Re: [exim] iptables

Author: Nigel Wade
Date:  
To: exim users
Subject: Re: [exim] iptables
Harold Huggins wrote:
> Where within the EXIM directory, and sample script, should I install
> iptables (replace 1.2.3.4 with IP to allow) rules to block port 25.


Generally, you wouldn't install iptables rules anywhere within the Exim
directory tree. Iptables is a kernel level packet filter for the Linux
kernel. Exim is a cross-platform mail transport agent, a user-land
application, and should not be concerned with kernel level matters on
one specific platform.

Iptables rules are normally dealt with elsewhere within your Linux
configuration. You should use whatever tool you normally use to define
your iptables rules. These are many and varied. Which you use is a
matter of choice, and may well be influenced by whatever flavour of
Linux you are using. If you are not running Linux then you won't be
using iptables.

>
> Sample of iptables rules:
>
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>
>
> And, is this the best policy to block port 25?


No. I don't see why you'd want to explicitly block port 2525 (why port
2525?) unless you have something listening on that port, and you have
a lax default accept policy. If you have a lax default accept policy then
the rule to accept port 25 is irrelevant. The above combination doesn't
make any sense to me.

There is no need to insert the same rule twice, or to repeat the entire
ruleset twice.

A better policy is to DROP everything and then only allow what you
explicitly require. Accept ESTABLISHED,RELATED traffic. Only accept
state NEW on port 25.

But this isn't directly related to Exim, so it's not really suitable for
this mailing list.


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
            University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
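The default-DROP policy Nigel describes (drop everything, accept ESTABLISHED,RELATED, accept state NEW only on port 25), written out as an added example that is not part of the original thread. It emits an iptables-restore ruleset instead of running a series of `iptables -I` commands, so reloading it replaces the filter table atomically and can never insert the same rule twice; the allowed source address 1.2.3.4 is taken from Harold's sample, and the function names are my own.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for the filter table:
#   - default policy DROP on INPUT and FORWARD
#   - loopback and ESTABLISHED,RELATED traffic accepted
#   - only NEW connections to TCP/25 accepted, optionally restricted
#     to one source address (first argument, e.g. 1.2.3.4)
# Usage: gen_smtp_ruleset [ALLOWED_SOURCE]
gen_smtp_ruleset() {
    src_match=""
    if [ -n "$1" ]; then
        src_match="-s $1 "
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ${src_match}--dport 25 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: count the ACCEPT rules so an accidental
# edit that opens more than the intended three paths is noticed.
count_accept_rules() {
    gen_smtp_ruleset "$1" | grep -c -- '-j ACCEPT'
}

# Review the output, then load it with:
#   gen_smtp_ruleset 1.2.3.4 | iptables-restore
```

Omit the argument to accept NEW connections on port 25 from any address, which is the policy as Nigel stated it; giving an address narrows it to Harold's single-host case.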