Re: iptables newbie question
From: Tim Haynes (usenet-20030813_at_stirfried.vegetable.org.uk)
Date: 08/14/03
- Next message: Xin Li: "Getting a list of user group memberships"
- Previous message: James Riden: "Re: Is this the famous RPC exploit packet?"
- In reply to: skubik: "Re: iptables newbie question"
- Next in thread: John SMith: "Re: iptables newbie question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 13 Aug 2003 23:28:24 +0100
skubik <vkube@yahoo.com> writes:
> On Wed, 13 Aug 2003 13:22:41 +0100, Tim Haynes wrote:
>>
>> You mean you're providing those services on this box?
>
> I'm providing SSh and WWW on my box, but I use the system as my
> workstation as well, so it's not a dedicated server. So those are the
> only services I'm providing.
Right. Got you. Keep the two parts separate, it'll save confusion.
>>> iptables -A INPUT -s <mail provider server> -p tcp --dport 25 -j ACCEPT
>>
>> I don't see that ever matching anything. Look at what you're saying:
[snip]
>> I can't make out whether you should've used an OUTPUT rule and swapped
>> -s to -d because you want to limit the services to which you may
>> connect, or whether you're the provider controlling what stuff can come
>> in to you.
>
> My objective with this was only to accept packets on port 25 that are
> coming from the e-mail server. I am not providing SMTP on my box, but
> merely want to limit connections on that port ONLY to the e-mail server
> hosting my e-mail account.
OK, so you're talking continuations of things you've established at this
point. As a general rule, stateful filtering with
-m state --state ESTABLISHED,RELATED -j ACCEPT
will cater for this.
Next question: do you want to be able to establish connections out to
anything, or just your mail-server? If you're free & easy about outgoing
stuff, the above snippet is all you need. If you're up-tight about the
kinds of things you connect to, then refine it further - "you're only
allowed *back in* if you're FROM the mail-server TO me", with the ports and
IP#s all the right way around.
> Perhaps that is the biggest problem I'm having, does the INPUT chain only
> apply to anonymous outside connections made to my system, or does it also
> apply to return connections made from requests on my system? For example,
> on this box, if I open a browser and request yahoo.com, where does the
> yahoo.com server return the information to on my system (what port? what
> chain does it apply to?)
It's for all incoming traffic.
>> Well, the other thing that could have been going wrong with the
>> now-snipped rules is handling of return packets. If you're connecting
>> from your box to a mail-server, then packets have to flow back the way
>> as well.
>
> Yeah, that's kinda what I mean, WHERE do those packets flow to and on
> what chain?
        you                                 your mailserver
________________________________________________
1. OUTPUT   somehighport  -------->  25/tcp
                  (entry goes into state table)
2. INPUT    somehighport  <--------  25/tcp
                  (state table may be inspected)
The same sort of thing happens for any request you make - dns, ntp, web,
external mail servers, you name it; output from a high client port to a
designated service port on the remote box, return packets back along your
input chain.
You *can* trust the stateful inspection module; if you were tempted to
throw in extra restrictions on IP#s, port#s or similar, then it's likely
unnecessary vanity, as these things (and MORE - like timeouts, sequence
numbers etc) are all stored in the state-table.
You get lots of choice; personally, I'd leave INPUT for mostly INPUT
things, either continuations of *all* requested connections or provided
services, and I'd filter on OUTPUT if I wanted to stop myself talking to
unsupported external services.
~Tim
--
23:13:30 up 68 days, 13:48, 2 users, load average: 0.00, 0.03, 0.06
piglet@stirfried.vegetable.org.uk |Crossing the river, caught in the rain
http://piglet.is.dreaming.org     |Crossing the rhythm, caught in the rain.