Brian Ronk wrote:
> I'm looking to add some filters to give only certain servers the
> ability to communicate with the internet. This is how the server my
> company has is set up:
>
> eth0 and eth1 are local networks (we have 2 ip schemes in the company)
> eth2 is the internet
>
> I'm new to iptables, so I wanted to make sure I'm thinking correctly
> before I implement the commands for this.
> What I was thinking was this:
> iptables -I OUTPUT -s !xxx.xxx.xxx.xxx -o ethX -p tcp --dport 25 -j DROP
> where xxx.xxx.xxx.xxx is the server address that I want to allow
> (there would be a command for each server, so let's say 10.0.0.1,
> 10.0.0.2, and 10.0.1.1 are the servers I'm allowing). And the X in
> ethX is either 0 or 1 for the internal networks. I'm hesitant to put
> it on eth2, because I'm not sure if that would block traffic coming in
> or not. As for OUTPUT, another possibility was FORWARD.
> Am I going about this the right way? If anything else is trying to
> send email, I want it to drop it (to prevent anyone accidentally
> sending spam). Thanks for any help you can give me.
I'd recommend FORWARD.
[insert rules to allow whatever FORWARD to Internet here, then ...]
-A FORWARD -i eth0 -o eth2 -j DROP
-A FORWARD -i eth1 -o eth2 -j DROP
Stick in "-m tcp -p tcp --dport 25" if you want.
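As an added example (not part of the reply above), here is a script that builds the FORWARD-chain policy the reply sketches, restricted to port 25 as the question intends: an ACCEPT per allowed mail server, then a catch-all LOG and DROP for each internal interface. It assumes the question's layout (eth0 and eth1 internal, eth2 the internet, allowed servers 10.0.0.1, 10.0.0.2 and 10.0.1.1). Listing the allowed hosts explicitly and dropping the rest also sidesteps the single-address `-s !` negation from the question, which cannot express "any of these three servers" in one rule.

```shell
#!/bin/sh
# Added example, not from the thread: generates the FORWARD-chain SMTP egress
# policy the reply sketches. Assumptions (taken from the question): eth0 and
# eth1 are internal, eth2 faces the internet, and 10.0.0.1, 10.0.0.2 and
# 10.0.1.1 are the only hosts allowed to send mail out.
# Rules are printed by default; run with APPLY=1 (as root) to execute them.

ALLOWED_MAIL_SERVERS="10.0.0.1 10.0.0.2 10.0.1.1"
INTERNAL_IFACES="eth0 eth1"
WAN_IFACE="eth2"

# Emit one iptables command per line. Order matters: FORWARD is walked top to
# bottom and the first match wins, so the per-host ACCEPTs must precede the
# catch-all LOG and DROP for the same interface pair.
smtp_egress_rules() {
    allowed="$1"
    for ifc in $INTERNAL_IFACES; do
        for host in $allowed; do
            printf 'iptables -A FORWARD -i %s -o %s -s %s -p tcp -m tcp --dport 25 -j ACCEPT\n' \
                "$ifc" "$WAN_IFACE" "$host"
        done
        # Log before dropping so a misconfigured or compromised host shows up in syslog.
        printf 'iptables -A FORWARD -i %s -o %s -p tcp -m tcp --dport 25 -j LOG --log-prefix "SMTP-EGRESS-DROP: "\n' \
            "$ifc" "$WAN_IFACE"
        printf 'iptables -A FORWARD -i %s -o %s -p tcp -m tcp --dport 25 -j DROP\n' \
            "$ifc" "$WAN_IFACE"
    done
}

# Number of ACCEPT rules a given allow-list produces: a sanity check before
# applying, since it should equal (allowed hosts) x (internal interfaces).
accept_rule_count() {
    smtp_egress_rules "$1" | grep -c -- '-j ACCEPT'
}

if [ "${APPLY:-0}" = "1" ]; then
    smtp_egress_rules "$ALLOWED_MAIL_SERVERS" | sh
else
    smtp_egress_rules "$ALLOWED_MAIL_SERVERS"
fi
```

Because these rules live in FORWARD, they only affect traffic the box routes between eth0/eth1 and eth2; mail the gateway itself sends goes through OUTPUT and is untouched, which answers the OUTPUT-versus-FORWARD question in the original post. Review the printed rules first, then rerun with `APPLY=1` once they look right.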