Networking Forums

iptables question with multiple interfaces

 
 
phiveohtwo@gmail.com
      12-12-2007, 12:49 AM
I have a MASQUERADE server with 3 NICs.

1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
separate interfaces both sharing the internet connection.

My question is I need to block port 25 only on one of the interfaces.
So allow outgoing port 25 connections on the eth1 network but not eth2
network. Currently I am using this rule:

/usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP

which of course blocks all connections to port 25.

I just need to block outgoing port 25 connections on one interface.

Any ideas?

Thanks in advance.
 
Philippe.Weill@aero.jussieu.fr
      12-12-2007, 05:34 AM
(E-Mail Removed) wrote:
> I have a MASQUERADE server with 3 NICs.
>
> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
> separate interfaces both sharing the internet connection.
>
> My question is I need to block port 25 only on one of the interfaces.
> So allow outgoing port 25 connections on the eth1 network but not eth2
> network. Currently I am using this rule:
>
> /usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP
>
> which of course blocks all connections to port 25.
>
> I just need to block outgoing port 25 connections on one interface.


man iptables

/usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP

>
> Any ideas?
>
> Thanks in advance.

 
Pascal Hambourg
      12-12-2007, 09:23 AM
Hello,

(E-Mail Removed) wrote:
> (E-Mail Removed) wrote:
>
>> I have a MASQUERADE server with 3 NICs.
>>
>> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
>> separate interfaces both sharing the internet connection.
>>
>> My question is I need to block port 25 only on one of the interfaces.
>> So allow outgoing port 25 connections on the eth1 network but not eth2
>> network. Currently I am using this rule:

Do you mean "from the eth1 network"?

> /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP


Unless I misunderstood the question, I'd use -i (input interface)
instead of -o (output interface). Also, I'd use REJECT instead of DROP
in order to avoid the looong time-out delay on the client, unless such a
delay is desirable for the OP.
 
Andrew Gideon
      12-12-2007, 12:58 PM
On Wed, 12 Dec 2007 11:23:55 +0100, Pascal Hambourg wrote:

> Unless I misunderstood the question, I'd use -i (input interface)
> instead of -o (output interface).


The original question made it appear that connections to port 25 on
servers not "outside" were okay. Perhaps connections from eth1 to ports
25 somewhere on eth2 are okay?

But blocking *only* with the -o would block connections to outside ports
25 from eth2 as well as eth1. That wasn't mentioned in the question, and
so might be undesirable.

So why not "-i eth1 -o eth0"? Would that work?

Alternatively, if both eth1 and eth2 have INPUT rules that prevent source
address forging, then the output block on eth0 could use -s instead of -o.

- Andrew

 
Philippe.Weill@aero.jussieu.fr
      12-12-2007, 03:43 PM
Pascal Hambourg wrote:
> Hello,
>
> (E-Mail Removed) wrote:
>> (E-Mail Removed) wrote:
>>
>>> I have a MASQUERADE server with 3 NICs.
>>>
>>> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
>>> separate interfaces both sharing the internet connection.
>>>
>>> My question is I need to block port 25 only on one of the interfaces.
>>> So allow outgoing port 25 connections on the eth1 network but not eth2
>>> network. Currently I am using this rule:

I read "not allow outgoing SMTP connections on eth2",
but perhaps that's not the question.

>
> Do you mean "from the eth1 network"?
>
>> /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP
>
> Unless I misunderstood the question, I'd use -i (input interface)
> instead of -o (output interface). Also, I'd use REJECT instead of DROP
> in order to avoid the looong time-out delay on the client, unless such a
> delay is desirable for the OP.

I also prefer REJECT, but the poster said:
/usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP
 
phiveohtwo@gmail.com
      12-13-2007, 08:52 PM
On Dec 12, 11:43 am, Philippe.We...@aero.jussieu.fr wrote:
> Pascal Hambourg wrote:
> > Hello,
> >
> > Philippe.We...@aero.jussieu.fr wrote:
> >> phiveoh...@gmail.com wrote:
> >>
> >>> I have a MASQUERADE server with 3 NICs.
> >>>
> >>> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
> >>> separate interfaces both sharing the internet connection.
> >>>
> >>> My question is I need to block port 25 only on one of the interfaces.
> >>> So allow outgoing port 25 connections on the eth1 network but not eth2
> >>> network. Currently I am using this rule:
>
> I read "not allow outgoing SMTP connections on eth2",
> but perhaps that's not the question.
>
> > Do you mean "from the eth1 network"?
> >
> >> /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP
> >
> > Unless I misunderstood the question, I'd use -i (input interface)
> > instead of -o (output interface). Also, I'd use REJECT instead of DROP
> > in order to avoid the looong time-out delay on the client, unless such a
> > delay is desirable for the OP.
>
> I also prefer REJECT, but the poster said:
> /usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP

Basically I have 2 networks. Let's say eth1 (10.0.0.1) is gateway 1 and
eth2 (192.168.0.1) is gateway 2.

I want to allow clients on eth1 to be able to connect to any port 25
mail server on the internet. But clients on gateway 2 are not allowed
any outgoing connections on port 25.

I was thinking last night of something like this:

/usr/sbin/iptables -t nat -A PREROUTING -s <net mask> -p tcp --destination-port 80 -j DROP



 
phiveohtwo@gmail.com
      12-13-2007, 08:53 PM
On Dec 13, 4:52 pm, phiveoh...@gmail.com wrote:
> On Dec 12, 11:43 am, Philippe.We...@aero.jussieu.fr wrote:
>
> > Pascal Hambourg wrote:
> > > Hello,
> > >
> > > Philippe.We...@aero.jussieu.fr wrote:
> > >> phiveoh...@gmail.com wrote:
> > >>
> > >>> I have a MASQUERADE server with 3 NICs.
> > >>>
> > >>> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
> > >>> separate interfaces both sharing the internet connection.
> > >>>
> > >>> My question is I need to block port 25 only on one of the interfaces.
> > >>> So allow outgoing port 25 connections on the eth1 network but not eth2
> > >>> network. Currently I am using this rule:
> >
> > I read "not allow outgoing SMTP connections on eth2",
> > but perhaps that's not the question.
> >
> > > Do you mean "from the eth1 network"?
> > >
> > >> /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP
> > >
> > > Unless I misunderstood the question, I'd use -i (input interface)
> > > instead of -o (output interface). Also, I'd use REJECT instead of DROP
> > > in order to avoid the looong time-out delay on the client, unless such a
> > > delay is desirable for the OP.
> >
> > I also prefer REJECT, but the poster said:
> > /usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP
>
> Basically I have 2 networks. Let's say eth1 (10.0.0.1) is gateway 1 and
> eth2 (192.168.0.1) is gateway 2.
>
> I want to allow clients on eth1 to be able to connect to any port 25
> mail server on the internet. But clients on gateway 2 are not allowed
> any outgoing connections on port 25.
>
> I was thinking last night of something like this:
>
> /usr/sbin/iptables -t nat -A PREROUTING -s <net mask> -p tcp --destination-port 80 -j DROP

Oops, that destination should be 25, not 80.
 
Pascal Hambourg
      12-14-2007, 09:38 AM
(E-Mail Removed) wrote:
>
> Basically I have 2 networks. Let's say eth1 (10.0.0.1) is gateway 1 and
> eth2 (192.168.0.1) is gateway 2.
>
> I want to allow clients on eth1 to be able to connect to any port 25
> mail server on the internet. But clients on gateway 2 are not allowed
> any outgoing connections on port 25.

Are clients on eth2 allowed to connect to SMTP servers on eth1?

> I was thinking last night of something like this:
>
> /usr/sbin/iptables -t nat -A PREROUTING -s <net mask> -p tcp --destination-port 25 -j DROP

The 'nat' table is not intended for filtering, it is reserved for
address and port translation. Also, matching on the input interface is
more reliable than matching on the source address.

If you want to prohibit the clients on eth2 from connecting to SMTP
servers outside their own network (including eth1):

iptables -I FORWARD -i eth2 -p tcp --dport 25 -j DROP (or REJECT)

If you want to prohibit the clients on eth2 from connecting to servers
on the internet only (eth0):

iptables -I FORWARD -i eth2 -o eth0 -p tcp --dport 25 -j DROP
 
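To make the -i versus -o distinction argued in the replies above concrete, here is an added example (not code from the thread or from iptables) that models a one-rule FORWARD chain in Python and evaluates the three proposed rule variants over constructed sample flows on the OP's gateway. It assumes a simplified matcher covering only interface, protocol and destination-port matching, with first-match-wins semantics and no conntrack or other tables.

```python
# Added example (not from the thread): minimal model of iptables FORWARD-chain
# matching (-i, -o, -p, --dport only, first match wins) for eth0 = internet,
# eth1/eth2 = the two LANs. Assumption: conntrack and other tables are ignored.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                    # DROP, REJECT or ACCEPT
    in_if: Optional[str] = None    # -i  (ingress interface)
    out_if: Optional[str] = None   # -o  (egress interface, after routing)
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport

    def matches(self, pkt):
        # An unset criterion matches anything, as in iptables.
        return all((
            self.in_if is None or pkt["in"] == self.in_if,
            self.out_if is None or pkt["out"] == self.out_if,
            self.proto is None or pkt["proto"] == self.proto,
            self.dport is None or pkt["dport"] == self.dport,
        ))

def forward_verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides, as in netfilter; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# Constructed sample flows through the gateway (ingress -> egress interface).
PACKETS = {
    "eth1_to_internet_smtp": {"in": "eth1", "out": "eth0", "proto": "tcp", "dport": 25},
    "eth2_to_internet_smtp": {"in": "eth2", "out": "eth0", "proto": "tcp", "dport": 25},
    "eth2_to_internet_http": {"in": "eth2", "out": "eth0", "proto": "tcp", "dport": 80},
    "eth1_to_eth2_smtp":     {"in": "eth1", "out": "eth2", "proto": "tcp", "dport": 25},
    "eth2_to_eth1_smtp":     {"in": "eth2", "out": "eth1", "proto": "tcp", "dport": 25},
}

# The rule variants discussed in the thread, each as a one-rule FORWARD chain.
RULESETS = {
    "-o eth2":         [Rule("DROP", out_if="eth2", proto="tcp", dport=25)],
    "-i eth2":         [Rule("REJECT", in_if="eth2", proto="tcp", dport=25)],
    "-i eth2 -o eth0": [Rule("REJECT", in_if="eth2", out_if="eth0", proto="tcp", dport=25)],
}

def verdicts(ruleset_name):
    """Map every sample flow to its verdict under one ruleset."""
    chain = RULESETS[ruleset_name]
    return {name: forward_verdict(chain, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:16} {verdicts(name)}")
```

Running it shows that "-o eth2" leaves eth2's outbound SMTP untouched and instead blocks traffic routed into eth2, while "-i eth2" blocks all SMTP originating on eth2 and "-i eth2 -o eth0" restricts the block to the internet-bound subset.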
phiveohtwo@gmail.com
      12-17-2007, 01:48 AM
On Dec 14, 5:38 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:
> phiveoh...@gmail.com wrote:
>
> > Basically I have 2 networks. Let's say eth1 (10.0.0.1) is gateway 1 and
> > eth2 (192.168.0.1) is gateway 2.
> >
> > I want to allow clients on eth1 to be able to connect to any port 25
> > mail server on the internet. But clients on gateway 2 are not allowed
> > any outgoing connections on port 25.
>
> Are clients on eth2 allowed to connect to SMTP servers on eth1?
>
> > I was thinking last night of something like this:
> >
> > /usr/sbin/iptables -t nat -A PREROUTING -s <net mask> -p tcp --destination-port 25 -j DROP
>
> The 'nat' table is not intended for filtering, it is reserved for
> address and port translation. Also, matching on the input interface is
> more reliable than matching on the source address.
>
> If you want to prohibit the clients on eth2 from connecting to SMTP
> servers outside their own network (including eth1):
>
> iptables -I FORWARD -i eth2 -p tcp --dport 25 -j DROP (or REJECT)
>
> If you want to prohibit the clients on eth2 from connecting to servers
> on the internet only (eth0):
>
> iptables -I FORWARD -i eth2 -o eth0 -p tcp --dport 25 -j DROP


eth1 and eth2 are just internal networks (like 25 clients on each)
they are all desktops so there will be no "internal" mail server
running. I just need to allow 1 group to access external mail servers
and the other group is not allowed.

I'll test out your suggestion above and work with it.

Thank you so much for your help.
 