Apr 12, 2007

iptables firewall for a corporate mail server.

This is an iptables firewall for a corporate mail server. It is working fine on various live servers, all of which run Qmail. Test it locally first.
Please do not install it on a remote server first. For further queries regarding this script, please contact me at bipinkdas@gmail.com


#!/bin/sh
#THESE IPTABLES RULES ARE FOR A QMAIL SERVER
#Replace the IPs as needed; if you have further queries, contact the webmaster.

#clean up existing rules and delete custom chains
/sbin/iptables -t filter -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

#set default policy to drop everything
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

#addresses used below (shell assignment: no $ on the left-hand side)
source=192.168.10.1
dest=192.168.20.1
dns=192.168.1.1
backup=192.168.10.10

#####incoming rules######

#drop all invalid packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

#allow all icmp packets from world
/sbin/iptables -A INPUT -s 0/0 -d $dest -p icmp -j ACCEPT

#allow all input from loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT

#allow http from world
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 80 -j ACCEPT

#allow SMTP and POP3 from world (incoming mail and mailbox access)
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 110 -j ACCEPT

#allow rsync from backup machine
/sbin/iptables -A INPUT -s $backup -d $dest -p tcp --dport 873 -j ACCEPT

#allow packets from connections we established
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

######forwarding rules######

#no forwarding rule for a mail server.

######outgoing rules######

#drop all outgoing invalid packets
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

#allow all icmp packets to outside world
/sbin/iptables -A OUTPUT -s $source -d 0/0 -p icmp -j ACCEPT

#allow dns traffic
/sbin/iptables -A OUTPUT -s $source -d $dns -p udp --dport 53 -j ACCEPT

#allow mails to world
/sbin/iptables -A OUTPUT -s $source -d 0/0 -p tcp --dport 25 -j ACCEPT

#allow ftp to backup server
/sbin/iptables -A OUTPUT -s $source -d $backup -p tcp --dport 21 -j ACCEPT

#allow all output to loopback interface
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#allow packets of established connections
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

######save iptables rules######
service iptables save

8 comments:

Biju Pillai said...

Hi, I have configured an iptables firewall on my server with port 80 open for incoming and all ports open for outgoing, but my application is still not able to access AWS S3.

Please share any information on this issue.

Regards,
Biju

സമാധാനം said...

@Biju
The question is not clear. Are you asking about accessing an application on EC2?
Because S3 is nothing but a storage bucket. You can upload and download files from that bucket. Please specify your exact query.

സമാധാനം said...

I hope you have already opened port 80 through this?
http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/

API commands to open ports:

Shell>ec2-authorize default -p 80
Shell>ec2-authorize default -p 22

Biju Pillai said...
This comment has been removed by the author.
Biju Pillai said...

Hi, thanks for the quick response, and Happy Onam...

We are not using EC2. We have our application running on CentOS 5.3, which uses S3 to store the files uploaded by our users. I have configured iptables as follows (real IPs changed):

# Generated by iptables-save v1.3.5 on Wed May 6 09:08:46 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:2408]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 192.168.239.56 -j ACCEPT
-A INPUT -s 192.168.233.102 -j ACCEPT
-A INPUT -s 192.168.242.221 -j ACCEPT
-A INPUT -s 192.168.131.85 -j ACCEPT
-A INPUT -s 192.168.108.165 -j ACCEPT
-A INPUT -s 192.168.127.113 -j ACCEPT
-A INPUT -s 192.168.131.85 -d 192.168.239.56 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A INPUT -s 192.168.108.165 -d 192.168.239.56 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A INPUT -s 192.168.127.113 -d 192.168.239.56 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed May 6 09:08:46 2009

If I flush this firewall, my application is able to upload files to our bucket.

Please have a look and try to help me in resolving this issue.

Thanks & Regards,
Biju

സമാധാനം said...

Happy Onam.

These rules look perfect. But you need to upload files to S3. Then why don't you write an OUTPUT rule here?
These rules are only for accessing files, and you need to upload files? So you need to add some outbound rules.

Hope this helps. Please add your email address to your post; this will help with fast communication in future.

Biju Pillai said...

One quick question: if there are no rules for outbound, does that mean all outbound connections are open, or do I need to specify them specifically?

സമാധാനം said...

Yes. That depends: you need OUTPUT rules only if you block everything first, like

INPUT DROP
OUTPUT DROP
FORWARD DROP

But you accept everything first. The next step is to check the S3 logs. How do you connect to S3 from the Linux box: using a Java application or custom code?
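The script at the top of the page accepts RELATED,ESTABLISHED traffic in INPUT, while the iptables-save dump posted in the thread ends its INPUT chain with a catch-all REJECT and no stateful ACCEPT before it, so replies to connections the host itself opens are refused. The following checker is an added example, not code from the post or its commenters: it reads an iptables-save dump and reports whether a chain lets established replies through. The dumps embedded below are constructed in the style of the one posted above and reuse its placeholder addresses.

```python
import re

# Constructed excerpt in the style of the iptables-save dump posted in the
# thread above; addresses are the thread's own RFC 1918 placeholders.
DUMP_NO_STATE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:2408]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 192.168.239.56 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# The same dump with a stateful ACCEPT placed ahead of the catch-all REJECT
# (constructed), the way the script at the top of the page does it.
DUMP_WITH_STATE = DUMP_NO_STATE.replace(
    "-A INPUT -j REJECT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -j REJECT")

# Matches both the older '-m state --state' and the newer '-m conntrack --ctstate'.
STATE_RE = re.compile(r"--(?:state|ctstate)\s+(\S+)")

def chain_policy(dump, chain):
    """Default policy of a chain, taken from its ':CHAIN POLICY [pkts:bytes]' line."""
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            return line.split()[1]
    return None

def chain_rules(dump, chain):
    """Rules appended to one chain, in evaluation order."""
    return [l for l in dump.splitlines() if l.startswith(f"-A {chain} ")]

def accepts_established(dump, chain="INPUT"):
    """True if replies to connections this host opened can pass CHAIN: either an
    ACCEPT matching ESTABLISHED is hit before a catch-all DROP/REJECT, or nothing
    catches them and the chain's default policy is ACCEPT."""
    for rule in chain_rules(dump, chain):
        match_part, _, rest = rule[len(f"-A {chain}"):].partition(" -j ")
        target = rest.split()[0] if rest else ""
        m = STATE_RE.search(match_part)
        states = set(m.group(1).split(",")) if m else set()
        if target == "ACCEPT" and "ESTABLISHED" in states:
            return True
        if target in ("DROP", "REJECT") and not match_part.strip():
            return False  # catch-all rule reached first: replies are refused
    return chain_policy(dump, chain) == "ACCEPT"
```

Run it against a real dump with `accepts_established(open("/etc/sysconfig/iptables").read())`; a False for INPUT on a host that must reach external services is the first thing to fix.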