[Gllug] ipchains/smtp acceptance from Demon
home at alexhudson.com
Thu Aug 16 08:34:41 UTC 2001
On Wed, Aug 15, 2001 at 10:13:06PM +0100, sean at uncertainty.org.uk wrote:
> > ipchains -A input -i $extint -p tcp -s 194.217.242.0/24 --dport smtp -j ACCEPT
> >
> > would seem to do the trick
>
> but wouldn't the /24 allow a far greater range than I need to ?
No, that's CIDR bitmask notation - /24 is smaller than /8 ;)
8 = 255.0.0.0 = 11111111.00000000.00000000.00000000
24 = 255.255.255.0 = 11111111.11111111.11111111.00000000
The number refers to the number of ones.
> It is - I am not sure why I got some mail through - I hope that I messed up
> and manually set a default allow while I was reconfiguring...
It would have got through on some other rule.
> I think I have been getting generally confused between source ports and
> destination ports - the docs I read suggested stopping incoming
> connections by rejecting SYN requests (with the -y flag)...
No such thing as a 'syn request' - you mean packets sent with the syn flag
set.
> It seems like I could in fact block all connections to low numbered ports
> on my ppp0 interface ?
> Apart from incoming mail from demon - and any other specific connections.
You're supposed to block connections to all ports and only allow specific
connections ;)
> What ports do I have to allow to connect for things like outgoing http ftp
> ssh ...?
None. You only allow incoming. So, without connection tracking, you could
allow all packets from 0/0 that are !-y, allow all outgoing packets from
yourself, and deny everything else (except mail).
ftp is a special case, because that can need incoming connections in active
mode. However, it will work fine in passive mode, or you can use iptables
connection tracking to do it. It's a bodge in both instances though, and
you'll make it worse if you ever use the crappy masquerading system, because
ftp hates that even more - ftp proxying is the better solution.
Cheers,
Alex.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
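The ruleset the reply sketches, written out in full as an added example (it is not from the original mail or from either poster): default DENY on the external interface, inbound SMTP only from the 194.217.242.0/24 range quoted above, non-SYN TCP allowed back in for our own outgoing connections, everything allowed out. The `ipc` wrapper, the `DRY_RUN` hook and the `EXTINT` default of ppp0 are assumptions made here so the whole set can be printed and reviewed before anything is loaded; the UDP/DNS rule and the logging rule go one step beyond the text, because ipchains' `-y` only matches TCP and a purely TCP ruleset would silently break name resolution.

```sh
#!/bin/sh
# Added example of the ipchains ruleset described in the reply above.
# Not from the original mail. EXTINT, the ipc wrapper and DRY_RUN are
# assumptions; run with DRY_RUN= as root to actually load the rules.

EXTINT="${EXTINT:-ppp0}"          # assumed external (dial-up) interface
SMTP_PEER="194.217.242.0/24"      # Demon's relay range from the thread
DRY_RUN="${DRY_RUN:-echo}"        # "echo" prints commands; "" executes them

ipc() {
    # Every rule goes through here so the full set can be reviewed with
    # DRY_RUN=echo before it touches the kernel.
    $DRY_RUN ipchains "$@"
}

gen_rules() {
    # Start clean. ipchains evaluates rules in order and the first match
    # wins, so the chain policy only applies to packets nothing else matched.
    ipc -F input
    ipc -F output
    ipc -P input DENY
    ipc -P output ACCEPT

    # Loopback is not the outside world.
    ipc -A input -i lo -j ACCEPT

    # Inbound SMTP only from the named /24: 24 mask bits leave 8 host bits,
    # i.e. 256 addresses. A /8 (194.0.0.0/8) would be about 16 million.
    ipc -A input -i "$EXTINT" -p tcp -s "$SMTP_PEER" --dport smtp -j ACCEPT

    # Replies to our own outgoing TCP connections: a packet that is not a
    # bare SYN (-y) is not a new connection attempt. ipchains is stateless,
    # so this also admits ACK/FIN probes; connection tracking (iptables)
    # is the real fix, as the reply notes.
    ipc -A input -i "$EXTINT" -p tcp ! -y -j ACCEPT

    # -y is TCP-only. DNS answers arrive over UDP from port 53 and need
    # their own rule, otherwise outgoing lookups time out. (Assumed here;
    # not in the original mail.)
    ipc -A input -i "$EXTINT" -p udp --sport domain -j ACCEPT

    # Everything else on the external interface falls to the DENY policy;
    # log new TCP connection attempts (-l) so mistakes show up in syslog.
    ipc -A input -i "$EXTINT" -p tcp -y -l -j DENY
}

# Stand-alone run: with the default DRY_RUN=echo this prints the ruleset.
gen_rules
```

Note the order: the SMTP accept sits before the `! -y` accept and the logging deny, so a new SYN to port 25 from the /24 is accepted, a SYN to port 25 from anywhere else is logged and denied, and a SYN to any other port is denied too. Active-mode ftp, as the reply says, needs an inbound connection to an unprivileged port and will not get past this set; passive mode works because every connection it opens is outbound.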