Re: iptables question with multiple interfaces



On Dec 14, 5:38 am, Pascal Hambourg <boite-a-s...@xxxxxxxxxxxxxxx>
wrote:
phiveoh...@xxxxxxxxx wrote:



Basically I have 2 networks, let's say eth1 (10.0.0.1) is gateway 1 and
eth2 (192.168.0.1) is gateway 2.

I want to allow clients on eth1 to be able to connect to any port 25
mail server on the internet. But clients on gateway 2 are not allowed
any outgoing connections on port 25.

Are clients on eth2 allowed to connect to SMTP servers on eth1 ?

I was thinking last night of something like this:

/usr/sbin/iptables -t nat -A PREROUTING -s <net mask> -p tcp --destination-port 25 -j DROP

The 'nat' table is not intended for filtering, it is reserved for
address and port translation. Also, matching on the input interface is
more reliable than matching on the source address.

If you want to prohibit the clients on eth2 from connecting to SMTP
servers outside their own network (including eth1) :

iptables -I FORWARD -i eth2 -p tcp --dport 25 -j DROP (or REJECT)

If you want to prohibit the clients on eth2 from connecting to servers
on the internet only (eth0):

iptables -I FORWARD -i eth2 -o eth0 -p tcp --dport 25 -j DROP

eth1 and eth2 are just internal networks (like 25 clients on each)
they are all desktops so there will be no "internal" mail server
running. I just need to allow 1 group to access external mail servers
and the other group is not allowed.

I'll test out your suggestion above and work with it.

Thank you so much for your help.
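As an added example (not code from either poster), here is Pascal's second variant, blocking port 25 from eth2 towards the internet only, turned into a script that can be re-run safely on the router. It assumes eth0 is the internet-facing interface (the thread names only eth1 and eth2); the interface variables, the dedicated chain name SMTP_EGRESS, the log prefix and the REJECT-with-reset choice are my own, and the dry-run mode exists so the generated rules can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs SMTP egress rules in the
# FORWARD chain keyed on the input interface, as Pascal advises, instead of
# filtering in the nat table. Assumption: eth0 faces the internet (not stated
# in the thread); all interface names can be overridden via environment.

IPTABLES="${IPTABLES:-iptables}"       # IPTABLES=echo gives a dry run
WAN_IF="${WAN_IF:-eth0}"               # towards the internet (assumed)
MAIL_OK_IF="${MAIL_OK_IF:-eth1}"       # 10.0.0.0/24: may reach external SMTP
MAIL_BLOCK_IF="${MAIL_BLOCK_IF:-eth2}" # 192.168.0.0/24: must not
CHAIN="SMTP_EGRESS"                    # chain name is my own choice

# Build the ruleset. Every invocation goes through $IPTABLES so the same
# function serves both the real run and a dry run.
apply_smtp_egress_rules() {
    # Create the chain, or flush it if it already exists, so re-running the
    # script never stacks duplicate rules.
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"

    # Jump into the chain from the top of FORWARD. Delete a stale jump first
    # (ignoring the error when there is none) to keep this idempotent too.
    $IPTABLES -D FORWARD -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -I FORWARD 1 -j "$CHAIN"

    # Explicitly allow the network that may send mail; stating the intent
    # beats relying on the absence of a rule.
    $IPTABLES -A "$CHAIN" -i "$MAIL_OK_IF" -o "$WAN_IF" -p tcp --dport 25 -j ACCEPT

    # Block the other network. Matching on -i is more robust than on -s: a
    # client that changes its address still arrives on the same interface.
    # Log a rate-limited sample (useful for spotting spam-bot infections),
    # then REJECT with a TCP reset so clients fail at once instead of timing out.
    $IPTABLES -A "$CHAIN" -i "$MAIL_BLOCK_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -m limit --limit 5/minute -j LOG --log-prefix "smtp-egress-blocked: "
    $IPTABLES -A "$CHAIN" -i "$MAIL_BLOCK_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -j REJECT --reject-with tcp-reset
}

# Print the iptables commands the function would run, one per line.
dry_run_rules() {
    ( IPTABLES=echo; apply_smtp_egress_rules )
}

# Number of port-25 rules that would apply to traffic entering on interface $1
# and leaving on the WAN interface (counted from the dry-run output).
count_rules_for_iface() {
    dry_run_rules | grep -c -- "-i $1 -o $WAN_IF -p tcp --dport 25"
}

case "${1:-}" in
    apply)   apply_smtp_egress_rules ;;  # run as root on the router
    dry-run) dry_run_rules ;;
esac
```

Run `sh smtp-egress.sh dry-run` to see the commands and `sudo sh smtp-egress.sh apply` on the router to install them (they are not persistent across reboots; save them with your distribution's iptables-save mechanism). Two caveats the thread does not cover: mail originating on the router itself traverses OUTPUT rather than FORWARD, so these rules do not touch it, and IPv6 needs the same rules in ip6tables. Clients can also submit mail on ports 587 and 465; add those to the block rules if the goal is to stop all outbound mail rather than only direct-to-MX delivery on port 25.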


