Koozali.org: home of the SME Server

turn off http leave smtp

dan williamson

turn off http leave smtp
« on: July 12, 2002, 06:31:47 PM »
I just installed a server at work recently. I need to give all the computers e-mail access, but I need to restrict internet access to all of them but one machine. I have looked around on the net and I think that it is a TCPWrapper issue, but really haven't found enough info. Anyone have any ideas? This would be much appreciated.
Dan

Nathan Fowler

Re: turn off http leave smtp
« Reply #1 on: July 12, 2002, 07:18:44 PM »
/sbin/ipchains -A input -p tcp --source ! <allowed-ip> --dport ! 25 -i <lan-interface> -j DENY

I'd just worry about TCP unless you really want to be restrictive with UDP, but most UDP programs have a TCP controlling port. I think the above IPChains rule will work; I haven't tested it, but I think the logic is sound.

Deny all TCP protocols for all users except for all protocols except TCP port 25 (SMTP).

If the command works I'll help you template it.

Hope this helped,
Nathan

Nathan Fowler

Re: turn off http leave smtp
« Reply #2 on: July 12, 2002, 07:19:39 PM »
I think I transposed -j DENY and -i; it should read:

/sbin/ipchains -A input -p tcp --source ! <allowed-ip> --dport ! 25 -i <lan-interface> -j DENY

Christian Engbrocks

Re: turn off http leave smtp
« Reply #3 on: July 12, 2002, 07:43:45 PM »
You should never deny UDP in general.
Very important services like DNS use it if a TCP connection times out.

I'm not sure, but I think most instant messengers like ICQ only use UDP.

Rich Lafferty

Re: turn off http leave smtp
« Reply #4 on: July 12, 2002, 07:52:03 PM »
Minor correction: DNS uses UDP, unless the query is very large. It doesn't
try TCP first, so blocking UDP *is* blocking DNS.
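
Added example, not code from the thread or from SME Server itself: a small ipchains script that does what Dan asked for, taking Rich's DNS point into account. It assumes (placeholders, not from the page) that the server is the LAN's masquerading gateway, that the external interface is eth1, that the LAN is 192.168.1.0/24, and that 192.168.1.50 is the one machine allowed full Internet access. Two things differ from the rule posted above: the rules go on the forward chain, because LAN-to-Internet traffic is forwarded rather than delivered to the server, and only TCP SYN packets (-y) are denied, because ipchains keeps no connection state and a blanket deny of every non-25 packet would also drop the replies to the SMTP and DNS traffic you want to keep.

```shell
#!/bin/sh
# Added example (not from the thread or from SME Server). All values below are
# placeholders: adjust them to your own network before running with "apply".
WAN_IF="${WAN_IF:-eth1}"                   # external (Internet) interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # internal network
ALLOWED_HOST="${ALLOWED_HOST:-192.168.1.50}"  # the one machine with full access
# IPCHAINS=echo turns the script into a dry run that only prints the commands.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

restrict_lan() {
    # Note ipchains semantics: on the forward chain "-i" names the interface a
    # packet is about to be SENT on, so we match the external interface here
    # and identify LAN machines by source address.

    # 1. The exception host may forward anything.
    $IPCHAINS -A forward -s "$ALLOWED_HOST" -i "$WAN_IF" -j ACCEPT
    # 2. Everyone on the LAN may reach SMTP (port 25) on the outside.
    $IPCHAINS -A forward -p tcp -s "$LAN_NET" -i "$WAN_IF" --dport 25 -j ACCEPT
    # 3. DNS: UDP for normal queries, TCP for large answers (see above).
    $IPCHAINS -A forward -p udp -s "$LAN_NET" -i "$WAN_IF" --dport 53 -j ACCEPT
    $IPCHAINS -A forward -p tcp -s "$LAN_NET" -i "$WAN_IF" --dport 53 -j ACCEPT
    # 4. Any other NEW TCP connection from the LAN is denied. Matching only SYN
    #    packets (-y) leaves reply traffic for rules 1-3 untouched; ipchains is
    #    stateless, so a plain "deny all but 25" would break those replies too.
    $IPCHAINS -A forward -p tcp -s "$LAN_NET" -i "$WAN_IF" -y -j DENY
}

# Run as "sh restrict.sh apply" to install the rules, or
# "IPCHAINS=echo sh restrict.sh apply" to see what would be installed.
if [ "${1:-}" = "apply" ]; then
    restrict_lan
fi
```

Rule order matters: the ACCEPT for the exception host comes first, the SMTP and DNS accepts next, and the SYN deny last. UDP other than DNS is left alone, as Christian and Rich advise; if you want to restrict it as well, add explicit denies after rule 3 rather than in front of it. As Nathan says, on SME Server a rule added by hand like this needs to go into a template, or the next regeneration of the firewall will drop it.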

dan williamson

Re: turn off http leave smtp
« Reply #5 on: July 15, 2002, 05:26:14 PM »
Thanks for your help. I will be tackling this issue sometime this week, when my workload balances out. I will keep you updated. Many thanks for your quick responses!