Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: dan williamson on July 12, 2002, 06:31:47 PM
-
I just installed a server at work recently. I need to give all the computers e-mail access, but I need to restrict internet access to all of them but one machine. I have looked around on the net and I think that it is a TCPWrapper issue, but really haven't found enough info. Anyone have any ideas? This would be much appreciated.
Dan
-
/sbin/ipchains -A input -p tcp --source ! <allowed-host-ip> --dport ! 25 -i <lan-interface> -j DENY
I'd just worry about TCP unless you really want to be restrictive with UDP, but most UDP programs have a TCP controlling port. I think the above IPChains rule will work, I haven't tested it, but I think the logic is sound.
Deny all TCP protocols for all users except for all protocols except TCP port 25 (SMTP).
If the command works I'll help you template it.
Hope this helped,
Nathan
-
I think I transposed -j DENY and -i, it should read:
/sbin/ipchains -A input -p tcp --source ! <allowed-host-ip> --dport ! 25 -j DENY -i <lan-interface>
-
You should never deny UDP in general.
Very important services like DNS use it if a TCP connection times out.
I'm not sure, but I think most instant messengers like ICQ only use UDP.
-
Minor correction: DNS uses UDP, unless the query is very large. It doesn't try TCP first, so blocking UDP *is* blocking DNS.
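To see what Nathan's rule actually matches, and where the UDP/DNS point just raised comes in, here is an added Python model of the rule's matching logic (example code, not from the thread or from SME Server). The allowed host address, the LAN interface name and the sample packets are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP of the packet
    dport: int   # destination port
    iface: str   # interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    """Model of: ipchains -A input -p tcp --source ! SRC --dport ! PORT -i IFACE -j TARGET"""
    proto: str
    src: str
    src_negated: bool     # the "!" in front of --source
    dport: int
    dport_negated: bool   # the "!" in front of --dport
    iface: str
    target: str

    def matches(self, pkt: Packet) -> bool:
        # -p and -i must match exactly; negated options match when the value differs
        if pkt.proto != self.proto or pkt.iface != self.iface:
            return False
        src_hit = (pkt.src == self.src) != self.src_negated
        port_hit = (pkt.dport == self.dport) != self.dport_negated
        return src_hit and port_hit

def verdict(rules, pkt: Packet) -> str:
    """First matching rule wins; the chain policy is assumed to be ACCEPT."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return "ACCEPT"

ALLOWED = "192.0.2.10"   # placeholder: the one machine allowed full internet access
LAN = "eth1"             # placeholder: interface facing the LAN clients
NATHANS_RULE = Rule("tcp", ALLOWED, True, 25, True, LAN, "DENY")

def evaluate() -> dict:
    """Run constructed sample packets through the rule and return each verdict."""
    samples = {
        "other_host_tcp80": Packet("tcp", "192.0.2.20", 80, LAN),   # web: denied
        "allowed_host_tcp80": Packet("tcp", ALLOWED, 80, LAN),      # exempt host: passes
        "other_host_tcp25": Packet("tcp", "192.0.2.20", 25, LAN),   # SMTP: passes
        "other_host_tcp110": Packet("tcp", "192.0.2.20", 110, LAN), # POP3 to server: also denied
        "other_host_udp53": Packet("udp", "192.0.2.20", 53, LAN),   # DNS: rule is TCP-only, passes
    }
    return {name: verdict([NATHANS_RULE], pkt) for name, pkt in samples.items()}
```

The model shows the rule is TCP-only, so UDP DNS from the clients is untouched, but any TCP port other than 25 (including POP3/IMAP fetches from the server itself) is denied for every host except the exempt one.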
-
Thanks for your help. I will be tackling this issue sometime this week, when my workload balances out. I will keep you updated. Many thanks for your quick responses!