Friday, September 2, 2011

IPTABLE firewall for a corporate mail server.

This is an IPTABLE firewall for a corporate mail server. This working fine for various live servers. All are running Qmail. You can test it it locally first.
Please do not install it on remote server first. For further queries regarding this script please ask to me onbipinkdas@gmail.com


#THIS IPTABLE RULES ARE FOR A QMAIL SERVER
#Replace ips as needed,if you need further queries do contact webmaster.

#clean up existing rules and delete custom chains
/sbin/iptables -t filter -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

#set default policy to drop everything
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

$source=192.168.10.1
$dest=192.168.20.1
$dns=192.168.1.1
$backup=192.168.10.10

#####incoming rules######

#drop all invalid packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

#allow all icmp packets from world
/sbin/iptables -A INPUT -s 0/0 -d $dest -p icmp -j ACCEPT

#allow all input from loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT

#allow http from world
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 80 -j ACCEPT

#allow mails from and to world
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 110 -j ACCEPT

#allow rsync from backup machine
/sbin/iptables -A INPUT -s $backup -d $dest -p tcp --dport 873 -j ACCEPT

#allow packets from connections we established
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

######forwarding rules######

#no forwarding rule for a mail server.

######outgoing rules######

#drop all outgoing invalid packets
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

#allow all icmp packets to outside world
/sbin/iptables -A OUTPUT -s $source -d 0/0 -p icmp -j ACCEPT

#allow dns traffic
/sbin/iptables -A OUTPUT -s $source -d $dns -p udp --dport 53 -j ACCEPT

#allow mails to world
/sbin/iptables -A OUTPUT -s $source -d 0/0 -p tcp --dport 25 -j ACCEPT

#allow ftp to backup server
/sbin/iptables -A OUTPUT -s $source -d $backup -p tcp --dport 21 -j ACCEPT

#allow all input to loopback interface
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#allow packets of established connections
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

######save iptables rules######
service iptables save