Differences
This shows you the differences between two versions of the page.
howtos:network_services:postfix_dovecot_mysql:email_firewall [2015/02/16 09:43 (UTC)] – First complete version astrogeek | howtos:network_services:postfix_dovecot_mysql:email_firewall [2015/06/10 08:10 (UTC)] – typo fix and clarification of example firewall.rules file tim | ||
Line 1: | Line 1: | ||
- | ==== Firewall Rules For Virtual Mail Server ==== | + | ====== Firewall Rules For Virtual Mail Server ====== |
+ | |||
+ | This page is supplemental to main article: [[howtos: | ||
A firewall is simply a set of kernel routing rules, iptables rules, that selectively block or allow network traffic into and out of your machine. A web facing email server must be secured by a suitable set of firewall rules or it will quickly be overwhelmed and compromised! | A firewall is simply a set of kernel routing rules, iptables rules, that selectively block or allow network traffic into and out of your machine. A web facing email server must be secured by a suitable set of firewall rules or it will quickly be overwhelmed and compromised! | ||
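Review bot: the unchanged opening sentence of this region calls iptables rules "kernel routing rules"; iptables rules are netfilter packet-filtering rules (which chain accepts, drops or rejects a packet) and are separate from the kernel routing table, so since the paragraph is being touched anyway, suggest "a set of kernel packet-filtering rules (iptables rules)". The heading promotion and the added pointer to the main article are fine as far as the visible text shows.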
Line 7: | Line 9: | ||
<note important> | <note important> | ||
You should first use iptables -L to check for pre-existing rules and merge those below into your existing firewall. | You should first use iptables -L to check for pre-existing rules and merge those below into your existing firewall. | ||
- | If you have no existing firewall and need to allow http and ssh, uncomment the liines | + | If you have no existing firewall and need to allow http and ssh, uncomment the lines for those also included here.</ |
Following is a minimal set of iptables rules to provide a firewall for your email server. | Following is a minimal set of iptables rules to provide a firewall for your email server. | ||
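Review bot: `iptables -L` with no further options lists only the filter table and resolves addresses and ports to names, so a reader merging these rules into an existing firewall can overlook nat or mangle entries and misread what is already there; suggest `iptables-save` (or at least `iptables -L -n -v` together with `-t nat`) in the note, which has the added benefit that its output is the same format as the firewall.rules file this revision describes.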
Line 52: | Line 54: | ||
Ports 993 and 995 provide secure Imap and Pop3, respectively. These must be open in order for your virtual users to be able to send and receive email. | Ports 993 and 995 provide secure Imap and Pop3, respectively. These must be open in order for your virtual users to be able to send and receive email. | ||
- | To install these rules as your firewall save them to a text file, / | + | To install these rules as your firewall save them to a text file using < |
+ | |||
+ | < | ||
+ | < | ||
+ | :INPUT DROP [0:0] | ||
+ | :FORWARD DROP [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | </ | ||
+ | and to the end of the file, add < | ||
+ | As per the note above, don't forget to uncomment the ssh rule if the server is not sitting in front of you, or you'll lock yourself out!</ | ||
+ | |||
+ | There are many preferences for saving and loading firewall scripts. I generally use / | ||
< | < | ||
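Review bot: the header added for the rules file starts at the chain policy lines `:INPUT DROP [0:0]`, `:FORWARD DROP [0:0]`, `:OUTPUT ACCEPT [0:0]`, but iptables-restore only accepts those after a table declaration line (`*filter`) and requires a `COMMIT` line after the last rule; the lines that would carry both are truncated in this rendering (`< |` before the policies and `add <` at the end), so please verify they appear explicitly in the text. Without them iptables-restore rejects the whole file, and with the boot script shown further down that means the server comes up with the built-in ACCEPT policy on every chain rather than the DROP policy this page intends.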
Line 62: | Line 75: | ||
< | < | ||
- | To load your firewall rules at each boot, add the following lines to / | + | To load your firewall rules at each boot, you will need to create a start script and save it to / |
+ | |||
+ | You may choose to create a more complete script with start and stop options, but the following simple script is sufficient to load your firewall rules at boot. | ||
< | < | ||
- | vi / | + | vi / |
# add the following lines # | # add the following lines # | ||
- | if [ -x / | + | if [ -e / |
iptables-restore </ | iptables-restore </ | ||
- | fi</ | + | fi |
+ | </ | ||
- | Make sure rc.local and the firewall | + | Make sure rc.firewall |
< | < | ||
- | chmod +x / | + | chmod +x / |
- | chmod +x /etc/firewall.rules | + | |
</ | </ | ||
- | Load your firewall rules and make sure they are as you expect them to be before continuing. | + | Load your firewall rules and make sure they are as you expect them to be before continuing. |
< | < | ||
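Review bot: the rc.firewall script runs `iptables-restore` without checking its exit status, so a syntax error in /etc/firewall.rules fails at boot with nothing in the logs and the mail server is left with no firewall at all, which is exactly what the page is trying to prevent. Suggest `iptables-restore < /etc/firewall.rules || logger -t rc.firewall "iptables-restore failed"` (or an echo to the console) so the failure is visible, and mentioning `iptables-restore --test` next to the existing advice to load the rules manually before continuing. The change from `[ -x` to `[ -e` together with dropping `chmod +x /etc/firewall.rules` is correct: the rules file is data, not a program, and only rc.firewall needs to be executable.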
Line 86: | Line 101: | ||
[[howtos: | [[howtos: | ||
+ | ====== Sources ====== | ||
+ | * Originally written by [[wiki: | ||
{{tag> | {{tag> |