howtos:network_services:postfix_dovecot_mysql:email_firewall [2015/02/15 19:20 (UTC)] astrogeek
howtos:network_services:postfix_dovecot_mysql:email_firewall [2018/02/06 01:17 (UTC)] (current) – [Firewall Rules For Virtual Mail Server] astrogeek
Line 1: Line 1:
-==== Firewall Rules For Virtual Mail Server ====+====== Firewall Rules For Virtual Mail Server ======
  
-<note important>This article is under construction and not complete! Please return later...</note>+This page is supplemental to main article: [[howtos:network_services:postfix_dovecot_mysql|Creating a Virtual Mail Server with Postfix, Dovecot and MySQL]]
  
 A firewall is simply a set of kernel routing rules, iptables rules, that selectively block or allow network traffic into and out of your machine. A web facing email server must be secured by a suitable set of firewall rules or it will quickly be overwhelmed and compromised! A firewall is simply a set of kernel routing rules, iptables rules, that selectively block or allow network traffic into and out of your machine. A web facing email server must be secured by a suitable set of firewall rules or it will quickly be overwhelmed and compromised!
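Review bot: the unchanged opening paragraph describes iptables rules as "kernel routing rules"; iptables configures netfilter packet filtering, which is independent of the kernel's routing table, so this should read "a set of kernel packet-filtering rules, managed with iptables". In the same sentence "web facing" should be "internet facing", since the server is exposed on SMTP/IMAP/POP3 ports, not HTTP.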
Line 7: Line 7:
 If you already have a firewall in place for other services then you will need to add to it the rules necessary to support mail server traffic. If you do not have a firewall currently in place, then you may use the example below as a good starting point! If you already have a firewall in place for other services then you will need to add to it the rules necessary to support mail server traffic. If you do not have a firewall currently in place, then you may use the example below as a good starting point!
  
-<note important>Loading //only// the rules below as your firewall will close other access that may be important to you such as hhtp and ssh! +<note important>Loading //only// the rules below as your firewall will close other access that may be important to you such as http and ssh! 
-You should first use iptables -L to check for pre-existing rules and merge those below into your existing firewall+You should first use iptables -L to check for pre-existing rules and __merge those below into your existing firewall__
-If you have no existing firewall and need to allow http and ssh, uncomment the liines for those also included here.</note>+If you have no existing firewall and/or need to allow http and ssh, uncomment the --policy lines and those for http and ssh as necessary to meet your requirements.</note>
  
-Following is a minimal set of iptables rules to provide a firewall for your email server.+Following is a **minimal** set of iptables rules to provide a firewall for your email server. While 
  
 <code> <code>
 +#--policy INPUT DROP
 +#--policy FORWARD DROP
 +#--policy OUTPUT ACCEPT
 +
 -A INPUT -m state --state INVALID -j DROP -A INPUT -m state --state INVALID -j DROP
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
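Review bot: the rewritten lead-in "Following is a **minimal** set of iptables rules ... While " is cut off after "While"; finish the sentence or drop the word. On the three added policy lines: `#--policy INPUT DROP` is iptables command-line syntax (`iptables -P INPUT DROP`), not the iptables-save/iptables-restore file format the text tells the reader to load, where a chain's default policy is written as `:INPUT DROP [0:0]` beneath a `*filter` header and before the closing `COMMIT`; use that form here so the file restores as written. The note should also say plainly why those lines matter: with them left commented and INPUT at its default ACCEPT, the ACCEPT rules below block nothing, and only `-A INPUT -m state --state INVALID -j DROP` drops any traffic, so there is no firewall until the DROP policy (or an explicit final DROP rule) is in place.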
Line 54: Line 58:
 Ports 993 and 995 provide secure Imap and Pop3, respectively. These must be open in order for your virtual users to be able to send and receive email. Ports 993 and 995 provide secure Imap and Pop3, respectively. These must be open in order for your virtual users to be able to send and receive email.
  
-You may enable these rules by saving them to a text file (ex: /etc/firewall.rules), then loading that file using iptables-restore.+To install these rules as your firewall save them to a text file using <code>iptables-save >/etc/firewall.rules</code> then load that file using iptables-restore as shown below. This will replace any currently existing iptables rules with those in the file.
  
 +There are many preferences for saving and loading firewall scripts. I generally use /etc/firewall.rules for my own systems and will use that for this example.
  
 <code>iptables-restore </etc/firewall.rules</code> <code>iptables-restore </etc/firewall.rules</code>
-You may see all currently active rules like this...+ 
 +To see all currently active rules:
 <code>iptables -L</code> <code>iptables -L</code>
-You may flush all current rules like this...+ 
 +To flush all current rules:
 <code>iptables -F</code> <code>iptables -F</code>
  
-To load your firewall rules at each boot, add the following to /etc/rc.d/rc.local:+To load your firewall rules at each boot, you will need to create a start script and save it to /etc/rc.d/rc.firewall and make it executable. This file will then be started by /etc/rc.d/rc.inet2 when your system boots, before your network devices are started. 
 + 
 +You may choose to create a more complete script with start and stop options, but the following simple script is sufficient to load your firewall rules at boot.
  
 <code> <code>
-vi /etc/rc.d/rc.local+vi /etc/rc.d/rc.firewall
  
 # add the following lines # # add the following lines #
-if [ -/etc/firewall.rules ]; then+if [ -/etc/firewall.rules ]; then
         iptables-restore </etc/firewall.rules         iptables-restore </etc/firewall.rules
-fi</code>+fi 
 +</code>
  
-And make sure rc.local and the firewall rules files are executable...+Make sure rc.firewall is executable...
 <code> <code>
-chmod +x /etc/rc.d/rc.local +chmod +x /etc/rc.d/rc.firewall
-chmod +x /etc/firewall.rules+
 </code> </code>
  
-Load your firewall rules and make sure they are as you expect them to be before continuing.+Load your firewall rules and make sure they are as you expect them to be before continuing. Also, be certain that your firewall actually loads at boot to prevent accidentally running without it!
  
 <code> <code>
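Review bot: the file test in the new rc.firewall script, `if [ -/etc/firewall.rules ]; then`, is missing its operator; `[` given a single non-empty string is always true, so the check should read `if [ -f /etc/firewall.rules ]; then`. Now that the script is executed as /etc/rc.d/rc.firewall rather than appended to rc.local, it also needs a `#!/bin/sh` first line before the `if`. The rewritten install sentence is circular: `iptables-save >/etc/firewall.rules` dumps whatever rules are currently loaded, so it only captures the rule set above once that set has already been applied; either say that the rules must be entered with iptables first, or tell the reader to paste them into /etc/firewall.rules (with `*filter` and `COMMIT`) and then run iptables-restore. Finally, `iptables -L` lists only the filter table and resolves names; `iptables -L -n -v` (and `-t nat` for the nat table) is the more useful way to confirm the loaded rules are "as you expect them to be".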
Line 87: Line 96:
  
 [[howtos:network_services:postfix_dovecot_mysql|Return to main article page]] [[howtos:network_services:postfix_dovecot_mysql|Return to main article page]]
 +====== Sources ======
 +  * Originally written by [[wiki:user:astrogeek | astrogeek]]
 {{tag>howtos email postfix dovecot firewall}} {{tag>howtos email postfix dovecot firewall}}