Hi, can someone tell me how I can restrict port 110 access to anything other than my IP block? If it is through tcp-wrapper, how can I do that? Thanks, Sharif
kasharif@citech-bd.com wrote:
> Hi, can someone tell me how I can restrict port 110 access to anything other than my IP block? If it is through tcp-wrapper, how can I do that? Thanks, Sharif

I would do it with netfilter/iptables (assuming you're on Linux with a recent enough distribution; under BSD, use ipfilter, it's similar).

Something like:

    iptables -t filter -P INPUT DROP
    iptables -t filter -A INPUT -p tcp --dport 110 --source 10.0.0.0/8 -j ACCEPT
    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule set would block any incoming traffic except to port 110 coming from 10.x.x.x, and would allow any outgoing traffic.

I quickly wrote it from memory, so there may be errors (I mean, verify it :), and of course you should adapt it to your specific setup.

--
 \|||/
 (o o)   Matthieu Imbert
ooO-(_)-Ooo------------------------------------------
On Sunday 26 Jun 2005 11:21 am, matthieu imbert wrote:
> kasharif@citech-bd.com wrote:
> > Hi, can someone tell me how I can restrict port 110 access to anything other than my IP block? If it is through tcp-wrapper, how can I do that?
>
> I would do it with netfilter/iptables (assuming you're on Linux with a recent enough distribution; under BSD, use ipfilter, it's similar).

I'd probably use the xinetd option "only_from" to achieve the same effect.

Not least because xinetd offers other options to control (and in particular to prevent runaway) resource usage.

But then the server here is behind a firewall, so I had to open that to allow access.
matthieu imbert wrote:
> kasharif@citech-bd.com wrote:
> > Hi, can someone tell me how I can restrict port 110 access to anything other than my IP block? If it is through tcp-wrapper, how can I do that? Thanks, Sharif
>
> I would do it with netfilter/iptables (assuming you're on Linux with a recent enough distribution; under BSD, use ipfilter, it's similar).
>
> Something like:
>
>     iptables -t filter -P INPUT DROP
>     iptables -t filter -A INPUT -p tcp --dport 110 --source 10.0.0.0/8 -j ACCEPT
>     iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> This rule set would block any incoming traffic except to port 110 coming from 10.x.x.x, and would allow any outgoing traffic.
>
> I quickly wrote it from memory, so there may be errors (I mean, verify it :), and of course you should adapt it to your specific setup.

This is only good if the *ONLY* access you want to the machine is to be on port 110 from the 10.0.0.0/8 subnet.

I'm pretty sure that's not what the OP wants.

alan
Thanks for your prompt solution...

This is my mail server, serving SMTP, POP, IMAP and HTTP. So do you think it's the perfect solution for me to control access to port 110?

I tried with hosts.allow; it doesn't work. If Dovecot doesn't have any ACL system then I think IP filtering is the only solution, isn't it? Thanks, Sharif

> kasharif@citech-bd.com wrote:
> > Hi, can someone tell me how I can restrict port 110 access to anything other than my IP block? If it is through tcp-wrapper, how can I do that? Thanks, Sharif
>
> I would do it with netfilter/iptables (assuming you're on Linux with a recent enough distribution; under BSD, use ipfilter, it's similar).
>
> Something like:
>
>     iptables -t filter -P INPUT DROP
>     iptables -t filter -A INPUT -p tcp --dport 110 --source 10.0.0.0/8 -j ACCEPT
>     iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> This rule set would block any incoming traffic except to port 110 coming from 10.x.x.x, and would allow any outgoing traffic.
>
> I quickly wrote it from memory, so there may be errors (I mean, verify it :), and of course you should adapt it to your specific setup.
>
> --
>  \|||/
>  (o o)   Matthieu Imbert
> ooO-(_)-Ooo------------------------------------------
On 28.6.2005, at 06:54, kasharif@citech-bd.com wrote:
> I tried with hosts.allow; it doesn't work. If Dovecot doesn't have any ACL system then I think IP filtering is the only solution, isn't it?

What ACL system do you mean?

Firewalling is one solution anyway. Another would be to try to run Dovecot through inetd, which would make hosts.allow work (see wiki). And the final possibility would be to use a PAM module which restricts the IP addresses from which logins are allowed.
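As an added example (not code from any of the posters), here is the firewalling option kept to port 110 alone, so the other services Sharif runs on the same host (SMTP, IMAP, HTTP) stay reachable, which addresses Alan's objection to the default-DROP rule set. It assumes a Linux host with iptables, run as root; the chain name POP3_ACL and the dry-run variable IPT are my own choices.

```shell
#!/bin/sh
# Restrict POP3 (tcp/110) to one address block without changing the
# default policy of INPUT, so other services on the host are untouched.
# Added example, not from the thread. Assumes Linux + iptables, run as
# root. Set IPT=echo to preview the commands instead of applying them.
IPT="${IPT:-iptables}"

# pop3_restrict ALLOWED_CIDR [PORT]
# Uses a dedicated chain (POP3_ACL, an assumed name) so re-running the
# function replaces the old rules instead of appending duplicates.
pop3_restrict() {
    cidr="$1"
    port="${2:-110}"

    # Create the chain if missing, then empty it (idempotent on re-run).
    "$IPT" -N POP3_ACL 2>/dev/null || true
    "$IPT" -F POP3_ACL

    # Allowed block: accept. Everything else: log (rate limited so a
    # scan cannot flood syslog) and reject with a TCP reset.
    "$IPT" -A POP3_ACL -s "$cidr" -j ACCEPT
    "$IPT" -A POP3_ACL -m limit --limit 5/min -j LOG --log-prefix "POP3 denied: "
    "$IPT" -A POP3_ACL -j REJECT --reject-with tcp-reset

    # Hook the chain into INPUT for NEW connections to the port only.
    # Remove any earlier hook first so the jump is not duplicated.
    "$IPT" -D INPUT -p tcp --dport "$port" -m state --state NEW -j POP3_ACL 2>/dev/null || true
    "$IPT" -I INPUT -p tcp --dport "$port" -m state --state NEW -j POP3_ACL
}

# Usage: sh thisscript.sh 10.0.0.0/8        (or: IPT=echo sh thisscript.sh 10.0.0.0/8)
if [ "$#" -gt 0 ]; then
    pop3_restrict "$@"
fi
```

Established sessions are not sent through the chain, so applying it does not drop clients that are already connected from the allowed block.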
participants (5): Alan Premselaar, kasharif@citech-bd.com, matthieu imbert, Simon Waters, Timo Sirainen