Zhang Huangbin avatar Zhang Huangbin committed 4cdebd3

One port each iptable rule.

Comments (0)

Files changed (2)

iRedMail/functions/cleanup.sh

         export sshd_port='22'
     else
         # Replace port number in iptable, pf and Fail2ban.
-        perl -pi -e 's#(.*,)22(.*)#${1}$ENV{sshd_port} ${2}#' ${SAMPLE_DIR}/iptables.rules ${SAMPLE_DIR}/pf.conf
+        perl -pi -e 's#(.*, )22( .*)#${1}$ENV{sshd_port}${2}#' ${SAMPLE_DIR}/iptables.rules
 
         [ -f ${FAIL2BAN_JAIL_LOCAL_CONF} ] && \
             perl -pi -e 's#(.*port=.*)ssh(.*)#${1}$ENV{sshd_port}${2}#' ${FAIL2BAN_JAIL_LOCAL_CONF}
                 if [ X"${DISTRO}" == X"SUSE" ]; then
                     # Below services are not accessable from external network:
                     #   - ldaps (636)
-                    perl -pi -e 's/^(FW_SERVICES_EXT_TCP=)(.*)/${1}"$ENV{'HTTPD_PORT'} 443 25 110 995 143 993 587 465 $ENV{'sshd_port'}"\n#${2}/' ${IPTABLES_CONFIG}
+                    perl -pi -e 's/^(FW_SERVICES_EXT_TCP=)(.*)/${1}"$ENV{HTTPD_PORT} 443 25 110 995 143 993 587 465 $ENV{sshd_port}"\n#${2}/' ${IPTABLES_CONFIG}
 
                 elif [ X"${DISTRO}" == X"DEBIAN" -o X"${DISTRO}" == X"UBUNTU" ]; then
                     # Copy sample rc script for Debian.

iRedMail/samples/iptables.rules

 # Loop device.
 -A INPUT -i lo -j ACCEPT
 
-# http/https, smtp/submission, pop3/pop3s, imap/imaps, ssh
--A INPUT -p tcp -m multiport --dport 80,443,25,587,110,995,143,993,465,22 -j ACCEPT
+# http, https
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+# smtp, submission
+-A INPUT -p tcp --dport 25 -j ACCEPT
+-A INPUT -p tcp --dport 587 -j ACCEPT
+
+# pop3, pop3s
+-A INPUT -p tcp --dport 110 -j ACCEPT
+-A INPUT -p tcp --dport 995 -j ACCEPT
+
+# imap, imaps
+-A INPUT -p tcp --dport 143 -j ACCEPT
+-A INPUT -p tcp --dport 993 -j ACCEPT
+
+# ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
 
 # Allow PING from remote hosts.
 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 # ejabberd
 #-A INPUT -p tcp -m multiport --dport 5222,5223,5280 -j ACCEPT
 
-# http/https
-#-A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
-
-# smtp/smtps
-#-A INPUT -p tcp -m multiport --dport 25,465 -j ACCEPT
-
-# pop3/pop3s
-#-A INPUT -p tcp -m multiport --dport 110,995 -j ACCEPT
-
-# imap/imaps
-#-A INPUT -p tcp -m multiport --dport 143,993 -j ACCEPT
-
 # ldap/ldaps
 #-A INPUT -p tcp -m multiport --dport 389,636 -j ACCEPT
 
 # ftp.
 #-A INPUT -p tcp -m multiport --dport 21,20 -j ACCEPT
 
-# ssh
-#-A INPUT -p tcp --dport 22 -j ACCEPT
-
 COMMIT
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.