I'm just about to put some servers on teh interweb, so need to tighten them up a bit. These are the rules that I have for my SMTP/Web server, as generated by Webmin.

eth0 has a public IP, and is connected directly to teh interweb. On this interface, the machine should only accept traffic for ports 25, 80, and 222 (ssh).

eth1 has a non-public IP address, and is connected to the LAN. I am not bothered about what traffic is accepted here.

Does the line "-A INPUT ! -i eth0 -j ACCEPT" mean that traffic is accepted if input interface is not eth0?

And if this machine is not going to be NATing, do I need sections "*nat" and "*mangle"?

Here are my rules. Any help/comment appreciated.


# Generated by iptables-save v1.2.11 on Mon Dec 11 15:00:22 2006
*nat
:PREROUTING ACCEPT [16:2141]
:POSTROUTING ACCEPT [4:283]
:OUTPUT ACCEPT [4:283]
COMMIT
# Completed on Mon Dec 11 15:00:22 2006
# Generated by iptables-save v1.2.11 on Mon Dec 11 15:00:22 2006
*mangle
:PREROUTING ACCEPT [598:613490]
:INPUT ACCEPT [594:613314]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [422:36314]
:POSTROUTING ACCEPT [422:36314]
COMMIT
# Completed on Mon Dec 11 15:00:22 2006
# Generated by iptables-save v1.2.11 on Mon Dec 11 15:00:22 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Accept SMTP traffic
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# My own special SSH Rule
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
# Web Server
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
COMMIT
# Completed on Mon Dec 11 15:00:22 2006
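Added example (editor's code, not part of the original post): a small Python evaluator that parses the `*filter` table quoted above and walks the INPUT chain the way the kernel does, first match wins and the chain policy applies when nothing matches. It is here to make the semantics of the posted rules checkable offline: `! -i eth0` matches every packet whose input interface is not eth0, so the first rule accepts all LAN traffic; the `--tcp-flags ACK ACK` rule sits ahead of the port rules and accepts any TCP segment carrying the ACK flag on any port, so the port 25/80/222 restriction is only applied to segments without ACK (a plain SYN); ICMP echo-request is not in the accepted ICMP types and hits the DROP policy. The `*nat` and `*mangle` tables in the dump contain only default ACCEPT policies and no rules, so they are omitted from the embedded text. Only the matches that actually appear in the ruleset are modelled, anything else raises rather than being silently ignored, and the conntrack state of a packet is supplied as input rather than derived. Packets in `verdicts()` are constructed.

```python
RULESET = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
COMMIT
"""  # the *filter table from the post, inline comments removed, rules unchanged
# option -> how many arguments it consumes; only what this ruleset uses is modelled
ARGC = {'-i': 1, '-p': 1, '-m': 1, '--dport': 1, '--sport': 1,
        '--tcp-flags': 2, '--icmp-type': 1, '--state': 1, '-j': 1}
SIMPLE = {'-p': 'proto', '--icmp-type': 'icmp_type', '-j': 'target'}


def parse_rule(opts):
    """Option tokens of one '-A CHAIN ...' line -> dict of matches plus 'target'."""
    rule, negate, i = {}, False, 0
    while i < len(opts):
        opt = opts[i]
        if opt == '!':                      # applies to the option that follows
            negate, i = True, i + 1
            continue
        if opt not in ARGC or (negate and opt != '-i'):
            raise ValueError(f'unsupported option {opt!r}')  # never skip a match silently
        a = opts[i + 1:i + 1 + ARGC[opt]]
        if opt == '-i':
            rule['iface'] = (a[0], negate)                    # (name, negated?)
        elif opt in SIMPLE:
            rule[SIMPLE[opt]] = a[0]
        elif opt in ('--dport', '--sport'):                   # '25' or '1024:65535'
            lo, _, hi = a[0].partition(':')
            rule[opt[2:]] = (int(lo), int(hi or lo))
        elif opt == '--tcp-flags':                            # (mask, flags that must be set)
            rule['tcp_flags'] = (set(a[0].split(',')), set(a[1].split(',')))
        elif opt == '--state':
            rule['state'] = set(a[0].split(','))
        negate, i = False, i + 1 + ARGC[opt]   # '-m tcp|udp|icmp|state' just selects a module
    return rule


def parse_dump(text):
    """iptables-save text -> {table: {'policy': {chain: target}, 'rules': {chain: [...]}}}."""
    tables, cur = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line[0] == '*':                       # '*filter' starts a table
            cur = tables.setdefault(line[1:], {'policy': {}, 'rules': {}})
        elif line[0] == ':':                     # ':INPUT DROP [0:0]' sets the chain policy
            cur['policy'][line[1:].split()[0]] = line[1:].split()[1]
        elif line[0] == '-':                     # '-A INPUT ...' appends a rule
            _a, chain, *opts = line.split()
            cur['rules'].setdefault(chain, []).append(parse_rule(opts))
    return tables                                # '#' comments and COMMIT fall through


def matches(rule, pkt):
    """True when every match in the rule agrees with the packet (matches are ANDed)."""
    if 'iface' in rule and (pkt['iface'] == rule['iface'][0]) == rule['iface'][1]:
        return False                            # '! -i eth0' hits every interface but eth0
    if any(k in rule and rule[k] != pkt[k] for k in ('proto', 'icmp_type')):
        return False
    if any(k in rule and not rule[k][0] <= pkt[k] <= rule[k][1] for k in ('dport', 'sport')):
        return False
    if 'tcp_flags' in rule:                     # only the flags named in the mask are examined
        mask, want = rule['tcp_flags']
        if pkt['flags'] & mask != want & mask:
            return False
    return 'state' not in rule or pkt['state'] in rule['state']


def evaluate(tables, pkt, table='filter', chain='INPUT'):
    """Walk the chain top to bottom: first match wins, else the policy. -> (verdict, rule_no)."""
    t = tables[table]
    for n, rule in enumerate(t['rules'].get(chain, []), 1):
        if matches(rule, pkt):
            return rule['target'], n
    return t['policy'][chain], None


def pkt(iface, proto, **f):      # constructed packet; conntrack state defaults to NEW
    return {'iface': iface, 'proto': proto, 'dport': 0, 'sport': 0,
            'flags': set(), 'icmp_type': '', 'state': 'NEW', **f}


def verdicts():                  # decisions for constructed packets against the ruleset
    tables = parse_dump(RULESET)
    cases = {
        'eth0 SYN to 80': pkt('eth0', 'tcp', dport=80, flags={'SYN'}),
        'eth0 SYN to 22': pkt('eth0', 'tcp', dport=22, flags={'SYN'}),
        'eth1 SYN to 22': pkt('eth1', 'tcp', dport=22, flags={'SYN'}),
        'eth0 bare ACK to 22': pkt('eth0', 'tcp', dport=22, flags={'ACK'}),
        'eth0 DNS reply': pkt('eth0', 'udp', dport=40000, sport=53),
        'eth0 echo-request': pkt('eth0', 'icmp', icmp_type='echo-request'),
    }
    return {k: evaluate(tables, p) for k, p in cases.items()}
```

`verdicts()` returns the verdict and the number of the rule that produced it (`None` means the chain policy). With this ruleset the SYN to port 80 on eth0 is accepted by rule 13, the same SYN to port 22 is dropped by policy, the SYN to port 22 on eth1 is accepted by rule 1, the bare ACK to port 22 on eth0 is accepted by rule 2, the DNS reply by rule 5, and the echo-request falls through to DROP. Reordering the `--tcp-flags` rule behind the port rules, or replacing it with the `ESTABLISHED,RELATED` state match that already follows it, is the change that makes the port restriction apply to every TCP segment, which the evaluator will confirm if you edit `RULESET` and rerun it.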