This repository was archived by the owner on Oct 29, 2025. It is now read-only.

MailCleaner Firewall

John Mertz edited this page Oct 21, 2024 · 1 revision

The MailCleaner firewall dynamically generates its iptables configuration upon restart. It creates rules for the necessary default ports for the machine's local network and dumps the rules configured in the external_access table of the mc_config database (on the master node). You can access this table by running:

/usr/mailcleaner/bin/mc_mysql -m mc_config

from the master node.

If you change the MailCleaner server's firewall rules with iptables directly, the changes will only be temporary and will be removed on next reboot. These rules are generated by /usr/mailcleaner/bin/dump_firewall.pl.

Adding a firewall rule permanently

To make a new firewall rule persist, you must add it to this table, for example:

INSERT INTO external_access (service,port,protocol,allowed_ip) VALUES ('SSH','22','TCP','192.168.0.1/32');

This will allow SSH access via port 22 for the IP 192.168.0.1. It is equivalent to:

iptables -A INPUT -s 192.168.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT

This rule will be loaded when you restart the firewall:

/usr/mailcleaner/etc/init.d/firewall restart

This is how some of the settings in the administrator interface, such as access to the web interface itself, are enabled.
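Because each row becomes an ACCEPT rule on the next firewall restart, it is worth checking rows before inserting them. The following is an added example, not MailCleaner code and not the logic of dump_firewall.pl: it renders each row using the row-to-iptables equivalence shown above and flags invalid or overly broad sources. It assumes one IPv4 CIDR per allowed_ip value and TCP or UDP as the protocol; the function names, the sample rows and the max_hosts threshold are hypothetical.

```python
import ipaddress

# Added example: not MailCleaner code, and not what dump_firewall.pl runs.
# Constructed sample rows in (service, port, protocol, allowed_ip) order,
# matching the column list in the INSERT statement above.
SAMPLE_ROWS = [
    ("SSH", "22", "TCP", "192.168.0.1/32"),
    ("SSH", "22", "TCP", "0.0.0.0/0"),           # open to every source
    ("web", "443", "TCP", "10.0.0.0/8"),
    ("SNMP", "161", "UDP", "192.168.0.300/32"),  # not a valid address
    ("SSH", "70000", "TCP", "192.168.0.1/32"),   # not a valid port
]


def row_to_iptables(service, port, protocol, allowed_ip):
    """Return the iptables command equivalent to one row, or raise ValueError."""
    proto = protocol.lower()
    if proto not in ("tcp", "udp"):  # assumption: only these two are used
        raise ValueError(f"{service}: unsupported protocol {protocol!r}")
    if not port.isdecimal() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{service}: invalid port {port!r}")
    try:
        # strict=True rejects host bits set below the mask, e.g. 10.0.0.1/8
        net = ipaddress.IPv4Network(allowed_ip, strict=True)
    except ValueError as exc:
        raise ValueError(f"{service}: invalid allowed_ip {allowed_ip!r}") from exc
    return (f"iptables -A INPUT -s {net} -p {proto} -m {proto} "
            f"--dport {int(port)} -j ACCEPT")


def audit(rows, max_hosts=256):
    """Split rows into rendered rules and findings worth a second look."""
    rules, findings = [], []
    for row in rows:
        try:
            rules.append(row_to_iptables(*row))
        except ValueError as exc:
            findings.append(f"INVALID {exc}")
            continue
        net = ipaddress.IPv4Network(row[3])
        if net.num_addresses > max_hosts:
            findings.append(f"BROAD {row[0]} port {row[1]} allows {net} "
                            f"({net.num_addresses} addresses)")
    return rules, findings


if __name__ == "__main__":
    rules, findings = audit(SAMPLE_ROWS)
    print("\n".join(rules + findings))
```
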

Realtime IP bans (Fail2Ban)

For ports that are open, MailCleaner runs Fail2Ban to automatically block abusive behavior. You can see our Fail2Ban Guide for information on how to manage this feature.
