fc4 iptables blocking yum and smtp (postfix)

dtra · 04-29-2006, 07:27 AM

hi all

ok, i know this is an iptables issue, because both yum and smtp work when i turn iptables off

i don't really have any idea when it comes to server level stuff, so i really need someone to help me out here

i have been told that it has something to do with ESTABLISHED,RELATED settings that i need to add (but don't know what i need to do)

my iptables listed below

thanks
dave

Code:

# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,10000
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 20,21,25,80,110,143,443,993,995,3306
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 53,123
#-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# Localhost traffic
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Tue Apr 11 23:20:05 2006
# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [247924:148337622]

:OUTPUT ACCEPT [203797:85733410]
:POSTROUTING ACCEPT [203797:85733410]
:PREROUTING ACCEPT [273515:151663480]
COMMIT
# Completed on Tue Apr 11 23:20:05 2006
# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*nat
:OUTPUT ACCEPT [3330:227736]
:POSTROUTING ACCEPT [3330:227736]
:PREROUTING ACCEPT [41038:5544645]
COMMIT
# Completed on Tue Apr 11 23:20:05 2006

Simon Bridge · 04-30-2006, 12:05 AM

Dosn't look anything like the default firewall...

hmmm - I'd make more sence out of iptables -L or, even better, the script used to create this. It looks kinda odd to me. Certainly the lack of stateful filters is a point... probably the best way to tell you about this is to provide a commented example for you to compare:

Code:

# sdb firewall: Simon Bridge 2005
# based on the mdh firewall: Jon "maddog" Hall & Paul G Seary 2003

#! /bin/sh

# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# remove existing rules
iptables --flush
iptables -t nat --flush
iptables --delete_chain
iptables --zero

# Definitions
MYNET="192.168.23.0/24"
LANFACE="eth0"
WEBFACE=
WEBIP=""
DNS01=""
DNS02=""
BCAST="192.168.23.255"
LOOPB="127.0.0.0/8"

### Kernel Parameters ###

# Uncomment to disable response to icmp ping requests.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance.
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
   /bin/echo "0" > ${interface}
done

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "1" > ${interface}
done

# Make sure that IP forwarding is turned off.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

### Rules ###

# Set up a default DROP policy for the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow unlimited traffic on the loopback interface.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow SSH connections
iptables -A INPUT -t tcp -j ACCEPT -dport 22

# Allow only initiated traffic in
iptables -A INPUT -m state --state RELATED,EXISTING -j ACCEPT

# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
#/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#iptables -P FORWARD ACCEPT
#iptables -A POSTROUTING -t NAT -o $WEBFACE -j SNAT --to $WEBIP

# Allow network traffic through eth0
iptables -A INPUT -i $LANFACE -s $MYNET -j ACCEPT

# Allow all traffic out
# Any other output rule should go /before/ this one
iptables -A OUTPUT -m state --state NEW,RELATED,EXISTING -j ACCEPT

Adding to above - you'll maybe want to disable ssh remote login too. (Particularily remote login attempts from outside your lan.)

For you - I think you are blocking ftp packets incoming - you need to accept packets from related and existing connections.