LinuxQuestions.org
Old 04-29-2006, 08:27 AM   #1
dtra
Member
 
Registered: Nov 2004
Distribution: fc4
Posts: 104

Rep: Reputation: 15
fc4 iptables blocking yum and smtp (postfix)


Hi all,

OK, I know this is an iptables issue, because both yum and SMTP work when I turn iptables off.

I don't really have any idea when it comes to server-level stuff, so I really need someone to help me out here.

I have been told that it has something to do with ESTABLISHED,RELATED settings that I need to add (but I don't know what I need to do).

My iptables rules are listed below.

Thanks,
Dave

Code:
# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,10000
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 20,21,25,80,110,143,443,993,995,3306
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 53,123
#-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# Localhost traffic
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Tue Apr 11 23:20:05 2006
# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [247924:148337622]
:OUTPUT ACCEPT [203797:85733410]
:POSTROUTING ACCEPT [203797:85733410]
:PREROUTING ACCEPT [273515:151663480]
COMMIT
# Completed on Tue Apr 11 23:20:05 2006
# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*nat
:OUTPUT ACCEPT [3330:227736]
:POSTROUTING ACCEPT [3330:227736]
:PREROUTING ACCEPT [41038:5544645]
COMMIT
# Completed on Tue Apr 11 23:20:05 2006
 
Old 04-30-2006, 01:05 AM   #2
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
Doesn't look anything like the default firewall...

Hmmm - I'd make more sense out of iptables -L or, even better, the script used to create this. It looks kind of odd to me. Certainly the lack of stateful filters is a point... probably the best way to tell you about this is to provide a commented example for you to compare:

Code:
#!/bin/sh
# sdb firewall: Simon Bridge 2005
# based on the mdh firewall: Jon "maddog" Hall & Paul G Seary 2003

# Load appropriate modules (ip_conntrack_ftp lets RELATED match FTP data connections).
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# remove existing rules
iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables --zero

# Definitions
MYNET="192.168.23.0/24"
LANFACE="eth0"
WEBFACE=
WEBIP=""
DNS01=""
DNS02=""
BCAST="192.168.23.255"
LOOPB="127.0.0.0/8"

### Kernel Parameters ###

# Uncomment to disable response to icmp ping requests.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance.
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
   /bin/echo "0" > ${interface}
done

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "1" > ${interface}
done

# Make sure that IP forwarding is turned off.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

### Rules ###

# Set up a default DROP policy for the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow unlimited traffic on the loopback interface.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow only initiated traffic in: replies to connections this host opened,
# plus connections conntrack knows are related to them (e.g. FTP data).
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
#/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#iptables -P FORWARD ACCEPT
#iptables -t nat -A POSTROUTING -o $WEBFACE -j SNAT --to $WEBIP

# Allow network traffic through eth0
iptables -A INPUT -i $LANFACE -s $MYNET -j ACCEPT

# Allow all traffic out
# Any other output rule should go /before/ this one
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Adding to the above - you'll maybe want to disable SSH remote login too. (Particularly remote login attempts from outside your LAN.)

For you - I think you are blocking incoming FTP packets - you need to accept packets from related and existing connections.
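An added example, not part of either post, that applies the point above to the ruleset in post #1: it shows why that table drops yum's and postfix's outbound traffic and the single conntrack rule that fixes it. The POSTED_RULES text is copied from post #1; FIXED_RULES is the corrected version written here; stateful_ok and apply_fixed_rules are helper names chosen for this example; and the save path /etc/sysconfig/iptables is an assumption about the Fedora Core 4 layout.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why post #1's ruleset drops yum and
# outbound SMTP traffic, and the conntrack rule that fixes it.
#
# ":INPUT DROP" means every inbound packet must match an ACCEPT rule. The posted
# rules accept only by *destination* port (22, 25, 80, ...). A reply to a
# connection this host opened (yum fetching from a mirror on tcp/80, postfix
# delivering to a remote MX on tcp/25, a DNS answer from udp/53) arrives with
# that port as its *source* and a random high port as its destination, so it
# matches nothing and is dropped. An ESTABLISHED,RELATED rule accepts exactly
# those replies, for UDP as well as TCP, because conntrack remembers the
# outbound packet that started the exchange.

# Filter table as posted in post #1 (copied from the thread for the check below).
POSTED_RULES='*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,10000
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 20,21,25,80,110,143,443,993,995,3306
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 53,123
-A INPUT -i lo -j ACCEPT
COMMIT'

# Corrected filter table. Loopback and the stateful rule go first so replies are
# accepted before the per-port rules are consulted; INVALID packets (no matching
# connection, bad TCP flags) are dropped explicitly. Service ports are unchanged.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m multiport --dports 22,10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,25,80,110,143,443,993,995,3306 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT
COMMIT'

# stateful_ok RULESET
# Returns 0 when INPUT either does not default to DROP or has an ACCEPT rule
# matching ESTABLISHED state (via -m state or -m conntrack); returns 1 when
# INPUT defaults to DROP with no such rule, which is the bug in post #1.
stateful_ok() {
    _rules=$1
    if ! printf '%s\n' "$_rules" | grep -q '^:INPUT DROP'; then
        return 0
    fi
    printf '%s\n' "$_rules" \
        | grep -E '^-A INPUT .*-j ACCEPT' \
        | grep -Eq -- '--(state|ctstate) [A-Z,]*ESTABLISHED'
}

# apply_fixed_rules
# Loads the corrected table and saves it where the FC4 init script reads it
# (/etc/sysconfig/iptables, an assumption about the OP's layout). Needs root.
apply_fixed_rules() {
    printf '%s\n' "$FIXED_RULES" | iptables-restore || return 1
    printf '%s\n' "$FIXED_RULES" > /etc/sysconfig/iptables
}

# Stand-alone run: report on both rulesets without touching the live firewall.
for name in POSTED_RULES FIXED_RULES; do
    eval "rules=\$$name"
    if stateful_ok "$rules"; then
        echo "$name: replies to outbound connections are accepted"
    else
        echo "$name: INPUT drops replies (no ESTABLISHED,RELATED rule)"
    fi
done
```

If you would rather patch the running firewall than reload the table, the equivalent one-liner is `iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT` (the `-I INPUT 1` puts it ahead of the per-port rules), followed by `service iptables save` on Fedora so it survives a reboot. Confirm it is doing the work with `iptables -L INPUT -v -n` while yum runs: the packet counter on the state rule should climb, and the commented-out `--sport 53` rule in post #1 is no longer needed because conntrack matches DNS replies too.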