iptables

satimis · 11-26-2006, 06:42 PM

Hi folks,

Ubuntu-6.06.1-LAMP-server-amd64

Which file I have to check the policy of iptables to see;

- whether having forwarded port 25 to server?

$ sudo iptables -L

Code:

Password:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/S YN tcpmss match 1400:1536 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I need to enable forwarding port 25 to server

Which file contains "server name" ?

I suppose iptables is running;

$ dpkg -l | grep iptables

Code:

ii  iptables                                         1.3.3-2ubuntu4
              Linux kernel 2.4+ iptables administration to

Is there any other way to check?

TIA

B.R.
satimis

sal_paradise42 · 11-26-2006, 11:33 PM

should be on the nat table

"iptables -nL -t nat | grep 25"

satimis · 11-27-2006, 01:12 AM

Quote:

Originally Posted by sal_paradise42

should be on the nat table

"iptables -nL -t nat | grep 25"

Hi sal_paradise42,

Tks for your advice

$ sudo iptables -nL -t nat | grep 25
No printout

I don't know whether ISP blocks port 25 or I need to enable port forwarding on port 25 to server.

Performed following test;

$ sudo /etc/init.d/firewall stop

Code:

Removing all iptables rules:  [End of flush]

$ sudo telnet localhost 25

Code:

Password:
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Ubuntu)
ehlo satimis.homelinux.com
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
mail from: myself@satimis.homelinux.com
250 Ok
rcpt to: satimis@yahoo.com
250 Ok
data
354 End data with <CR><LF>.<CR><LF>

Subject: Test

This is a test, a test
.
250 Ok: queued as 72999754068
quit
221 Bye
Connection closed by foreign host.

No error found on /var/log/mail.err, only an empty file.

$ cat /var/log/mail.log

Code:

......
Nov 27 14:21:40 ubuntu postfix/smtp[5600]: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out (port 25)
Nov 27 14:21:40 ubuntu postfix/smtp[5597]: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out (port 25)
Nov 27 14:21:40 ubuntu postfix/smtp[5600]: 8452B754052: to=<satimis@yahoo.com>, relay=none, delay=232642, status=deferred (connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:21:40 ubuntu postfix/smtp[5597]: 1A25F754050: to=<satimis@yahoo.com>, relay=none, delay=232996, status=deferred (connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:21:40 ubuntu postfix/smtp[5598]: connect to h.mx.mail.yahoo.com[66.196.97.250]: Connection timed out (port 25)
Nov 27 14:21:40 ubuntu postfix/smtp[5598]: 58B9D75404C: to=<satimis@yahoo.com>, relay=none, delay=365906, status=deferred (connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:21:40 ubuntu postfix/smtp[5596]: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out (port 25)
Nov 27 14:21:40 ubuntu postfix/smtp[5596]: 172E6754048: to=<satimis@yahoo.com>, relay=none, delay=410465, status=deferred (connect to h.mx.mail.yahoo.com[66.196.97.250]: Connection timed out)
Nov 27 14:21:40 ubuntu postfix/qmgr[5587]: D50EC754060: to=<satimis@yahoo.com>, relay=none, delay=66296, status=deferred (delivery temporarily suspended: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:22:44 ubuntu postfix/smtpd[5970]: connect from localhost.localdomain[127.0.0.1]
Nov 27 14:25:27 ubuntu postfix/smtpd[5970]: 72999754068: client=localhost.localdomain[127.0.0.1]
Nov 27 14:25:53 ubuntu postfix/cleanup[5981]: 72999754068: message-id=<20061127062527.72999754068@server1.example.com>
Nov 27 14:25:53 ubuntu postfix/qmgr[5587]: 72999754068: from=<myself@satimis.homelinux.com>, size=416, nrcpt=1 (queue active)
Nov 27 14:25:53 ubuntu postfix/qmgr[5587]: 72999754068: to=<satimis@yahoo.com>, relay=none, delay=44, status=deferred (delivery temporarily suspended: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:26:00 ubuntu postfix/smtpd[5970]: disconnect from localhost.localdomain[127.0.0.1]

Tried gmail.com with same result.

Is there any way checking ISP. Before I came across a thread running "cpan" checking port 25 unforunately I forgot the command line.

Tks.

B.R.
satimis

satimis · 11-27-2006, 03:46 AM

Hi sal_paradise42,

found port 25 is not blocked by ISP

http://www.grc.com/default.htm
ShieldsUP!

Port 25

Code:

GRC Port Authority Report created on UTC: 2006-11-27 at 09:24:50

Results from probe of port: 25

    1 Ports Open
    0 Ports Closed
    0 Ports Stealth
---------------------
    1 Ports Tested

THE PORT tested was found to be: OPEN.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

Common ports

Code:

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2006-11-27 at 09:20:22

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 
                            119, 135, 139, 143, 389, 443, 445, 
                            1002, 1024-1030, 1720, 5000

    4 Ports Open
   17 Ports Closed
    5 Ports Stealth
---------------------
   26 Ports Tested

Ports found to be OPEN were: 25, 110, 143, 443

Ports found to be STEALTH were: 80, 135, 139, 445, 5000

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

$ dpkg -l | grep postfix

Code:

ii  postfix                                          2.2.10-1ubuntu0.1              A high-performance mail transport agent

$ dpkg -l | grep courier

Code:

ii  courier-authdaemon                               0.47-13ubuntu5.1              Courier Mail Server - Authentication daemon
ii  courier-base                                     0.47-13ubuntu5.1              Courier Mail Server - Base system
ii  courier-imap                                     3.0.8-13ubuntu5.1              Courier Mail Server - IMAP server
ii  courier-imap-ssl                                 3.0.8-13ubuntu5.1              Courier Mail Server - IMAP over SSL
ii  courier-pop                                      0.47-13ubuntu5.1              Courier Mail Server - POP3 server
ii  courier-pop-ssl                                  0.47-13ubuntu5.1              Courier Mail Server - POP3 over SSL
ii  courier-ssl                                      0.47-13ubuntu5.1              Courier Mail Server - SSL/TLS Support

They are running.

Firewall stopped during test.
$ sudo /etc/init.d/firewall stop
Password:
Removing all iptables rules: [End of flush]

There must be somethings else.

Tks.

B.R.
satimis

nuxrl · 11-27-2006, 04:13 AM

You need to tell us a little more before people can help you. How do you connect to the Internet? Is there a router between the the server and the ISP's connection? What you have done shows us,

1. your mail server is listening on port 25;
2. you have Internet connection and the outgoing traffic to port 25 is not blocked.

If there's a router involved, forward traffic on port 25 to your local server and use another box not from your home network (from net cafe or work sth, for example) and try

Code:

telnet your_domain/wan_IP 25

Most ISPs block incoming traffic on port 25. If that's the case, you need,
1. run postfix on another port other than default 25;
2. find another place to forward traffic to 25 to your new port.

Hope this helps.

satimis · 11-27-2006, 04:58 AM

Hi nuxrl,

Tks for your advice.

Quote:

How do you connect to the Internet? Is there a router between the the server and the ISP's connection? What you have done shows us,

The server is connected to ISP via an ADSL modem, which is only a modem, no setup is needed. Another end of the modem is connected to a telephone wall socket.

Quote:

1. your mail server is listening on port 25;
2. you have Internet connection and the outgoing traffic to port 25 is not blocked.

Yes, I stopped iptables before making the test. Is there any other device or file blocking port 25

Quote:

try

Code:

telnet your_domain/wan_IP 25

$ sudo telnet satimis.homelinux.com/wan_IP 25

Code:

telnet: could not resolve satimis.homelinux.com/wan_IP/25: Name or service not known

I expect to clarify following first. After registration DYNDNS.ORG sent me a reply

Code:

Hostname:  satimis.homelinux.com
IP Address: 58.152.161.53
Wildcard:  Y
Mail Exchanger: None
Backup MX:  Y

Is it "Hostname"="mydomain"? Tks

Quote:

Most ISPs block incoming traffic on port 25. If that's the case, you need,
1. run postfix on another port other than default 25;
2. find another place to forward traffic to 25 to your new port.

From "GRC Port Authority Report" port 25 is open. Neither it is stealth

B.R.
satimis

amitsharma_26 · 11-27-2006, 06:57 AM

Satimis,

Few points :
1. As neither you are having default FORWARD policy as DROP & nor you are running any other explicit rules at FORWARD to DROP; the only thing you need to forward any packets recieved from internet to another box(server) is DNATing.

2. I did'nt found 25 port in OPEN state at your ip. (I nmaped you for this)

Quote:

Originally Posted by satimis

I need to enable forwarding port 25 to server
Which file contains "server name" ?

3. At any point use can refer your server via its ip as well in case of its host/domain name.

So My suggestion is to add a DNAT rule to your firewall running at this box & leave FORWARD chain as it is.(though it is not suggestible)

nuxrl · 11-27-2006, 07:32 AM

Hi Satimis,

Thanks for the information.

Beisdes amitsharma_26's suggestion to use a DNAT rule in iptables, another option is to change /etc/postfix/main.cf to have,

Code:

inet_interfaces = all

and restart postfix. This will force postfix to listen on all active interfaces on your server.

satimis · 11-27-2006, 08:21 AM

Hi nuxrl,

Tks for your advice.

Quote:

Beisdes amitsharma_26's suggestion to use a DNAT rule in iptables, another option is to change /etc/postfix/main.cf to have,

Code:

inet_interfaces = all

$ cat /etc/postfix/main.cf | grep inet_interfaces

Code:

inet_interfaces = all

It is already there.

$ cat /etc/postfix/main.cf

Code:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = /etc/postfix/local-host-names
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
mailbox_command =
home_mailbox = Maildir/
virtual_maps = hash:/etc/postfix/virtusertable

B.R.
satimis

satimis · 11-27-2006, 08:58 AM

Hi amitsharma_26,

Tks for your advice.

Quote:

2. I did'nt found 25 port in OPEN state at your ip. (I nmaped you for this)

Performed following tests;

To scan all reserved TCP ports on the PC satimis.homelinux.con
$ sudo nmap -v satimis.linux.com

Code:

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-27 22:43 HKT
DNS resolution of 1 IPs took 8.29s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 2, CN: 1]
Initiating SYN Stealth Scan against ostg.com (66.35.250.177) [1674 ports] at 22:43
Discovered open port 80/tcp on 66.35.250.177
Increasing send delay for 66.35.250.177 from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for 66.35.250.177 from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for 66.35.250.177 from 10 to 20 due to max_successful_tryno increase to 6
Increasing send delay for 66.35.250.177 from 20 to 40 due to 11 out of 12 dropped probes since last increase.
SYN Stealth Scan Timing: About 3.02% done; ETC: 23:00 (0:16:05 remaining)
Increasing send delay for 66.35.250.177 from 40 to 80 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 66.35.250.177 from 80 to 160 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 66.35.250.177 from 160 to 320 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 66.35.250.177 from 320 to 640 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 66.35.250.177 from 640 to 1000 due to 11 out of 19 dropped probes since last increase.
caught SIGINT signal, cleaning up

To scan port 25
$ sudo nmap -p 25 satimis.homelinux.com

Code:

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-27 22:45 HKT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.256 seconds

$ sudo nmap -P0 satimis.homelinux.com

Code:

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-27 22:47 HKT
Interesting ports on n058152161053.netvigator.com (58.152.161.53):
(The 1673 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
113/tcp closed auth

Nmap finished: 1 IP address (1 host up) scanned in 26.911 seconds

What is "n058152161053.netvigator.com (58.152.161.53)"? netvigator.com is my ISP.

Quote:

So My suggestion is to add a DNAT rule to your firewall running at this box & leave FORWARD chain as it is.(though it is not suggestible)

What command shall I run. TIA

B.R.
satimis

sal_paradise42 · 11-27-2006, 09:57 AM

so, is your ADSL modem connected to a router of some kind? or is it connected to the server? Because if the server is connected directly to the modem you may not be doing NAT, then port forwarding is not needed.

amitsharma_26 · 11-27-2006, 12:02 PM

Quote:

Originally Posted by satimis

What command shall I run.

Code:

iptables -t nat -A PREROUTING -p tcp -i <eth-wan-interface> --dport 25 -j DNAT --to <serverip--to-forward>

Also set your server(to whom which are forwarding our port 25) to have gateway as firewall box.

satimis · 11-27-2006, 05:42 PM

Quote:

Originally Posted by sal_paradise42

so, is your ADSL modem connected to a router of some kind? or is it connected to the server? Because if the server is connected directly to the modem you may not be doing NAT, then port forwarding is not needed.

Hi,

The ADSL modem is connected directly to the server. It has only 2 sockets, one connected to server with a CAT5 cable and another to telephone wall socket with a telephone line.

B.R.
satimis

satimis · 11-27-2006, 05:54 PM

Hi amitsharma_26,

Quote:

CODE]iptables -t nat -A PREROUTING -p tcp -i <eth-wan-interface> --dport 25 -j DNAT --to <serverip--to-forward>[/CODE] Also set your server(to whom which are forwarding our port 25) to have gateway as firewall box.

I'm suspecting my ISP blocking port 25. Because I sent email from it via ISP broadband to its final destination, webmail box on Yahoo.

Shall I replace;
<eth-wan-interface>
<serverip--to-forward>

with something? Or just run the command line exactly written by you on above. Tks.

B.R.
satimis

sal_paradise42 · 11-27-2006, 06:34 PM

satimis,

amitsharma_26 assumes that you are using a Linux box that connects to your DSL modem and is acting as a router/Nat device, is this the case? if not, what kind of box do you have connected to your dsl modem, is it a netgear,lynksys or something like that?