LinuxQuestions.org
Old 05-29-2008, 05:40 PM   #1
cool47
Member
 
Registered: Mar 2008
Location: Disney World
Distribution: CentOS
Posts: 50

Rep: Reputation: 15
evolution with iptables


hello,

I have a server with firewall, iptables and proxy settings.
Evolution is configured; I can send mail to my Gmail account. POP forwarding is enabled in the Gmail account, but I can't fetch mail from the Gmail account. In the script it is added:

#For pop3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT

It shows the error "could not connect to pop.gmail.com, connection time out".
What is the problem?
thanks in advance

Last edited by cool47; 05-29-2008 at 05:41 PM.
 
Old 05-29-2008, 06:46 PM   #2
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
Please let us know a little more. The rule you posted will allow packets for POP3 to be received by your firewall, if a previous rule does not cause the packet to be discarded. It would be useful to know what the whole INPUT chain looks like. You can show it with the command
Code:
 # iptables -nvL INPUT
Let us suppose that the firewall rule is correct and correctly placed, pending your report on the full chain.

Is Evolution running on the firewall machine or on another one? If it is on another one, have you enabled packet forwarding? What are the rules in the iptables FORWARD chain?

If Evolution is running on the same machine, what does its logfile (perhaps /var/log/maillog) say? Are there error messages there? Are there any lines in the syslog file (/var/log/messages ?)? What distribution and what version of the OS are you running? These details will allow us a better chance of actually diagnosing the trouble with you.
 
Old 05-29-2008, 06:51 PM   #3
tommyr1216
Member
 
Registered: Sep 2004
Location: Pennsylvania
Distribution: Gentoo, Suse, Fedora, Slackware
Posts: 56

Rep: Reputation: 15
The INPUT table is for incoming connections. You would want to modify the OUTPUT table instead. Change your command to:

iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT

(that's all assuming that your OUTPUT policy is not ACCEPT and that you don't have any other rules preventing this connection. If that's the case, post your entire iptables script so we can investigate further.)
 
Old 05-29-2008, 08:08 PM   #4
cool47
Member
 
Registered: Mar 2008
Location: Disney World
Distribution: CentOS
Posts: 50

Original Poster
Rep: Reputation: 15
here it is:

#!/bin/sh

SQUID_SERVER="192.168.213.129" # squid server IP

INTERNET="eth0" # Interface connected to Internet
LAN_IN="eth1" # Interface connected to LAN

SQUID_PORT="3128" # Squid port

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -i $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

#for pop3 to download mail
iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Last edited by cool47; 05-29-2008 at 08:09 PM.
 
Old 05-29-2008, 09:36 PM   #5
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
Well, there are a couple of things that I think we should clear up. First of all, we should clear up the question of whether any process could reach pop.gmail.com. From where my systems connect to the internet, this DNS name resolves to 209.85.147.109 and 209.85.147.111. Can you ping either of these addresses and get a response? If so, can you then ping pop.gmail.com and get a response?

From your firewall script, I guess that you will not be able to get the second experiment to work, but that is uncertain, as some systems have automatic ways of punching holes through the firewall for DNS traffic. If you could post the actual rules, rather than the script which generates them, it would be instructive.

Part way down in your script, a comment says that you are going to allow UDP, DNS and passive FTP traffic, but the rule just below that does not do exactly that. It allows packets received in reply to connection requests initiated either on the firewall or on machines on the LAN behind the firewall, and would permit an active FTP as well as a passive FTP connection, if the control channel was set up from behind the firewall or on the firewall machine. I am not entirely sure if it will allow DNS exchanges begun from behind the firewall (these are, in fact, UDP packets).

BTW, since your OUTPUT chain policy is ACCEPT, the rules you have specified for this chain are redundant. The only rules that would have an effect with this policy are ones that REJECT or DROP packets.

If it is possible to resolve the DNS name to an address, and to get a ping response, then I guess it might be time to do a packet trace, looking at packets that have either source or destination port 110 and TCP protocol, so that you can tell whether no packet goes out, or none returns, or one returns and is somehow misdirected.
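To make concrete what posts #3 and #5 say about the INPUT and OUTPUT chains, here is an added model, not code from the thread, of how the chains in the posted script, evaluated first-match in order, treat the packets of a POP3 fetch made from the firewall host itself. The rules are transcribed from post #4; the packet fields and the ephemeral port 40123 are constructed, and this is a simulation, not iptables.

```python
# Constructed model of the posted script's filter chains (first-match, in order).
# Simulation only, not real iptables: keys absent from a rule are wildcards.
CHAINS = {
    "INPUT": {
        "policy": "DROP",
        "rules": [
            {"in": "lo", "target": "ACCEPT"},
            {"in": "eth0", "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
            {"in": "eth1", "target": "ACCEPT"},
            {"proto": "tcp", "dport": 110, "target": "ACCEPT"},  # the rule in question
            {"target": "LOG"},
            {"target": "DROP"},
        ],
    },
    "OUTPUT": {
        "policy": "ACCEPT",
        "rules": [
            {"out": "lo", "target": "ACCEPT"},
            {"out": "eth1", "target": "ACCEPT"},
        ],
    },
}

def matches(rule, pkt):
    """True if every match field of the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        if key == "state":
            if pkt.get("state") not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt):
    """Return (verdict, where) for pkt traversing the named chain."""
    spec = CHAINS[chain]
    for idx, rule in enumerate(spec["rules"]):
        if matches(rule, pkt):
            if rule["target"] == "LOG":
                continue  # LOG is non-terminating; the next rule decides
            return rule["target"], f"rule {idx + 1}"
    return spec["policy"], "chain policy"

# Constructed packets for a fetch from pop.gmail.com; port 40123 is a made-up ephemeral port.
POP3_SYN_OUT = {"out": "eth0", "proto": "tcp", "dport": 110, "state": "NEW"}
POP3_REPLY_IN = {"in": "eth0", "proto": "tcp", "sport": 110, "dport": 40123, "state": "ESTABLISHED"}
UNSOLICITED_110 = {"in": "eth0", "proto": "tcp", "dport": 110, "state": "NEW"}
```

The outbound SYN is accepted by the OUTPUT policy and Gmail's reply by the ESTABLISHED rule, so the --dport 110 INPUT rule plays no part in fetching mail; its only effect is to accept unsolicited connections to port 110 on the firewall itself from any interface, which is worth removing if no POP3 server runs there.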