rules port 25 and port 110
Hi Everyone,
I have set up my CentOS 3.9 proxy server with Shorewall. However, I fail to send or receive any email in my Outlook Express. After checking, port 25 and port 110 are blocked by the Shorewall rules, but I can't figure out where it goes wrong. Can anyone please give me some advice? Thanks. Below are the rules.

Code:
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)
ACCEPT   loc     $FW   udp    137:139                      #samba
ACCEPT   loc     $FW   tcp    137,139                      #samba
ACCEPT   loc     $FW   udp    1024:         137            #samba
ACCEPT   loc     $FW   tcp    8080
ACCEPT   loc     $FW   tcp    443
ACCEPT   loc     $FW   tcp    23
ACCEPT   loc     $FW   tcp    10000
ACCEPT   loc     $FW   tcp    20000
ACCEPT   loc     $FW   tcp    domain
ACCEPT   loc     $FW   udp    domain
ACCEPT   loc     $FW   icmp   8
ACCEPT   $FW     loc   icmp   8
ACCEPT   $FW     loc   udp    137:139                      #samba
ACCEPT   $FW     loc   tcp    137,139
ACCEPT   $FW     loc   udp    1024:         137
ACCEPT   $FW     net   tcp    www
ACCEPT   $FW     net   tcp    https
ACCEPT   $FW     net   tcp    domain
ACCEPT   $FW     net   udp    domain
ACCEPT   $FW     net   icmp   8
ACCEPT   net     $FW   tcp    www
ACCEPT   loc     net   tcp    smtp
ACCEPT   loc     net   tcp    pop3
ACCEPT   loc     net   icmp   8
ACCEPT   loc     net   tcp    -             ftp
ACCEPT   loc     net   tcp    -             ftp-data
ACCEPT   loc     net   tcp    ftp
ACCEPT   loc     net   tcp    ftp-data
ACCEPT   loc     net   tcp    1723                         #VPN
ACCEPT   loc     $FW   tcp    110
ACCEPT   loc     $FW   tcp    25
ACCEPT   loc     net   47
ACCEPT   loc     net   tcp    1024:
ACCEPT   loc     net   udp    33435:33535   -
ACCEPT   loc     net   tcp    1863
ACCEPT   loc     net   tcp    5000:5001
ACCEPT   loc     net   tcp    5050
ACCEPT   loc     net   tcp    5100
ACCEPT   loc     net   udp    5000:5010
ACCEPT   loc     net   tcp    443
ACCEPT   net     $FW   tcp    22
ACCEPT   net     $FW   tcp    80
ACCEPT   net     $FW   tcp    443
ACCEPT   $FW     net   tcp    22
ACCEPT   net     loc   tcp    5938                         #teamviewer
Code:
ACCEPT loc net tcp smtp

Are you sure you're using SMTP and POP3? IMAP, IMAPS, SSMTP and POP3S use ports 143, 993, 465 and 995 respectively. It's also possible that your upstream provider is blocking port 25. Sometimes you can call them and ask them to open it. If they don't, sometimes you can use port 587 instead.
Quote:
But I wonder how to adjust my rules? I'm sure I am using SMTP and POP3 on port 25 and port 110. If I connect my PC to the modem without the proxy, there is no problem with my mail. So I assume the proxy rules block port 25 and port 110.
Try:

Code:
telnet smtp.yourmailserver.net 25

Code:
220 smtp.yourmailserver.net ESMTP

Code:
telnet pop3.yourmailserver.net 110

Code:
+OK <12345.0123456789@pop3.yourmailserver.net>
Sorry: replace "yourmailserver.net" with the appropriate servers for your email service provider.
Quote:
Code:
Connecting To "mymailserver.net"... Could not open connection to the host, on port 25: Connect failed.

I'm wondering whether any service that affects TCP is not up? I did install Webmin and stopped some of the services from starting at boot. Please advise, thanks.
1) Check if it uses 25 and 110! Not all mail servers use the standard ports; some use 587 and 995, etc. Consult the mail provider (manual/FAQ/support) for the right ports.

2) You could, just for a very short test, try to connect to the server without the firewall activated (remember to do it very briefly, max 10 sec). If it then works, it's definitely your machine blocking something (firewall block). If it still doesn't work, it's something else and not firewall related (could be a typo in the server name, or a problem at their location).
OK, so if you connect directly to the modem, you have no problem. If you're behind the firewall, you cannot telnet to your mail server on 25/110. That does sound like it's being blocked. (We're still assuming you're indeed using 25/110, and that you could successfully telnet to those if you were directly connected.)

This one could be tricky. It would help to give us any and all information you feel comfortable sharing. (This is a firewall, so I can understand some reticence.) Such as:

Code:
ifconfig

Also make sure your internal machine has an IP address ("ifconfig") and a route ("route -n"). Let us know if you have a DHCP server set up on your firewall.
Just FYI, 3.x is out of support at RH (https://access.redhat.com/support/po...pdates/errata/), except for those who pay extra for Extended Support at RH.
Not sure how this affects the CentOS clone...
Below are my settings.

Code:
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE      OPTIONS   IN        OUT
#                           OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4

Code:
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/sh...nterfaces.html
#
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth1        detect
net     eth0        detect

Code:
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE   DEST   POLICY   LOG     LIMIT   CONNLIMIT:
#                         LEVEL   BURST   MASK
loc       net    REJECT
net       all    DROP     info
ALL       all    REJECT   info

Code:
# Shorewall version 4 - Hosts file
#
# For information about entries in this file, type "man shorewall-hosts"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
#ZONE   HOST(S)   OPTIONS
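The posts above rely on two things that are easy to misread when the rules are in one long line: Shorewall scans the rules file top to bottom and the first matching entry wins, and only when no rule matches does the policy file decide (again first match on SOURCE/DEST). The fifth column is the destination port and the sixth is the source port, so an entry like "ACCEPT loc net tcp - ftp" matches any destination port as long as the source port is 21. The following Python evaluator is an added example, not code from the thread or from Shorewall; it models exactly that evaluation order over a constructed subset of the posted rules and policy. The SERVICES table is an assumption standing in for /etc/services, and the "fw" zone name is taken from the posted zones file. Under this model, port 587 from loc to net falls through to the "loc net REJECT" policy because no posted rule lists it, which matters if the provider turns out to use the submission port.

```python
"""Added example: evaluate a flow against Shorewall-style rules and policy tables.

Evaluation order modelled here: rules file top to bottom, first match wins;
if no rule matches, the first policy line whose SOURCE/DEST match decides.
RULES and POLICY are a constructed subset of what was posted in the thread.
"""

# Assumption: this table stands in for /etc/services, which Shorewall uses to
# resolve names such as "smtp" and "pop3" in the port columns.
SERVICES = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
    "domain": 53, "www": 80, "http": 80, "pop3": 110, "imap": 143,
    "https": 443, "ssmtp": 465, "submission": 587, "imaps": 993, "pop3s": 995,
}

FW_ZONE = "fw"  # $FW in the rules file refers to the firewall zone from the zones file


def _port(token):
    """Resolve a service name or numeric string to an integer port."""
    return SERVICES[token] if token in SERVICES else int(token)


def port_matches(spec, port):
    """Port column semantics: '-' = any; 'a,b' = list; 'lo:hi', 'lo:' and ':hi' = ranges."""
    if spec == "-":
        return True
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            lo = _port(lo) if lo else 1
            hi = _port(hi) if hi else 65535
            if lo <= port <= hi:
                return True
        elif _port(item) == port:
            return True
    return False


def zone_matches(spec, zone):
    """'all' matches every zone; '$FW' is an alias for the firewall zone."""
    return spec == "all" or spec.replace("$FW", FW_ZONE) == zone


def parse_table(text, ncols):
    """Drop comments and blank lines; keep the first ncols columns, padding with '-'."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            cols = line.split()[:ncols]
            rows.append(cols + ["-"] * (ncols - len(cols)))
    return rows


def evaluate(rules_text, policy_text, src, dst, proto, dport=None, sport=None):
    """Return (verdict, deciding entry). For icmp, dport carries the ICMP type."""
    # rules columns: ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S)
    for cols in parse_table(rules_text, 6):
        action, rsrc, rdst, rproto, rdport, rsport = cols
        if not (zone_matches(rsrc, src) and zone_matches(rdst, dst)):
            continue
        if rproto != "-" and rproto != proto:
            continue
        if rdport != "-" and (dport is None or not port_matches(rdport, dport)):
            continue
        if rsport != "-" and (sport is None or not port_matches(rsport, sport)):
            continue
        return action, " ".join(cols)
    # policy columns: SOURCE DEST POLICY (the LOG LEVEL column is ignored here)
    for psrc, pdst, policy in parse_table(policy_text, 3):
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return policy, "policy %s %s %s" % (psrc, pdst, policy)
    raise ValueError("no policy covers %s -> %s" % (src, dst))


RULES = """\
# Constructed subset of the posted rules (ACTION SOURCE DEST PROTO DPORT SPORT)
ACCEPT  loc  $FW  udp   1024:  137   #samba
ACCEPT  loc  $FW  tcp   8080
ACCEPT  loc  $FW  tcp   domain
ACCEPT  $FW  net  tcp   www
ACCEPT  $FW  net  tcp   https
ACCEPT  $FW  net  tcp   domain
ACCEPT  net  $FW  tcp   www
ACCEPT  loc  net  tcp   smtp
ACCEPT  loc  net  tcp   pop3
ACCEPT  loc  net  icmp  8
ACCEPT  loc  net  tcp   -      ftp
ACCEPT  loc  net  tcp   ftp
ACCEPT  loc  net  47
ACCEPT  loc  net  tcp   1024:
ACCEPT  loc  net  tcp   443
ACCEPT  net  $FW  tcp   22
"""

POLICY = """\
# Constructed copy of the posted policy (SOURCE DEST POLICY LOG-LEVEL)
loc  net  REJECT
net  all  DROP    info
all  all  REJECT  info
"""


def check(src, dst, proto, dport=None, sport=None):
    """Evaluate one flow against the sample RULES and POLICY above."""
    return evaluate(RULES, POLICY, src, dst, proto, dport, sport)


if __name__ == "__main__":
    flows = [
        ("loc", "net", "tcp", 25),    # Outlook Express sending mail
        ("loc", "net", "tcp", 110),   # Outlook Express fetching mail
        ("loc", "net", "tcp", 587),   # submission port suggested in the thread
        ("fw", "net", "tcp", 25),     # telnet run on the firewall box itself
        ("net", "loc", "tcp", 25),    # unsolicited inbound from the Internet
    ]
    for flow in flows:
        verdict, entry = check(*flow)
        print("%s -> %s %s/%s: %s via [%s]" % (flow + (verdict, entry)))
```

Run it as a script to see which entry decides each flow; the loc to net 25 and 110 flows are accepted by the smtp and pop3 entries, loc to net 587 and the firewall's own outbound 25 fall through to REJECT policies, and inbound net to loc hits the DROP policy. To test a real rule set, paste the full contents of /etc/shorewall/rules and /etc/shorewall/policy into RULES and POLICY; the parser ignores comments, so the file headers can stay.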
"ifconfig" shows how the interfaces are setup, including the associated IP addresses.
"route -n" shows how the systems routing table is setup, by IP address. DHCP is the protocol that automatically assigns IP addresses. Unless you've manually set IP addresses (recommended on your firewall), each machine needs to have a DHCP server on it's immediate physical network. That service assigns IP addresses and tells computers where to send data to reach the Internet. Without it, your internal computers might be able to talk to one another if they guess 169.*.*.* addresses, but they won't be able to send data beyond the local area network. I suggest adding the "routefilter" option to your interface file, line "eth0". This prevents certain attacks, and is included in the Shorewall intro sample. (You appear to have no rule between loc and net allowing http, yet you have a rule between net and $FW permitting tcp port 80. I'm not sure what you're doing here...) Things look ok, generally. I have to ask, though, can your client system can access the Internet at all when it's behind the firewall? Shorewall could be perfectly fine, but you'll still be offline if you have an IP or DHCP problem. It might be wise to reset the modem when plugging it back into the firewall. (If it's a cable modem, it might be required.) (part of why I asked for "ifconfig" and "route -n"; you'll also want to check the client machine. If it's running Windows, you'll want "ipconfig" or find the adapter, right click-> status-> support.) |
Quote (gd2shoe):
"ifconfig" shows how the interfaces are set up, including the associated IP addresses. "route -n" shows how the system's routing table is set up, by IP address. I suggest adding the "routefilter" option to your interfaces file, on the "eth0" line. This prevents certain attacks, and is included in the Shorewall intro sample. (You appear to have no rule between loc and net allowing http, yet you have a rule between net and $FW permitting tcp port 80. I'm not sure what you're doing here...) Things look OK, generally. I have to ask, though: can your client system access the Internet at all when it's behind the firewall? Shorewall could be perfectly fine, but you'll still be offline if you have an IP or DHCP problem. It might be wise to reset the modem when plugging it back into the firewall. (If it's a cable modem, it might be required.)

I actually followed one of my friend's guides. So far, I still don't fully understand which rules are really needed and which are not. I'm using Squid to allow the specified client IPs to browse the Internet using port 8080, so those clients can browse the Internet perfectly. But Outlook Express fails to download or send mail through ports 25 and 110. Below are the ifcfg files for eth0 and eth1. From the below, I'm wondering whether I am missing anything else... broadcast???

Code:
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:26:5A:EB:60:6C
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=10.170.43.66
USERCTL=no
PEERDNS=yes
GATEWAY=10.170.43.65

Code:
DEVICE=eth1
BOOTPROTO=static
HWADDR=00:11:09:18:86:D3
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.0.0
IPADDR=10.1.124.102
USERCTL=no
PEERDNS=yes

Thanks.
So your client system can reach the web through a proxy? That's good. Make certain your client system is set to treat the firewall system as its gateway (i.e. 10.1.124.102). Just because it can reach the firewall doesn't mean that it knows it can find the Internet there.
And... What is the gateway set to on the client? (By the by, what OS is running on the client system?)