LinuxQuestions.org


yoyoman0606 12-02-2010 10:21 PM

rules port 25 and port 110
 
Hi Everyone,

I have set up my CentOS 3.9 proxy server with Shorewall.
However, I fail to send or receive any email in my Outlook Express.
After checking, it seems ports 25 and 110 are blocked by the Shorewall rules.

But I can't figure out what went wrong.
Can anyone please give me some advice?

thanks.

Below are the rules.

ACCEPT loc $FW udp 137:139 #samba
ACCEPT loc $FW tcp 137,139 #samba
ACCEPT loc $FW udp 1024: 137 #samba
ACCEPT loc $FW tcp 8080
ACCEPT loc $FW tcp 443
ACCEPT loc $FW tcp 23
ACCEPT loc $FW tcp 10000
ACCEPT loc $FW tcp 20000
ACCEPT loc $FW tcp domain
ACCEPT loc $FW udp domain
ACCEPT loc $FW icmp 8
ACCEPT $FW loc icmp 8
ACCEPT $FW loc udp 137:139 #samba
ACCEPT $FW loc tcp 137,139
ACCEPT $FW loc udp 1024: 137
ACCEPT $FW net tcp www
ACCEPT $FW net tcp https
ACCEPT $FW net tcp domain
ACCEPT $FW net udp domain
ACCEPT $FW net icmp 8
ACCEPT net $FW tcp www
ACCEPT loc net tcp smtp
ACCEPT loc net tcp pop3
ACCEPT loc net icmp 8
ACCEPT loc net tcp - ftp
ACCEPT loc net tcp - ftp-data
ACCEPT loc net tcp ftp
ACCEPT loc net tcp ftp-data
ACCEPT loc net tcp 1723 #VPN
ACCEPT loc $FW tcp 110
ACCEPT loc $FW tcp 25
ACCEPT loc net 47
ACCEPT loc net tcp 1024:
ACCEPT loc net udp 33435:33535 -
ACCEPT loc net tcp 1863
ACCEPT loc net tcp 5000:5001
ACCEPT loc net tcp 5050
ACCEPT loc net tcp 5100
ACCEPT loc net udp 5000:5010
ACCEPT loc net tcp 443
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 443
ACCEPT $FW net tcp 22
ACCEPT net loc tcp 5938 #teamviewer

gd2shoe 12-03-2010 11:24 PM

Code:

ACCEPT        loc        net        tcp        smtp
ACCEPT        loc        net        tcp        pop3
...
ACCEPT        loc        $FW        tcp        110
ACCEPT        loc        $FW        tcp        25

Pardon my shorewall, I'm beyond rusty. These are the lines that catch my attention. You have 3 locations: loc, net, and $FW. I assume your client is on the loc side and your server is on the net side. If this firewall is protecting the mail server, and your clients are at another location, you'll need to adjust your rules.

Are you sure you're using smtp and pop3? imap, imaps, ssmtp, pop3s use ports 143, 993, 465, 995 respectively. It's also possible that your upstream provider might be blocking port 25. Sometimes you can call them and ask them to open it. If they don't, sometimes you can use port 587 instead.

yoyoman0606 12-06-2010 08:04 AM

Quote:

Originally Posted by gd2shoe (Post 4180136)
Code:

ACCEPT        loc        net        tcp        smtp
ACCEPT        loc        net        tcp        pop3
...
ACCEPT        loc        $FW        tcp        110
ACCEPT        loc        $FW        tcp        25

Pardon my shorewall, I'm beyond rusty. These are the lines that catch my attention. You have 3 locations: loc, net, and $FW. I assume your client is on the loc side and your server is on the net side. If this firewall is protecting the mail server, and your clients are at another location, you'll need to adjust your rules.

Are you sure you're using smtp and pop3? imap, imaps, ssmtp, pop3s use ports 143, 993, 465, 995 respectively. It's also possible that your upstream provider might be blocking port 25. Sometimes you can call them and ask them to open it. If they don't, sometimes you can use port 587 instead.

Thanks. Your assumption is right. I have 3 locations.
But I wonder how to adjust my rules?

I'm sure I am using smtp and pop3 on port 25 and port 110. If I connect my PC to the modem without the proxy, there is no problem with my mail.
So I assume the proxy rules block port 25 and port 110.

gd2shoe 12-06-2010 08:56 PM

Try :
Code:

telnet smtp.yourmailserver.net 25
helo
quit

This should be a simple conversation between yourself and the mail server. You should get something like this:
Code:

220 smtp.yourmailserver.net ESMTP
helo
250 smtp.yourmailserver.net
quit
221 smtp.yourmailserver.net
Connection to host lost.

Then do pop3:
Code:

telnet pop3.yourmailserver.net 110
quit

This should give you something like:
Code:

+OK <12345.0123456789@pop3.yourmailserver.net>
quit
+OK

If these fail, then your firewall is interfering on 25 and/or 110. If these succeed, then the problem is something else.

gd2shoe 12-06-2010 08:57 PM

Sorry: replace "yourmailserver.net" with the appropriate servers for your email service provider.

yoyoman0606 12-08-2010 02:09 AM

Quote:

Originally Posted by gd2shoe (Post 4183003)
Sorry: replace "yourmailserver.net" with the appropriate servers for your email service provider.

I get the same error for both:
Connecting To "mymailserver.net"... could not open connection to the host, on port 25: connect failed.

I'm wondering whether it's possible that some service affecting TCP is not up? I did install Webmin and stopped some of the
actions at boot up.

Please advise, thanks.

teebones 12-08-2010 05:08 AM

1) Check if it uses 25 and 110! Not all mail servers use the standard ports; some use 587 and 995
etc. Consult the mail provider (manual/FAQ/support) for the right ports.

2) You could, just for a very short test, try to connect to the server without the firewall activated.
(Remember to do it very briefly, max 10 sec.) If it then works, it's definitely your machine blocking something (firewall block). If it still doesn't work, it's something else and not firewall related (could be a typo in the server name, or a problem at their location).

gd2shoe 12-08-2010 06:42 PM

Ok, so if you connect directly to the modem, you have no problem. If you're behind the firewall, you cannot telnet your mail server on 25/110. That does sound like it's being blocked. (We're still assuming you're indeed using 25/110, and that you could successfully telnet those if you were directly connected.)

This one could be tricky. It would help to give us any and all information you feel comfortable sharing. (This is a firewall, so I can understand some reticence.) Such as:
Code:

ifconfig
cat /etc/shorewall/zones
cat /etc/shorewall/interfaces
cat /etc/shorewall/policy
cat /etc/shorewall/hosts

I don't think there's a problem with your rules (though you probably have too many), but maybe you have your interfaces switched?

Also make sure your internal machine has an IP address ("ifconfig") and route ("route -n"). Let us know if you have a DHCP server set up on your firewall.

chrism01 12-08-2010 11:49 PM

Just FYI, 3.x is out of support at RH https://access.redhat.com/support/po...pdates/errata/, except for those who pay extra for Extended support at RH.
Not sure how this affects the CentOS clone...

yoyoman0606 12-14-2010 03:57 AM

Quote:

Originally Posted by gd2shoe (Post 4185297)
Ok, so if you connect directly to the modem, you have no problem. If you're behind the firewall, you cannot telnet your mail server on 25/110. That does sound like it's being blocked. (We're still assuming you're indeed using 25/110, and that you could successfully telnet those if you were directly connected.)

This one could be tricky. It would help to give us any and all information you feel comfortable sharing. (This is a firewall, so I can understand some reticence.) Such as:
Code:

ifconfig
cat /etc/shorewall/zones
cat /etc/shorewall/interfaces
cat /etc/shorewall/policy
cat /etc/shorewall/hosts

I don't think there's a problem with your rules (though you probably have too many), but maybe you have your interfaces switched?

Also make sure you're internal machine has an IP ("ifconfig") address and route ("route -n"). Let us know if you have a DHCP server setup on your firewall.

What is route -n? DHCP server?? I don't think I set one up on my firewall.

Below are my settings.

# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/sh...nterfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect
net eth0 detect



#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT CONNLIMIT:
# LEVEL BURST MASK
loc net REJECT
net all DROP info
ALL all REJECT info



#
# Shorewall version 4 - Hosts file
#
# For information about entries in this file, type "man shorewall-hosts"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
#ZONE HOST(S) OPTIONS

gd2shoe 12-14-2010 04:55 PM

"ifconfig" shows how the interfaces are setup, including the associated IP addresses.
"route -n" shows how the system's routing table is set up, by IP address.

DHCP is the protocol that automatically assigns IP addresses. Unless you've manually set IP addresses (recommended on your firewall), each machine needs to have a DHCP server on its immediate physical network. That service assigns IP addresses and tells computers where to send data to reach the Internet. Without it, your internal computers might be able to talk to one another if they guess 169.*.*.* addresses, but they won't be able to send data beyond the local area network.

I suggest adding the "routefilter" option to your interface file, line "eth0". This prevents certain attacks, and is included in the Shorewall intro sample.

(You appear to have no rule between loc and net allowing http, yet you have a rule between net and $FW permitting tcp port 80. I'm not sure what you're doing here...)

Things look ok, generally. I have to ask, though, can your client system access the Internet at all when it's behind the firewall? Shorewall could be perfectly fine, but you'll still be offline if you have an IP or DHCP problem. It might be wise to reset the modem when plugging it back into the firewall. (If it's a cable modem, it might be required.)

(part of why I asked for "ifconfig" and "route -n"; you'll also want to check the client machine. If it's running Windows, you'll want "ipconfig" or find the adapter, right click-> status-> support.)
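To make the zone and port logic above concrete (why an ACCEPT for loc to $FW on 25/110 says nothing about loc to net, why loc to net http falls to the policy, and what happens if the provider actually uses 587/995 as teebones raised), here is an added example that is not code from the thread or from Shorewall itself: a small Python evaluator that applies a subset of yoyoman0606's posted rules and the posted policy file to a flow the way Shorewall decides it, first matching rule wins, otherwise the first matching policy entry. The SERVICES map and the padding of missing columns are assumptions.

```python
# Added example, not code from the thread or from Shorewall: decide a flow
# the way Shorewall does (first matching rule wins, otherwise first policy).
SERVICES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443,
            "domain": 53, "ftp": 21, "ftp-data": 20}   # names used in the thread
RULES = """
ACCEPT loc net tcp smtp
ACCEPT loc net tcp pop3
ACCEPT loc net tcp - ftp
ACCEPT loc $FW tcp 110
ACCEPT loc $FW tcp 25
ACCEPT loc net tcp 1024:
"""                                  # subset of yoyoman0606's posted rules
POLICY = """
loc net REJECT
net all DROP info
ALL all REJECT info
"""                                  # the policy file posted in the thread

def _zone(z):
    return "fw" if z == "$FW" else z.lower()

def _port_match(spec, port):
    # spec is '-', a service name, a port, 'lo:hi', 'lo:' or a comma list
    if spec == "-":
        return True
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        lo = int(SERVICES.get(lo, lo))
        hi = (int(SERVICES.get(hi, hi)) if hi else 65535) if sep else lo
        if lo <= port <= hi:
            return True
    return False

def verdict(src, dst, proto, dport, sport=None):
    """Return (action, matching line) for a src-zone -> dst-zone flow."""
    src, dst = _zone(src), _zone(dst)
    for line in RULES.strip().splitlines():
        f = line.split("#")[0].split() + ["-"] * 6    # pad missing columns
        action, rs, rd, rp, rdp, rsp = f[:6]
        if (_zone(rs), _zone(rd)) != (src, dst) or rp not in ("-", proto):
            continue
        if not _port_match(rdp, dport):
            continue
        if rsp != "-" and (sport is None or not _port_match(rsp, sport)):
            continue                  # rule also constrains the source port
        return action, line
    for line in POLICY.strip().splitlines():
        ps, pd, pol = line.split()[:3]
        if ps.lower() in ("all", src) and pd.lower() in ("all", dst):
            return pol, line
    return "NONE", ""
```

With these files, verdict("loc", "net", "tcp", 587) and verdict("loc", "net", "tcp", 80) both land on the "loc net REJECT" policy, while tcp/25 and tcp/110 from loc to net are accepted by the smtp and pop3 rules.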

yoyoman0606 12-14-2010 09:40 PM

Quote:

Originally Posted by gd2shoe (Post 4191530)
"ifconfig" shows how the interfaces are setup, including the associated IP addresses.
"route -n" shows how the system's routing table is set up, by IP address.

I suggest adding the "routefilter" option to your interface file, line "eth0". This prevents certain attacks, and is included in the Shorewall intro sample.

(You appear to have no rule between loc and net allowing http, yet you have a rule between net and $FW permitting tcp port 80. I'm not sure what you're doing here...)

Things look ok, generally. I have to ask, though, can your client system access the Internet at all when it's behind the firewall? Shorewall could be perfectly fine, but you'll still be offline if you have an IP or DHCP problem. It might be wise to reset the modem when plugging it back into the firewall. (If it's a cable modem, it might be required.)

I actually followed one of my friend's guides. So far, I still don't fully understand which rules are really needed and which are not.
I'm using Squid to allow the specified client IPs to browse the internet using port 8080, so those clients can browse the internet perfectly. But Outlook Express fails to download or send mail through ports 25 and 110.

Below are the ifcfg files for eth0 and eth1. From these, I'm wondering, am I missing anything else?...broadcast???

DEVICE=eth0
BOOTPROTO=static
HWADDR=00:26:5A:EB:60:6C
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=10.170.43.66
USERCTL=no
PEERDNS=yes
GATEWAY=10.170.43.65

DEVICE=eth1
BOOTPROTO=static
HWADDR=00:11:09:18:86:D3
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.0.0
IPADDR=10.1.124.102
USERCTL=no
PEERDNS=yes

thanks

gd2shoe 12-14-2010 11:38 PM

So your client system can reach the web through a proxy? That's good. Make certain your client system is set to treat the firewall system as its Gateway (ie 10.1.124.102). Just because it can reach the firewall doesn't mean that it knows it can find the Internet there.

yoyoman0606 12-15-2010 12:59 AM

Quote:

Originally Posted by gd2shoe (Post 4191877)
So your client system can reach the web through a proxy? That's good. Make certain your client system is set to treat the firewall system as its Gateway (ie 10.1.124.102). Just because it can reach the firewall doesn't mean that it knows it can find the Internet there.

Yup, my client can reach the web through the proxy. So, what can I do next? Do you have any idea?

gd2shoe 12-15-2010 03:35 AM

And... What is the gateway set to on the client? (By the by, what OS is running on the client system?)

