HELP Ip tables configuration for Outlook express allowing SSL port 25 and 995

KarlRojero · 11-03-2009, 02:20 AM

Hello everyone. I hope you can help me on my problem regarding allowing ports SSL 25 and 995 to pass through my iptables.

Here is my current iptables configuration.

Quote:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Masquerade and Route

#-A POSTROUTING -o eth1 -j MASQUERADE
#-A POSTROUTING -o eth0 -j MASQUERADE

# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.8 -j SNAT --to xxx.xx.xx.xx

# other desktops allowing only ports 25 and 110 on email

#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP

-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 110 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#Allow self access by loopback interface
-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT

# Accept established connections
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset

# Open HTTP and other ports
# eth1 - public
# eth0 - private
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
-P INPUT DROP
COMMIT

KarlRojero · 11-04-2009, 12:08 AM

Anyone?

win32sux · 11-04-2009, 09:57 AM

Have you tried adding a couple lines for those ports in the "Open HTTP and other ports" section?

KarlRojero · 11-04-2009, 08:11 PM

Quote:

Originally Posted by win32sux

Have you tried adding a couple lines for those ports in the "Open HTTP and other ports" section?

# Open HTTP and other ports
# eth1 - public
# eth0 - private
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT

the port 25 and 995? yes nothing happened

KarlRojero · 11-04-2009, 08:35 PM

Though the postrouted pc can actually telnet the ports

#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP

-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 110 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx

win32sux · 11-04-2009, 08:57 PM

Wait, I had interpreted this as you wanting to allow connections to this box on ports 25 and 995. That doesn't seem like it's the case now, though. This iptables box is doing NAT, right? So do you want to allow outbound (from LAN to WAN) connections to ports 25 and 995, or do you need to forward inbound connections to hosts on the LAN side? Please clarify.

KarlRojero · 11-04-2009, 10:57 PM

Quote:

Originally Posted by win32sux

Wait, I had interpreted this as you wanting to allow connections to this box on ports 25 and 995. That doesn't seem like it's the case now, though. This iptables box is doing NAT, right? So do you want to allow outbound (from LAN to WAN) connections to ports 25 and 995, or do you need to forward inbound connections to hosts on the LAN side? Please clarify.

Hello sir thank you for replying.

I want my client computer to access the port 25 and 995 only. SO that they can Download the outlook express message using my proxy as gateway.

for example

Private 192.168.1.3 Public IP 202.xx.xx.xx <==-- This is my proxy pc where my iptables reside it has public IP also

192.168.1.10 <==-- This is my Client computer that uses outlook express port 25 and 995 SSL. I use the 192.168.1.3 as a Gateway and I can telnet to ports 25 and 995 but i cant download emails.

Im thinking it has something to do with IP talbes the outlook thingy..

Im only allowing ports 25 and 995 to the client to prevent them using P2P downloaders.

I got no problem downloading OUTLOOK when i use the BOSS CONFIG

# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx

win32sux · 11-04-2009, 11:06 PM

How many interfaces do you have? Which are LAN and WAN?

win32sux · 11-04-2009, 11:15 PM

In any case, something like this is probably all you need:

Code:

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.10 -d 202.xx.xx.xx \
-m multiport --dports 25,995 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Just make sure these really are the only packets you want to forward.

Typically people will start with this objective, then realize they need other stuff (such as DNS).

KarlRojero · 11-04-2009, 11:18 PM

PRIVATE LAN
Boss interface - No Restrictions
Client/Ordinary employee Interface - Ports Allowed is 25 and 995 only. But use squid for http web browsing

Both of these interfaces are connected to my proxy server In private Lan. in which they use my proxy server as a gateway to connect outside.

win32sux · 11-04-2009, 11:43 PM

Quote:

Originally Posted by KarlRojero

PRIVATE LAN
Boss interface - No Restrictions
Client/Ordinary employee Interface - Ports Allowed is 25 and 995 only. But use squid for http web browsing

Both of these interfaces are connected to my proxy server In private Lan. in which they use my proxy server as a gateway to connect outside.

Okay so you've got three interfaces (two LAN and one WAN). You want packets arriving on one of the LAN interfaces to get forwarded, without restrictions. On the other LAN interface, you want only TCP packets with destination port 25 or 995 (and a specific destination IP) to get forwarded, and you want Squid to handle the rest. Is this correct?

KarlRojero · 11-05-2009, 12:27 AM

Quote:

Originally Posted by win32sux

Okay so you've got three interfaces (two LAN and one WAN). You want packets arriving on one of the LAN interfaces to get forwarded, without restrictions. On the other LAN interface, you want only TCP packets with destination port 25 or 995 (and a specific destination IP) to get forwarded, and you want Squid to handle the rest. Is this correct?

Yes sir this is correct.. I got no problem with squid handling the two interfaces. I mean both can connect to it.

The LAN interface without restriction is OK. Meaning i can download messages from outlook.

Quote:

# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx

Hence the other LAN interface with restriction that uses port 25 and 995 only is the one i had a problem with.

Quote:

#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx

Thank you so much for your patience I am newbie to this one.

win32sux · 11-05-2009, 09:15 AM

Okay then, this script should get you started (it does everything I described):

Code:

#!/bin/sh

IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN1_IFACE="eth1"
LAN2_IFACE="eth2"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $LAN1_IFACE -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i $LAN2_IFACE --dport 3128 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN1_IFACE -o $WAN_IFACE -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN2_IFACE -o $WAN_IFACE -d 202.xx.xx.xx \
-m multiport --dports 25,995 -m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE