LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-11-2006, 10:59 AM   #1
ciberrust
Member
 
Registered: Dec 2003
Location: AUS
Distribution: CentOs, OpenSuse, Ubuntu, Leopard :D
Posts: 97
Iptables and mail server


Hello, I have 1 computer that serves as a router. It has 2 NICs, one that comes from the cable modem and the other to a switch. The server is a DHCP server, DNS and also a router; all that is OK, I can browse on the other PCs with DHCP. Now... I also set up a mail server using CommuniGate (sending mail seems to be too hard for me); I'm using the trial version that puts a header on all the messages...

and I have this firewall setup
--------------------------------------------------------------------------------------------------

#!/bin/sh
#
# initialize firewall
#

echo Flushing old firewall settings
# "iptables -F" flushes only the filter table; the nat table keeps its old
# DNAT/MASQUERADE rules on every re-run, so flush it explicitly as well
iptables -F
iptables -t nat -F
echo Starting firewall...


#DHCP Internet and Connection Sharing Script

# Use Ports as 22 [ssh]
# /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp --dport 1400 -j ACCEPT
# Port forwards from the cable-modem side (eth0) to the LAN host 192.168.0.2
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 555 -j DNAT --to 192.168.0.2:555
/sbin/iptables -A PREROUTING -t nat -p udp -i eth0 --dport 555 -j DNAT --to 192.168.0.2:555
/sbin/iptables -A FORWARD -p tcp --destination-port 555 -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 411 -j DNAT --to 192.168.0.2:411
/sbin/iptables -A FORWARD -p tcp --destination-port 411 -j ACCEPT

#localhost 127.0.0.1 and icmp
/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# ICMP: only replies to pings the router itself sent are accepted
/sbin/iptables -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#Net Sharing
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Replies to connections the router itself opened
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A INPUT -i lo -j ACCEPT
# Anything not matched above is logged (from every interface), then dropped
# if it arrived on eth0. Rules appended after the DROP never see eth0 traffic.
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
/sbin/iptables -A INPUT -i eth0 -j DROP
#Add your additional rule here
# Second MASQUERADE rule, for 192.168.1.0/24 (the DNAT targets above are in 192.168.0.x)
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE


# Some output
echo Firewall loaded
iptables -L

----------------------------------------------------------------------------------------------------

Flushing old firewall settings
Starting firewall...
Firewall loaded
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localhost localhost
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning prefix `ATTACK'
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:555
ACCEPT tcp -- anywhere anywhere tcp dpt:411
ACCEPT all -- localhost localhost

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localhost localhost
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED

Chain tcp_packets (0 references)
target prot opt source destination


----------------------------------------------------------------------------------------------------

Now my question is... when I start the firewall I can't receive any mail. I've tried

iptables -A INPUT -p tcp --sport 25 -j ACCEPT

and

iptables -A INPUT -p tcp --dport 25 -j ACCEPT

No go...
So what I need is to set up a line in the firewall that allows me to send and receive email, without losing all the other functions like DHCP or NAT, stuff like that...

thanx in advance
 
Old 04-11-2006, 04:42 PM   #2
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 546
Well, I can't understand much of what you wrote, ... and what are your default INPUT, OUTPUT and FORWARD policy options? Anyway I advise you, for a good firewall, to use a DROP policy for all chains. Then remember this: all that is not explicitly allowed has to be DROPPED, and collect documentation about connection tracking. Then look:
IPT=/sbin/iptables
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -A PREROUTING -p tcp -d gateway.host --dport 25 -j DNAT --to mail.server.in.lan:25
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -d mail.server.in.lan -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# mail.server.in.lan
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
What is that 555? And 1400?
For DHCP use:
$IPT -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
If you have a router before the Linux gateway you have to enable port 25 on the router firewall as well, pointing to the Linux box right behind it, but you have a USB modem, right?!
Anyway I'm going far with fantasy; you should give more details about the configuration of your network. If you use a Linux box with 2 eths as a router and need to do NAT, go to my thread still on linuxquestions.org (http://www.linuxquestions.org/questi...d.php?t=432996) where there is the firewall script I'm using. Enjoy Deb!
GGG - napoli -

Last edited by gabsik; 04-11-2006 at 05:11 PM.
 
Old 04-12-2006, 03:01 PM   #3
abhi.b
LQ Newbie
 
Registered: Apr 2006
Posts: 12
Is your CommuniGate mail server behind this router / gw Linux device?
 
Old 04-15-2006, 10:59 PM   #4
ciberrust
Member
 
Registered: Dec 2003
Location: AUS
Distribution: CentOs, OpenSuse, Ubuntu, Leopard :D
Posts: 97

Original Poster
Here it is: http://www.geocities.com/charlee_peluca/fc3.gif
OK, that is the setup I have...

And now the question is how do I configure iptables to get CommuniGate to send and receive emails, and not lose any other service; in other words, to open the ports needed by the mail server, so I can be more protected but still receive and send emails... Also I need to use 1 account from outside...

thanx again
 
Old 04-17-2006, 05:21 AM   #5
jsosic
LQ Newbie
 
Registered: Mar 2006
Location: Split
Distribution: Debian and Gentoo
Posts: 8
First of all, please make sure that the mail server works when the firewall is down!

Second, I still don't understand whether your mail server is running on one of your LAN computers (connected to the switch), or on the NAT/DHCP router/server machine?!

Because those are two very different things. If it's in the LAN, then you have to forward (DNAT) port 25 to it, and if it's on your router, then a basic -A INPUT -p tcp --dport 25 should do it.

I see you DNAT 555/411, allow lo & icmp, do MASQUERADE TWICE, and allow related,established connections in the input table. You know that if you wish to accept 25, the rule must be placed BEFORE your only DROP in the script?
 
Old 04-20-2006, 10:45 AM   #6
ciberrust
Member
 
Registered: Dec 2003
Location: AUS
Distribution: CentOs, OpenSuse, Ubuntu, Leopard :D
Posts: 97

Original Poster
Quote:
Originally Posted by jsosic
First of all, please make sure that the mail server works when the firewall is down!

Second, I still don't understand whether your mail server is running on one of your LAN computers (connected to the switch), or on the NAT/DHCP router/server machine?!

Because those are two very different things. If it's in the LAN, then you have to forward (DNAT) port 25 to it, and if it's on your router, then a basic -A INPUT -p tcp --dport 25 should do it.

I see you DNAT 555/411, allow lo & icmp, do MASQUERADE TWICE, and allow related,established connections in the input table. You know that if you wish to accept 25, the rule must be placed BEFORE your only DROP in the script?
OK, yes, the mail server works with the firewall down.
The mail server is running on the NAT/DHCP router/server machine.
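Putting jsosic's points together for the setup confirmed in post #6 (mail server on the router itself), the following is an added example script, not the poster's script and not from any reply: the SMTP ACCEPT sits before the LOG/DROP pair, the nat table is flushed as well as the filter table, and there is a single MASQUERADE. It assumes eth0 faces the cable modem, eth1 faces the LAN switch, the LAN is 192.168.0.0/24 (matching the DNAT target above; the 192.168.1.0/24 rule is taken as a typo), and that the router's DHCP and DNS only need to be reachable from the LAN side; the DNS rules and the dry-run self-check are additions of this example.

```sh
#!/bin/sh
# Added example, not the poster's script. Assumptions: eth0 faces the cable
# modem, eth1 the LAN switch, the LAN is 192.168.0.0/24, and the mail server
# runs on this router. Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"

load_firewall() {
    # Plain "iptables -F" flushes only the filter table; flush nat as well
    $IPT -F
    $IPT -t nat -F

    # Loopback and replies to connections the router already tracks
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound SMTP to the mail server on this box: must come BEFORE the
    # LOG/DROP pair below, because iptables stops at the first match.
    # Outbound mail needs no extra rule while the OUTPUT policy stays ACCEPT.
    $IPT -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # DHCP and DNS for the LAN, accepted on the LAN side only
    $IPT -A INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    $IPT -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT

    # Everything else arriving from the internet is logged, then dropped
    $IPT -A INPUT -i eth0 -j LOG --log-level 4 --log-prefix "ATTACK "
    $IPT -A INPUT -i eth0 -j DROP

    # One MASQUERADE rule, for the subnet the LAN actually uses
    $IPT -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
}

# Self-check on a dry run: the SMTP ACCEPT must be listed before the eth0
# DROP. Returns 0 when the order is right, 1 otherwise.
smtp_before_drop() {
    rules=$(IPT=echo load_firewall)
    accept=$(printf '%s\n' "$rules" | grep -n -- '--dport 25' | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -i eth0 -j DROP' | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ]
}

# As root, after "echo 1 > /proc/sys/net/ipv4/ip_forward", run: load_firewall
```

Run it with `IPT=echo` first to review the rule order on screen; a misplaced accept is much easier to spot there than in `iptables -L` output.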
 