LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-12-2004, 03:56 PM   #1
zepplin611
Member
 
Registered: Jan 2004
Distribution: AIX 4.3 RH 7,8,9 / Fedora C1/
Posts: 187

Rep: Reputation: 30
iptables letting sendmail work


Greetings,

I have the following iptables applied to a Fedora C1 Box:

# Generated by iptables-save v1.2.8 on Thu Jul 8 16:12:45 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Jul 8 16:12:45 2004
# Generated by iptables-save v1.2.8 on Thu Jul 8 16:12:45 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*********************

How do I allow email messages to arrive at users' boxes while keeping the above tightly closed machine status?

thanks!!!
 
Old 07-12-2004, 04:39 PM   #2
Ztyx
Member
 
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338

Rep: Reputation: 30
Code:
# Generated by iptables-save v1.2.8 on Thu Jul 8 16:12:45 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Jul 8 16:12:45 2004
# Generated by iptables-save v1.2.8 on Thu Jul 8 16:12:45 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
Just add the line I added above (`-A INPUT -p tcp --dport 25 -j ACCEPT`). Should probably work.
 
Old 07-12-2004, 04:55 PM   #3
zepplin611
Member
 
Registered: Jan 2004
Distribution: AIX 4.3 RH 7,8,9 / Fedora C1/
Posts: 187

Original Poster
Rep: Reputation: 30
Ztyx,

thanks so much for the help...this worked!!! Should I then assume that if I'm running a pop3 server on this box that I should do the same with port 110?

thanks
 
Old 07-13-2004, 04:42 AM   #4
Ztyx
Member
 
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338

Rep: Reputation: 30
Yes, exactly - you pick up very quickly
 
Old 07-13-2004, 03:41 PM   #5
zepplin611
Member
 
Registered: Jan 2004
Distribution: AIX 4.3 RH 7,8,9 / Fedora C1/
Posts: 187

Original Poster
Rep: Reputation: 30
I've got one more for you Ztyx...how about if I'm running NFS...which port(s) do I open up then?

thanks!
 
Old 07-13-2004, 09:52 PM   #6
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
A tip

Look into /etc/services. This file has all the port number to name mappings.

The ports to look at are portmap (111/udp, 111/tcp) and nfs (2049/udp, 2049/tcp).

Last edited by ppuru; 07-13-2004 at 09:55 PM.
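As an added illustration of ppuru's tip (example code written for this edit, not something posted in the thread): a small parser for the /etc/services line format, which is `name  port/proto  [aliases...]  # comment`. It is run over a constructed excerpt rather than a real system file, so the names `SERVICES_TEXT`, `parse_services` and `ports_for` are assumptions of the example. Aliases matter in practice, because the portmapper is registered under the name `sunrpc`, not `portmap`.

```python
import re
from collections import defaultdict

# Constructed excerpt in /etc/services format (not copied from any particular system).
SERVICES_TEXT = """\
# Network services, Internet style
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
smtp            25/udp          mail
pop3            110/tcp         pop-3           # POP version 3
pop3            110/udp         pop-3
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper
sunrpc          111/udp         portmapper
nfs             2049/tcp        nfsd
nfs             2049/udp        nfsd
"""

# name, port, proto, then zero or more whitespace-separated aliases.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)((?:\s+\S+)*)")


def parse_services(text):
    """Map every service name and alias to the set of (port, proto) pairs registered for it."""
    table = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in a shape we do not handle
        name, port, proto, aliases = m.groups()
        for n in [name, *aliases.split()]:
            table[n].add((int(port), proto))
    return dict(table)


def ports_for(table, *names):
    """Collect the sorted (port, proto) pairs for the named services, e.g. the NFS set."""
    found = set()
    for n in names:
        if n not in table:
            raise KeyError(f"{n!r} is not in the services table")
        found |= table[n]
    return sorted(found)


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    for port, proto in ports_for(services, "portmapper", "nfs"):
        print(f"{port}/{proto}")
```

Looking a service up by any of its names gives both transports at once, which is the list of holes ppuru describes; on a real box, run it over `/etc/services` itself and compare against what `rpcinfo -p` actually reports, since RPC services beyond nfs and portmap are not listed with fixed ports.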
 
Old 07-14-2004, 02:44 AM   #7
Ztyx
Member
 
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338

Rep: Reputation: 30
Thanks ppuru,

...also, when you add a line in your firewall script which shall allow incoming udp connection you change 'tcp' to 'udp'. Just to be clear =)
 
Old 07-14-2004, 09:46 AM   #8
zepplin611
Member
 
Registered: Jan 2004
Distribution: AIX 4.3 RH 7,8,9 / Fedora C1/
Posts: 187

Original Poster
Rep: Reputation: 30
Thanks so much for this help....this thread contains a wealth of useful info!!!!

zepplin!
 
Old 07-14-2004, 10:33 AM   #9
zepplin611
Member
 
Registered: Jan 2004
Distribution: AIX 4.3 RH 7,8,9 / Fedora C1/
Posts: 187

Original Poster
Rep: Reputation: 30
Fellow IPTABLES newbies:

to get the nfs mount to work...this is how I had to poke the hole in the firewall:

[root@s# iptables -A INPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 767

[root@s# iptables -A INPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 2049

[root@s# iptables -A INPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 111

[root@s# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 770


does this seem reasonable????
 
Old 07-14-2004, 12:29 PM   #10
Ztyx
Member
 
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338

Rep: Reputation: 30
Quite. I am not really clear why you add '--state NEW,ESTABLISHED' since that's mainly the two types there are of "packet types". I would strongly suggest that you also limit the incoming packets to the IPs which should have the ability to fetch files from your computer.
That you can do with the '-s' flag in iptables. Example:
Code:
[root@s# iptables -A INPUT -p tcp -s 192.168.0.97 -j ACCEPT --dport 767
[root@s# iptables -A INPUT -p tcp -s 192.168.0.97 -j ACCEPT --dport 2049
[root@s# iptables -A INPUT -p tcp -s 192.168.0.97 -j ACCEPT --dport 111
[root@s# iptables -A INPUT -p tcp -s 192.168.0.97 -j ACCEPT --dport 770
where 192.168.0.97 is the computer which should be allowed to connect to 's'. In /etc/services it was also stated that NFS used the udp protocol as well. Therefore you should add at least:
Code:
[root@s# iptables -A INPUT -p udp -s 192.168.0.97 -j ACCEPT --dport 111
[root@s# iptables -A INPUT -p udp -s 192.168.0.97 -j ACCEPT --dport 2049
as well. I don't know about the other two ports...do a search on the internet, and also if NFS doesn't work properly try to open those ports as well...

Regards,

Jens

PS. You can also specify something like '192.168.0.0/24', which means '192.168.0.*', in iptables. For some info on NFS, you can look here:
http://www.ecst.csuchico.edu/~dranch...tyOS-c-40.html
I found the page through Google. DS.
 
Old 07-14-2004, 01:14 PM   #11
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Quote:
Quite. I am not really clear why you add '--state NEW,ESTABLISHED' since that's mainly the two types there are of "packet types".
Actually, iptables has 4 states: NEW, ESTABLISHED, RELATED, INVALID.

I generally do this:
--state NEW,ESTABLISHED,RELATED

edit:

Here is a link you might like:
http://www.faqs.org/docs/iptables/userlandstates.html

Last edited by benjithegreat98; 07-14-2004 at 01:17 PM.
 
Old 07-18-2004, 10:19 PM   #12
zepplin611
Member
 
Registered: Jan 2004
Distribution: AIX 4.3 RH 7,8,9 / Fedora C1/
Posts: 187

Original Poster
Rep: Reputation: 30
Ztyx....your last post worked real well for one of my servers to nfs to another....but when trying the same with a different nfs server it isn't working....

any suggestion on how to look for the reason why the EXACT replica of iptables won't work?? ie. logging info?

I've checked /etc/hosts.allow and /etc/exports and run: exportfs -a ...all the same on the one that isn't working....
zepp


EDIT:

uname -a for server that it works on:
Linux server 2.4.22-1.2188.nptl #1 Wed Apr 21 20:35:41 EDT 2004 i686 athlon i386 GNU/Linux

uname -a for server it does NOT work on:
Linux server2 2.4.22-1.2197.nptl #1 Thu Jul 1 15:28:56 EDT 2004 i686 athlon i386 GNU/Linux

could the kernel difference be causing this????

Last edited by zepplin611; 07-18-2004 at 10:36 PM.
 
Old 07-19-2004, 10:30 AM   #13
Ztyx
Member
 
Registered: Dec 2001
Location: Stockholm, Sweden
Distribution: Ubuntu, Kubuntu and Debian
Posts: 338

Rep: Reputation: 30
I don't know. You could try to open up the firewall totally once just to be sure that the firewall is not the problem. Have you checked logfiles? There should be a NFS module loaded into the kernel, but I guess the nfs daemon wouldn't start if that module wasn't there...
 