03-07-2007, 12:44 PM
|
#1
|
|
Member
Registered: Dec 2005
Distribution: Slackware
Posts: 151
Rep:
|
port 25 filtered despite firewall having port 25 open
Almost overnight, our email system stopped sending emails. Upon further checking, port 25 (SMTP) is being filtered. We panicked, and checked the firewall. The firewall shows that port 25 is open, but nmap shows it as "filtered"... Can you look at those and possibly tell us what we've overlooked? The system is a FC5 install.
nmap output:
Code:
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-03-07 10:04 PST
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1665 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp filtered smtp
51/tcp open la-maint
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
993/tcp open imaps
50000/tcp open iiimsf
50002/tcp open iiimsf
Nmap finished: 1 IP address (1 host up) scanned in 1.244 seconds
Here's the output from iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:la-maint
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:783
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
|
|
|
|
03-07-2007, 03:08 PM
|
#2
|
|
Senior Member
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873
|
It looks to me that you have run nmap from the host that you are testing on its loopback address. That isn't going to help you. You have to run nmap from a remote host against the normal IP address of the machine being tested.
The first test that you can do is to use telnet to connect to port 25 of that machine from a remote machine. You should see a message indicating that you have connected to the smtp service. If you don't then check to see if your email MTA (Postfix, Sendmail, Qmail, whatever) is configured correctly and that it is running properly.
If you have lost the ability to send email over the Internet but you can still send email within the office then check to see if your ISP is blocking your use of port 25.
Last edited by stress_junkie; 03-07-2007 at 03:09 PM.
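The remote test suggested in the post above, as an added example that is not part of the original thread: a TCP connect probe that separates "open", "closed" and "filtered" and reads the SMTP greeting. The function names and the command-line usage are assumptions made for illustration.

```python
import errno
import socket
import sys


def probe_tcp(host, port, timeout=5.0):
    """Try a full TCP connect and return (state, detail).

    state is 'open', 'closed' or 'filtered', the same three outcomes a
    connect-style port scan reports.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # A TCP RST came back: the host answered, nothing listens there.
        return "closed", "connection refused"
    except socket.timeout:
        # Silence: the SYN or its reply was dropped somewhere on the path.
        return "filtered", "no reply before timeout"
    except OSError as exc:
        # ICMP errors surface here, e.g. the thread's final rule
        # 'REJECT ... reject-with icmp-host-prohibited'.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered", "ICMP unreachable/prohibited"
        raise
    with sock:
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except (socket.timeout, ConnectionResetError):
            banner = ""
    return "open", banner


def smtp_ready(banner):
    """An SMTP server greets with reply code 220 when it is ready."""
    return banner.startswith("220")


if __name__ == "__main__":
    # Usage: python probe.py <server-address> ; run it from a remote machine.
    target = sys.argv[1]
    state, detail = probe_tcp(target, 25)
    print(f"{target}:25 is {state}: {detail!r}")
    if state == "open" and not smtp_ready(detail):
        print("port accepts connections but sent no 220 greeting; check the MTA")
```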
|
|
|
|
03-07-2007, 03:15 PM
|
#3
|
|
Member
Registered: Dec 2005
Distribution: Slackware
Posts: 151
Original Poster
Rep:
|
I had run nmap locally because nmap from outside of the system doesn't pop up with anything, it just runs forever or gives an error about timing out. Telnet doesn't connect either. I'm not sure, but I think that nmap never returned much of a favorable result from outside; I think FC5's security has it set up to just drop unwanted/filtered traffic. Does the result from iptables look like it's attempting to filter? Otherwise, my question is what is causing it to filter port 25?
Email seems to be going at times, albeit slowly. At other times it just stops until the system is rebooted.
|
|
|
|
03-07-2007, 06:05 PM
|
#4
|
|
Member
Registered: Dec 2005
Distribution: Slackware
Posts: 151
Original Poster
Rep:
|
So, after trying *one last time* for a nmap from a remote computer, it finally came back with port 25 open and unfiltered. It seems the email on the system is working now (problems *may* have been coming from misconfiguration).
So, why does port 25 still show as filtered on a nmap from inside that computer? At this point it's more curiosity than anything else.
|
|
|
|
03-07-2007, 06:09 PM
|
#5
|
|
Senior Member
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873
|
I don't know. 
|
|
|
|
03-08-2007, 02:08 AM
|
#6
|
|
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
|
Originally Posted by ille.pugil42
So, why does port 25 still show as filtered on a nmap from inside that computer? At this point it's more curiosity than anything else.
|
what does the output of this (as root) look like:
|
|
|
|
03-08-2007, 11:38 AM
|
#7
|
|
Member
Registered: Dec 2005
Distribution: Slackware
Posts: 151
Original Poster
Rep:
|
Not entirely sure if that sheds some light, but whatever helps!
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 2357/tcpserver
tcp 0 0 127.0.0.1:50000 0.0.0.0:* LISTEN 2049/hpiod
tcp 0 0 127.0.0.1:50002 0.0.0.0:* LISTEN 2054/python
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2354/tcpserver
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:60222 SYN_RECV -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1649 SYN_RECV -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4389 SYN_RECV -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2929 SYN_RECV -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1034 SYN_RECV -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2314 SYN_RECV -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1516 SYN_RECV -
tcp 0 0 localhost:110 XXX.XXX.XXX.XXX:64816 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4645 TIME_WAIT -
tcp 1 0 localhost:25 XXX.XXX.XXX.XXX:57387 CLOSE_WAIT 3081/tcpserver
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2918 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1584 TIME_WAIT -
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:3742 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:62449 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3927 TIME_WAIT -
tcp 0 28 localhost:25 XXX.XXX.XXX.XXX:50782 ESTABLISHED 29432/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1578 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:52238 ESTABLISHED 31399/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4878 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:5348 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3161 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:57320 ESTABLISHED 24030/qmail-smtpd
tcp 0 0 localhost:110 XXX.XXX.XXX.XXX:60486 TIME_WAIT -
tcp 0 0 localhost:110 XXX.XXX.XXX.XXX:60487 TIME_WAIT -
tcp 0 28 localhost:25 XXX.XXX.XXX.XXX:1485 ESTABLISHED 29615/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:60314 ESTABLISHED 3263/qmail-smtpd
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:63305 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1818 ESTABLISHED 31317/qmail-smtpd
tcp 0 28 localhost:25 XXX.XXX.XXX.XXX:3038 ESTABLISHED 28001/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:59062 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2814 ESTABLISHED 2766/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:36845 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:57000 TIME_WAIT -
tcp 0 28 localhost:25 XXX.XXX.XXX.XXX3:50579 ESTABLISHED 28521/qmail-smtpd
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:3293 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4616 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:34468 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1865 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2555 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4599 TIME_WAIT -
tcp 0 28 localhost:25 XXX.XXX.XXX.XXX:51352 ESTABLISHED 26379/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3645 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3737 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3804 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4289 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:62597 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4119 ESTABLISHED 32587/qmail-smtpd
tcp 1 0 localhost:25 XXX.XXX.XXX.XXX:4819 CLOSE_WAIT 3283/tcpserver
tcp 1 23 localhost:25 XXX.XXX.XXX.XXX:56583 CLOSING -
tcp 1 23 localhost:25 XXX.XXX.XXX.XXX:9753 CLOSING -
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:1978 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1900 ESTABLISHED 26233/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1794 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:53292 ESTABLISHED 1729/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1577 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4813 TIME_WAIT -
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:3669 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4966 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3753 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:51158 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:58038 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:42673 ESTABLISHED 3195/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:56530 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3586 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4711 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2927 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:29515 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2200 ESTABLISHED 3245/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:7584 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:57477 ESTABLISHED 2876/qmail-smtpd
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:4620 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1597 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4794 TIME_WAIT -
tcp 0 28 localhost:25 XXX.XXX.XXX.XXX:58847 ESTABLISHED 514/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:43469 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2975 ESTABLISHED 895/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1300 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2207 ESTABLISHED 3226/qmail-smtpd
tcp 0 28 localhost:25 XXX.XXX.XXX.XXX:3099 ESTABLISHED 369/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2241 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:42256 ESTABLISHED 1192/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2821 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4355 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1124 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4950 ESTABLISHED 32156/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3876 ESTABLISHED 3224/qmail-smtpd
tcp 1 0 localhost:25 XXX.XXX.XXX.XXX:2904 CLOSE_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2468 ESTABLISHED -
tcp 0 26749 localhost:110 XXX.XXX.XXX.XXX:3013 ESTABLISHED 26063/qmail-popup
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2335 ESTABLISHED -
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:50678 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4728 ESTABLISHED 23700/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4205 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:64816 ESTABLISHED 32123/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:60237 ESTABLISHED 2807/qmail-smtpd
tcp 1 0 localhost:25 XXX.XXX.XXX.XXX:36524 CLOSE_WAIT -
tcp 1 0 localhost:25 XXX.XXX.XXX.XXX:2183 CLOSE_WAIT -
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:49215 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3366 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3688 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2418 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3720 ESTABLISHED 3173/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4736 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1418 ESTABLISHED 2900/qmail-smtpd
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4190 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:1774 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:60115 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:2846 TIME_WAIT -
tcp 0 29 localhost:25 XXX.XXX.XXX.XXX:2295 LAST_ACK -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:64251 TIME_WAIT -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:3603 ESTABLISHED -
tcp 0 0 localhost:25 XXX.XXX.XXX.XXX:4578 TIME_WAIT -
tcp 0 0 :::993 :::* LISTEN 2282/couriertcpd
tcp 0 0 :::143 :::* LISTEN 8163/couriertcpd
tcp 0 0 :::80 :::* LISTEN 2122/httpd
tcp 0 0 :::51 :::* LISTEN 2077/sshd
tcp 0 0 :::443 :::* LISTEN 2122/httpd
udp 0 0 localhost:58547 XXX.XXX.XXX.XXX:53 ESTABLISHED 3081/tcpserver
udp 0 0 localhost:64715 XXX.XXX.XXX.XXX:53 ESTABLISHED 3283/tcpserver
udp 0 0 localhost:123 0.0.0.0:* 2103/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2103/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2103/ntpd
udp 0 0 :::123 :::* 2103/ntpd
|
|
|
|
03-08-2007, 07:30 PM
|
#8
|
|
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
|
Originally Posted by ille.pugil42
Not entirely sure if that sheds some light, but whatever helps!
|
just wanted to make sure your MTA was listening everywhere... hmmm, weird... the only other thing to look at would be the iptables rules, but the way you posted them it's really hard to understand them... if you could be a little more verbose, like this it would be great: if there's no rule that would cause nmap to show it as filtered, i'm not sure what the explanation would be... =/
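The "is the MTA listening everywhere" check described above, as an added example that is not part of the original thread: it parses netstat output in the layout posted earlier, reports where a port is bound, and tallies the TCP states on it. The sample rows are constructed (documentation address ranges) and the function names are assumptions.

```python
from collections import Counter

# Constructed sample in the netstat layout shown in the thread, with
# numeric addresses; these are not the poster's real rows.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 2357/tcpserver
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2354/tcpserver
tcp 0 0 127.0.0.1:50000 0.0.0.0:* LISTEN 2049/hpiod
tcp 0 0 192.0.2.10:25 198.51.100.7:60222 SYN_RECV -
tcp 0 0 192.0.2.10:25 198.51.100.8:1649 SYN_RECV -
tcp 0 28 192.0.2.10:25 203.0.113.5:50782 ESTABLISHED 29432/qmail-smtpd
tcp 0 0 192.0.2.10:25 203.0.113.9:4645 TIME_WAIT -
tcp 0 0 :::80 :::* LISTEN 2122/httpd
"""


def parse(text):
    """Yield (local_addr, local_port, state) for every tcp row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header, udp rows (no state column), blank lines
        addr, _, port = fields[3].rpartition(":")
        yield addr, port, fields[5]


def listener_scope(text, port):
    """Return 'all', 'loopback-only', 'specific' or 'none' for a port."""
    binds = {a for a, p, s in parse(text) if p == str(port) and s == "LISTEN"}
    if not binds:
        return "none"
    if binds & {"0.0.0.0", "::", "*"}:
        return "all"  # wildcard bind: reachable on every interface
    if all(a.startswith("127.") or a in ("::1", "localhost") for a in binds):
        return "loopback-only"  # remote hosts can never connect
    return "specific"


def state_counts(text, port):
    """Tally TCP states of the non-listening sockets on a local port."""
    return Counter(s for _, p, s in parse(text) if p == str(port) and s != "LISTEN")


if __name__ == "__main__":
    print("port 25 listener scope:", listener_scope(SAMPLE, 25))
    print("port 25 states:", dict(state_counts(SAMPLE, 25)))
```

Feed it numeric output (netstat with `-n`), since the port match is on the number rather than a service name such as `smtp`.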
|
|
|
|
03-09-2007, 12:51 AM
|
#9
|
|
Member
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257
Rep:
|
Hmm just one thing. Can you try this and post back:
Code:
nmap 192.168.0.32   # your IP
instead of:
Code:
nmap 127.0.0.1   # loopback
Also just in case you don't have any iptables blocking off the loopback .. right???
Finally take a look at this thread. Somewhat similar to what you're facing. Nmap is apparently problematic with loopback IPs.
http://www-gatago.com/comp/security/...s/3708397.html
If you still want the absolute exacts you'll need to sit and read up on the Nmap documentation itself on www.insecure.org
Cheers
Arvind
Last edited by live_dont_exist; 03-09-2007 at 12:54 AM.
|
|
|
|