Linux - Security
I have a weird issue with SMTP traffic when using iptables. I can get it to work for a short period of time, and then something as simple as rebooting the client machine and/or the firewall will stop it from working.
This can happen whether I make changes to the rules or not.
Here is my iptables file. a.b.c.d is the SMTP server we use, and I would like only that SMTP server to be accessible, but if it is easier to get it to work without that restriction, that would be a good start.
Code:
# Generated by iptables-save v1.3.0 on Mon Dec 12 16:14:39 2005
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 12 16:14:39 2005
# Generated by iptables-save v1.3.0 on Mon Dec 12 16:14:39 2005
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [63:16751]
:OUTPUT ACCEPT [75:27398]
:POSTROUTING ACCEPT [75:27398]
:PREROUTING ACCEPT [63:16751]
COMMIT
# Completed on Mon Dec 12 16:14:39 2005
# Generated by iptables-save v1.3.0 on Mon Dec 12 16:14:39 2005
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp -m multiport -i eth1 -o eth0 -j ACCEPT --dports 3128,80,110,22,53,25
-A FORWARD -p tcp -m tcp -s 192.168.10.25 -i eth1 -o eth0 --dport 569 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -d a.b.c.d --dport 25 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0/0 -d 0/0 -i eth1 -j ACCEPT
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -s 0/0 -d a.b.c.d --dport 25 -j ACCEPT --syn
-A INPUT -p icmp -j ACCEPT
COMMIT
# Completed on Mon Dec 12 16:14:39 2005
Are these the rules on the SMTP box itself? Or are these the rules on the router/firewall which sits between the SMTP box and the WAN/Internet?
The reason I ask is because you have rules for a.b.c.d (25/TCP) in both the FORWARD and INPUT chains, so I'm not sure what you are doing... Perhaps if you explain your network setup a little more thoroughly it would be easier to give you a hand...
The SMTP box is not within this network; it is at the ISP (not my idea). The way I want the firewall to work is to forward the SMTP packets to this server at the ISP, and only that one server.
Okay... so the rules are running on the firewall for your LAN, and the SMTP server is on the WAN... I take it that eth1 is your LAN interface and eth0 is your WAN interface... Try like this then (I'm ignoring your INPUT rules as they are irrelevant in this case):
Code:
iptables -F FORWARD
iptables -X FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 -m multiport \
--dports 3128,80,110,443,22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p UDP -i eth1 -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.10.25 \
--dport 569 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 -d your.smtp.server.ip \
--dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p ICMP -i eth1 -o eth0 --icmp-type 8 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/minute --limit-burst 5 \
-j LOG --log-prefix "FORWARD DROP: "
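To see what the two FORWARD chains in this thread do with mail traffic, here is a small evaluator for the subset of iptables syntax they use (an added example, not code from the thread; the LAN and "other relay" addresses are made up). It shows that the posted chain's multiport rule already accepts port 25 to any host, so the a.b.c.d rule below it restricts nothing, while the suggested chain passes SMTP only to a.b.c.d and still lets the relay's replies back in.

```python
import shlex
# Option -> field; only the options used in this thread's FORWARD rules are modelled.
OPTS = {"-p": "proto", "-i": "inp", "-o": "out", "-s": "src", "-d": "dst",
        "-j": "target", "--state": "state", "--dport": "dports", "--dports": "dports"}
TERMINAL = {"accept", "drop", "reject"}  # a LOG target would match and fall through
def parse_rule(line):
    """One '-A FORWARD ...' line -> dict of lowercased match criteria plus target."""
    toks = shlex.split(line)
    rule = {OPTS[k]: v.lower() for k, v in zip(toks, toks[1:]) if k in OPTS}
    for key in ("dports", "state"):  # comma-separated lists become sets
        if key in rule:
            rule[key] = set(rule[key].split(","))
    return rule
def matches(rule, pkt):
    """True when every criterion the rule specifies agrees with the packet."""
    for f in ("proto", "inp", "out", "src", "dst"):
        if rule.get(f) not in (None, "0/0") and rule[f] != pkt[f]:
            return False
    port_ok = not rule.get("dports") or pkt["dport"] in rule["dports"]
    return port_ok and (not rule.get("state") or pkt["state"] in rule["state"])
def verdict(rules, pkt, policy="drop"):
    """Walk the chain top-down: the first terminating match wins, else the chain policy."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt) and rule.get("target") in TERMINAL:
            return rule["target"]
    return policy
# FORWARD chains from the thread (continuation lines joined). The port-569, UDP-53,
# ICMP and LOG rules are left out since none of them can decide an SMTP connection.
OP_FORWARD = [
    "-A FORWARD -p tcp -m tcp -m multiport -i eth1 -o eth0 -j ACCEPT --dports 3128,80,110,22,53,25",
    "-A FORWARD -m state -i eth0 -o eth1 --state ESTABLISHED,RELATED -j ACCEPT",
    "-A FORWARD -p tcp -m tcp -d a.b.c.d --dport 25 -j ACCEPT",
]
REPLY_FORWARD = [
    "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A FORWARD -p TCP -i eth1 -o eth0 -m multiport --dports 3128,80,110,443,22 -m state --state NEW -j ACCEPT",
    "-A FORWARD -p TCP -i eth1 -o eth0 -d a.b.c.d --dport 25 -m state --state NEW -j ACCEPT",
]

# Constructed packets: a LAN host mailing the ISP relay, the same host trying some other
# relay, and the ISP relay's reply coming back in (LAN/OTHER addresses are made up).
LAN, ISP, OTHER = "192.168.10.50", "a.b.c.d", "198.51.100.7"
PKTS = {
    "smtp_to_isp": dict(proto="tcp", inp="eth1", out="eth0", src=LAN, dst=ISP, dport="25", state="new"),
    "smtp_to_other": dict(proto="tcp", inp="eth1", out="eth0", src=LAN, dst=OTHER, dport="25", state="new"),
    "relay_reply": dict(proto="tcp", inp="eth0", out="eth1", src=ISP, dst=LAN, dport="40123", state="established"),
}
def compare():  # packet name -> (verdict under the posted chain, verdict under the suggested chain)
    return {n: (verdict(OP_FORWARD, p), verdict(REPLY_FORWARD, p)) for n, p in PKTS.items()}
```

Running `compare()` returns `accept`/`accept` for mail to a.b.c.d and for the relay's reply under both chains, but `accept`/`drop` for mail to any other host, which is the restriction the original poster asked for.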