LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 12-14-2005, 10:46 AM   #1
dragonleech
LQ Newbie
 
Registered: Dec 2005
Posts: 24

Rep: Reputation: 15
SMTP issue with iptables


I have a wierd issue with SMTP traffic when using iptables. I can get it to work for a short period of time and then something as simple as rebooting the client machine and/or the firewall will stop it from working.

This can happen whether I make changes or not to the rules.

Here is my iptables file. a.b.c.d is the smtp server we use and I would like for only that SMTP server to be accessible but if it is easier to get it to work without that rescrition that would be a good start

Code:
# Generated by iptables-save v1.3.0 on Mon Dec 12 16:14:39 2005
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 12 16:14:39 2005
# Generated by iptables-save v1.3.0 on Mon Dec 12 16:14:39 2005
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [63:16751]
:OUTPUT ACCEPT [75:27398]
:POSTROUTING ACCEPT [75:27398]
:PREROUTING ACCEPT [63:16751]
COMMIT
# Completed on Mon Dec 12 16:14:39 2005
# Generated by iptables-save v1.3.0 on Mon Dec 12 16:14:39 2005
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp -m multiport -i eth1 -o eth0 -j ACCEPT --dports 3128,80,110,22,53,25
-A FORWARD -p tcp -m tcp -s 192.168.10.25 -i eth1 -o eth0 --dport 569 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -d a.b.c.d --dport 25 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0/0 -d 0/0 -i eth1 -j ACCEPT
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -s 0/0 -d a.b.c.d --dport 25 -j ACCEPT  --syn
-A INPUT -p icmp -j ACCEPT

COMMIT
# Completed on Mon Dec 12 16:14:39 2005
 
Old 12-19-2005, 07:31 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
are these the rules on the SMTP box itself?? or are these the rules on the router/firewall which sits between the SMTP box and the WAN/Internet??

the reason i ask is cuz you have rules for a.b.c.d (25/TCP) in both the FORWARD and INPUT chains so i'm not sure what you are doing... perhaps if you explain your network setup a little more thoroughly it would be easier to give you a hand...
 
Old 12-20-2005, 10:23 AM   #3
dragonleech
LQ Newbie
 
Registered: Dec 2005
Posts: 24

Original Poster
Rep: Reputation: 15
the SMTP box is not within this network it is at the ISP (not my idea). the way I wan the firewall to work is to forward the SMTP packets to this server at the ISP and only that one server.

Thanks,

Dragonleech
 
Old 12-20-2005, 04:56 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by dragonleech
Code:
-A FORWARD -p tcp -m tcp -m multiport -i eth1 -o eth0 -j ACCEPT --dports 3128,80,110,22,53,25
-A FORWARD -p tcp -m tcp -s 192.168.10.25 -i eth1 -o eth0 --dport 569 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -d a.b.c.d --dport 25 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
Quote:
Originally Posted by dragonleech
the SMTP box is not within this network it is at the ISP (not my idea). the way I wan the firewall to work is to forward the SMTP packets to this server at the ISP and only that one server.
okay... so the rules are running on the firewall for your LAN, and the SMTP server is on the WAN... i take it that eth1 is your LAN interface and eth0 is your WAN interface... try like this then (i'm ignoring your INPUT rules as they are irrelevant in this case):
Code:
iptables -F FORWARD

iptables -X FORWARD

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP -i eth1 -o eth0 -m multiport \
--dports 3128,80,110,443,22 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p UDP -i eth1 -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.10.25 \
--dport 569 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth1 -o eth0 -d your.smtp.server.ip \
--dport 25 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p ICMP -i eth1 -o eth0 --icmp-type 8 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -m limit --limit 5/minute --limit-burst 5 \
-j LOG --log-prefix "FORWARD DROP: "

Last edited by win32sux; 12-20-2005 at 05:05 PM.
 
Old 12-21-2005, 11:46 AM   #5
dragonleech
LQ Newbie
 
Registered: Dec 2005
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks

I implimented the rules above about 3 hrs ago and they seem to be working great thanks

Dragonleech
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SMTP/POP3 problems with squid/iptables dragonleech Linux - Security 8 09-23-2010 05:57 AM
SMTP/POP3 iptables problem dragonleech Linux - Security 4 12-12-2005 12:33 PM
postfix smtp issue(s) (fedora core 4) alfNtexas Linux - Software 4 10-05-2005 04:44 AM
SMTP Auth issue with Dovecot in debian fidelis Debian 0 09-28-2004 07:07 PM
POP3/SMTP-IPTABLES Problems chris Linux - Networking 1 02-28-2003 05:55 AM


All times are GMT -5. The time now is 04:37 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration