LinuxQuestions.org
Old 03-14-2007, 03:38 PM   #1
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 530

Rep: Reputation: 30
Exclamation Hm, I think I broke my firewall (cant get email)


Help someone!

I have a brand new server running Ubuntu Edgy 6.10 for AMD-64. There is no GUI installed.

The server sits between a small LAN (~30 clients) and a DSL modem for the Internet. It runs squid, squidGuard, and a firewall script for now. All it has to do is cache and filter web traffic, and of course do some basic security.

I've been having problems getting squid set up and being able to connect through the LAN, but I've been successful now to the point that clients can surf the Web, and squidGuard is happily doing its filtering. (However, transparent proxying isn't working, but that's another story).

During my messing around I've somehow managed to break something, and now no one on the LAN can use SMTP/POP3 (this is hosted at our ISP).

Other than squid settings, the only thing I can think that I did was set "/proc/sys/net/ipv4/ip_forward" and "ip_dynaddr", and mess the firewall settings.

This is the same firewall script that I used on our old server and it worked fine. In fact, it worked fine on THIS server yesterday.

I don't think it can be squid, since squid only gets the traffic from port 80.

I have no idea where to start looking to solve this problem, I am only assuming it's the firewall. So here's my iptables -L:

Code:
iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
pass-and-log  all  --  192.168.1.0/24       anywhere
drop-and-log  all  --  192.168.1.0/24       anywhere
drop-and-log  all  --  192.168.1.0/24       anywhere
pass-and-log  icmp --  anywhere             anywhere
pass-and-log  icmp --  anywhere             anywhere
pass-and-log  tcp  --  anywhere             anywhere            tcp dpts:loc-srv:netbios-ssn
pass-and-log  udp  --  anywhere             anywhere            udp dpts:loc-srv:netbios-ssn
pass-and-log  tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
pass-and-log  udp  --  anywhere             anywhere            udp dpt:microsoft-ds
pass-and-log  all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6889
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6881:6889
drop-and-log  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
pass-and-log  tcp  --  anywhere             anywhere            tcp dpts:loc-srv:netbios-ssn
pass-and-log  udp  --  anywhere             anywhere            udp dpts:loc-srv:netbios-ssn
pass-and-log  tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
pass-and-log  udp  --  anywhere             anywhere            udp dpt:microsoft-ds
drop-and-log  tcp  --  anywhere             anywhere            tcp dpt:ms-sql-m
drop-and-log  udp  --  anywhere             anywhere            udp dpt:ms-sql-m
drop-and-log  tcp  --  anywhere             anywhere            tcp dpt:4444
drop-and-log  udp  --  anywhere             anywhere            udp dpt:4444
drop-and-log  tcp  --  anywhere             anywhere            tcp dpt:593
drop-and-log  udp  --  anywhere             anywhere            udp dpt:593
drop-and-log  tcp  --  anywhere             anywhere            tcp dpt:69
drop-and-log  udp  --  anywhere             anywhere            udp dpt:tftp
drop-and-log  tcp  --  anywhere             anywhere            tcp dpt:6969
drop-and-log  udp  --  anywhere             anywhere            udp dpt:6969
drop-and-log  tcp  --  anywhere             anywhere            tcp dpt:666
drop-and-log  udp  --  anywhere             anywhere            udp dpt:666
pass-and-log  all  --  anywhere             anywhere            state RELATED,ESTABLISHED
pass-and-log  all  --  anywhere             anywhere
drop-and-log  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
pass-and-log  all  --  anywhere             192.168.1.0/24
drop-and-log  all  --  anywhere             192.168.1.0/24
drop-and-log  all  --  anywhere             192.168.1.0/24
pass-and-log  all  --  anywhere             anywhere
pass-and-log  all  --  anywhere             anywhere
ACCEPT     tcp  --  192.168.1.0/24       255.255.255.255     tcp spt:bootps dpt:bootpc
ACCEPT     udp  --  192.168.1.0/24       255.255.255.255     udp spt:bootps dpt:bootpc
drop-and-log  all  --  anywhere             anywhere

Chain drop-and-log (19 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain pass-and-log (17 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

What ELSE could block mail from coming through? My errors (in Outlook) are something like "A TCP/IP error occurred while sending data to the server"

Any help appreciated!
 
Old 03-14-2007, 03:45 PM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,943
Blog Entries: 5

Rep: Reputation: 753
You might try turning off the firewall to see if it resolves the issue. You can turn it back on afterwards. This test would at least confirm you're looking in the right place.

Don't use ubuntu but on other Distros it's just:

service iptables stop (stop the firewall)
-AND-
service iptables start (restart the firewall)

Also are you sure these are the right rules? If you did on the fly edits of iptables then forgot to save them before you stopped/started iptables it would have lost the rules so the restarted rules wouldn't be the ones you thought they were.
 
Old 03-14-2007, 04:04 PM   #3
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 530

Original Poster
Rep: Reputation: 30
Hi jlightner,

When I tried that command (which worked on my old Mandrake server) I got
bash: service: command not found

usually if I want to start or stop something, I have to run /etc/init.d/<command> start | stop

But there is no iptables listed in /etc/init.d. I did find it in /sbin, but start and stop did not work.

???
 
Old 03-15-2007, 07:43 AM   #4
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,943
Blog Entries: 5

Rep: Reputation: 753
Do you have /etc/rc.d? A quick Google suggests that may be the location for start/stop scripts in your distro.
 
Old 03-15-2007, 08:23 AM   #5
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 530

Original Poster
Rep: Reputation: 30
No, I do not have that folder. My Mandrake distro did but not Ubuntu. Ubuntu has /etc/init.d and /etc/rcN.d (where N is the runlevel numbers) and /etc/rc.local.

I restarted my server WITHOUT running my firewall script:
Code:
root@proxy:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Internet works, but email STILL doesn't work. Error message is now "Unable to connect to the server."

Thinking it might be a DNS issue, I just installed BIND (DNS service) on my server, and now I can ping names and get their IP addresses (whereas before I could not; I was connected to the Internet via the squid proxy). However, all pings return "Request timed out" from the LAN, but they return when I ping from the server.

Example:
Before BIND: From a LAN client
ping www.google.ca
Unknown host www.google.ca

After BIND: From a LAN client
ping www.google.ca
Pinging www.1.google.com [74.14.203.104] with 32 bytes of data:
Request timed out.
Request timed out.
...

From server, ping worked fine both before and after.

What else can I try???
 
Old 03-15-2007, 08:30 AM   #6
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 530

Original Poster
Rep: Reputation: 30
Never mind!!! It WAS a firewall issue.

I did:
Code:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
And yeah, now e-mail works. So it WAS my firewall.

Obviously, I don't want to leave it like it is!!!! So I need to fix it, fast. Can you tell me how to post my firewall script with the comments stripped out? (there's lots of comments)

Thanks!
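
Editor's note, with an added example that is not the poster's script and not code from this thread. Read together, posts #5 and #6 point at source NAT rather than the filter rules: with no firewall script loaded the FORWARD policy was ACCEPT and mail still failed, LAN pings timed out while pings from the server itself worked, the web worked only through squid (whose connections originate from the server), and mail started working the moment `iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE` was added. Two things worth knowing when you look for that kind of problem: plain `iptables -L` shows only the filter table, so the nat table the fix touched never appears in the listing in post #1 (`iptables -t nat -L -n -v` shows it), and without `-v` the interface match is hidden, so a rule printed as `ACCEPT all anywhere anywhere` may be a harmless `-i lo` rule or may be accepting everything and making the rest of the chain dead. The script below shows what post #6 enabled (MASQUERADE on the PPP link, stateful forwarding from the LAN interface) without leaving INPUT, FORWARD and OUTPUT wide open, and its `flush` mode is the "turn the firewall off" test from post #2 written out by hand, since Ubuntu has no `service iptables stop`. Interface names `eth1`/`ppp0` and the subnet `192.168.1.0/24` are taken from the thread; squid listening on TCP 3128 and BIND answering the LAN on the same box are assumptions. Web ports are deliberately not forwarded so that browsers must go through squid and squidGuard instead of around them.

```shell
#!/bin/sh
# Added example, not the thread's firewall script: a restrictive NAT firewall for
# a Linux box between a LAN and a PPP/DSL uplink, plus an "open everything" mode
# for testing. Assumed (not stated on the page): squid on TCP 3128, BIND on this box.
#
#   sh nat-fw.sh print   # emit the rules, apply nothing
#   sh nat-fw.sh apply   # apply as root (turns on ip_forward first)
#   sh nat-fw.sh flush   # policy ACCEPT, no rules: the "firewall off" test

LAN_IF="${LAN_IF:-eth1}"               # LAN side, as in post #6
WAN_IF="${WAN_IF:-ppp0}"               # DSL/PPP uplink, as in post #6
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # LAN subnet, as in post #1
SQUID_PORT="${SQUID_PORT:-3128}"       # assumption: squid's default http_port
# TCP services LAN clients may reach directly on the Internet. Web (80/443) is
# left out on purpose so browsers have to use squid/squidGuard.
FWD_TCP_PORTS="${FWD_TCP_PORTS:-25,110}"   # SMTP and POP3 at the ISP

# Emit the rule set as iptables commands, one per line, instead of running them,
# so the set can be reviewed and tested without touching the kernel.
gen_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; squid_port=$4; fwd_tcp=$5
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# to the box itself: loopback, replies, and LAN clients using squid, DNS and ping
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $squid_port -m state --state NEW -j ACCEPT
iptables -A INPUT -i $lan_if -s $lan_net -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $lan_if -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
# routed through the box: replies, and new LAN->WAN connections on the listed ports only
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp -m multiport --dports $fwd_tcp -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
# source NAT: without this the ISP sees 192.168.1.x source addresses and replies never come back
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}

# Open everything up: ACCEPT policies and no rules in filter or nat.
gen_flush() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
EOF
}

main() {
    case "$1" in
        print) gen_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" "$SQUID_PORT" "$FWD_TCP_PORTS" ;;
        apply)
            # the kernel must route between the two interfaces; the poster set this by hand
            echo 1 > /proc/sys/net/ipv4/ip_forward
            gen_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" "$SQUID_PORT" "$FWD_TCP_PORTS" | sh -e
            ;;
        flush) gen_flush | sh -e ;;
        *) echo "usage: $0 print|apply|flush" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run `print` first and read the output; `apply` only pipes that same output into `sh -e`, so what you reviewed is what gets loaded. `flush` removes every rule in the filter and nat tables, including ones added by other components (the TCPMSS clamp rule visible in post #5 was present with no firewall script loaded, so it will go too), which is fine for a short test but is not a state to leave a gateway in. If a LAN client later needs another direct service, add its port to `FWD_TCP_PORTS` rather than widening the FORWARD chain to all traffic, since a blanket forward rule lets clients bypass the squidGuard filtering the box exists to enforce.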
 
  

