LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-02-2003, 02:34 AM   #1
Tigger
Member
 
Registered: May 2003
Posts: 168

Rep: Reputation: 30
iptables


My iptables script has the following lines in it:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

I am trying to use my Red Hat 8 sendmail server and, with a Windows 2000 workstation on the LAN using Outlook 2002, access mail from the Linux box using POP3. The POP3 service is enabled on the server. I can send and receive mail from the internet; however, I cannot access mail from the Windows 2000 workstation on the LAN from the Linux box using POP3. The email client fails on logon to the POP3 server. I have checked the username and password multiple times. It seems to locate the server, but there is no response from the server.

The Linux box is not directly attached to the router. It is sitting on the LAN off a switch.

Are my iptables rules correct?
 
Old 06-02-2003, 02:43 AM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Post all of your iptables rules. I take it that you've set your policy to DROP and are allowing specific ports through, yeah? If this is the case then you'll want to allow related and established connections through too.

cheers

Jamie...
 
Old 06-02-2003, 02:49 AM   #3
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Sorry, I do not understand what you mean by wanting to allow related and established connections through. How do I do this?

I based my iptables rules on RH Lokkit and then added the three lines above. Does this help? I allowed web, mail and SSH and did not allow telnet.
 
Old 06-02-2003, 02:59 AM   #4
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
If you post all of your rules then you might already have the related/established connections allowed through. It's literally a line that says
Code:
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
Where $IPTABLES is the location of iptables, and $EXTIF is my external interface.

cheers

Jamie...
 
Old 06-02-2003, 03:15 AM   #5
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
What iptables documentation have you read? I've just searched for your posts and there seem to be a lot of questions you've posted on pretty much the same topic, which is allowing ports through iptables.

Have you made sure that things work with no iptables rules in place first?

cheers

Jamie...
 
Old 06-02-2003, 06:26 AM   #6
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Will try these tomorrow, thanks Jamie.

Is the line above safe to add? Just worried about the security of the Linux box.

From memory I do not recall the line above in my iptables rules, but I will check tomorrow. If it is not there, is it safe to add it? What is the external interface? Is this eth0?

thanks again
 
Old 06-02-2003, 07:09 AM   #7
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
The line I mentioned is safe to add as it's only allowing related connections, which means they already have to have passed the original firewall constraints. The external interface $EXTIF is simply a variable set in my firewall script, in my case it's ppp0 (the interface of my ADSL modem), for you it'll be whatever your external connection is called.

cheers

Jamie...
 
Old 06-02-2003, 07:50 AM   #8
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
I still do not understand how this has anything to do with my local network. Forgive me for being so thick. I am finding it hard to get a grasp of iptables.

What if I put the following in my iptables rules?

iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT

where eth0 is the internal interface of the Linux box. Will this allow local network connections and possibly help with the POP3 issue I have with the Windows 2000 workstation on the LAN?

Remember, my Linux box is not directly attached to the ADSL router. It is attached to a switch on the LAN.
 
Old 06-02-2003, 10:24 AM   #9
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
That's why I asked if you've tried it without iptables in place. You can simply flush all your rules using something like
Code:
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F
HTH

Jamie...
 
Old 06-03-2003, 09:31 AM   #10
beyond_2000
Member
 
Registered: Oct 2002
Location: Guangdong,Chinese
Distribution: Redhat AS 3.0 + FC1
Posts: 72

Rep: Reputation: 15
I think you should look at your hosts.allow and hosts.deny, not only the firewall.
 
Old 06-05-2003, 01:36 AM   #11
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
I have got nothing in hosts.deny and I have got the following in hosts.allow

in.pop3d:192.168.1:ALLOW
 
Old 06-05-2003, 02:13 AM   #12
zmedico
Member
 
Registered: Feb 2002
Location: Mission Viejo, California, USA
Distribution: Gentoo
Posts: 707

Rep: Reputation: 30
Quote:
Originally posted by Tigger
i have got nothing in hosts deny

Then anything is allowed.

Did you try it with no rules in iptables (like jharris said)?
 
Old 06-05-2003, 03:39 AM   #13
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Note that hosts.allow/hosts.deny only affect daemons if you are calling them via TCP wrappers (tcpd), which is normally in turn called from (x)inetd.

cheers

Jamie...
 
Old 06-05-2003, 10:54 PM   #14
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Yes, if I stop iptables then everything works OK.

Here are my iptables rules; can someone help me out please?


Code:
Chain INPUT (policy ACCEPT)
RH-Lokkit-0-50-INPUT  all  anywhere  anywhere
ACCEPT  tcp  anywhere  anywhere  tcp dpt:http
ACCEPT  tcp  anywhere  anywhere  tcp dpt:smtp
ACCEPT  tcp  anywhere  anywhere  tcp dpt:pop3

Chain FORWARD - nothing in this chain
Chain OUTPUT - nothing in this chain

Chain RH-Lokkit-0-50-INPUT
ACCEPT  tcp  anywhere  anywhere  tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT  tcp  anywhere  anywhere  tcp dpt:smtp flags:SYN,RST,ACK/SYN
ACCEPT  tcp  anywhere  anywhere  tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT  udp  anywhere  anywhere  udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT  all  anywhere  anywhere
REJECT  tcp  anywhere  anywhere  tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT  udp  anywhere  anywhere  udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT  udp  anywhere  anywhere  udp dpt:nfs reject-with icmp-port-unreachable
REJECT  tcp  anywhere  anywhere  tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT  tcp  anywhere  anywhere  tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable


Can someone help me out please? My Linux box is not directly attached to the router. It is sitting on the LAN. I use eth0 as the internal interface and the external is ppp0 (I think). How can I find out the external interface for sure?
 
Old 06-06-2003, 03:05 AM   #15
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Your external interface will be ppp0 only if you have a dialup/ADSL modem on your machine. If you are connecting via a LAN then your "external" interface will be whatever your network connection is (eth0 normally). I still can't see the "established,related" options that I mentioned 4 days ago in your ruleset.

You might want to post the output of iptables -L -v, which will show us more. If you are on a dialup or small LAN you might want to consider whether you actually *need* any iptables rules.

cheers

Jamie...
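An added example, not code from the thread or from Lokkit: in the listing in post #14, INPUT jumps to RH-Lokkit-0-50-INPUT before it reaches the appended pop3 ACCEPT, and that chain holds a REJECT for tcp dpts:0:1023, which covers port 110; iptables matches rules in order, so a rule appended with -A after that jump is only consulted if the chain does not decide first. The script below inserts the LAN POP3 rule and the ESTABLISHED,RELATED rule ahead of the jump, and offers a self-contained ruleset as an alternative; it assumes eth0 as the LAN interface and 192.168.0.0/24 as the LAN range (the values from post #8), and IPTABLES=echo gives a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example for the thread above (not Lokkit's or the poster's script).
# Set IPTABLES=echo to print the commands without touching the firewall.
IPTABLES="${IPTABLES:-iptables}"
LANIF="${LANIF:-eth0}"                # assumption: internal interface is eth0
LANNET="${LANNET:-192.168.0.0/24}"    # assumption: LAN range from post #8

# Put the LAN POP3 rule and the stateful rule at the top of INPUT, ahead of the
# jump to RH-Lokkit-0-50-INPUT. "-A" would append after that jump, where the
# chain's REJECT for tcp dpts:0:1023 has already matched port 110.
fix_lokkit_order() {
  $IPTABLES -I INPUT 1 -i "$LANIF" -s "$LANNET" -p tcp --dport 110 \
      -m state --state NEW -j ACCEPT
  # Inserted last at position 1, so it ends up first: replies to outbound
  # connections are accepted without a per-service rule.
  $IPTABLES -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Alternative: a small ruleset that replaces the Lokkit chain entirely.
# POP3 is reachable only from the LAN segment on the internal interface;
# SMTP, HTTP and SSH stay open as the poster intended; everything else is rejected.
build_ruleset() {
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -i "$LANIF" -s "$LANNET" -p tcp --dport 110 \
      -m state --state NEW -j ACCEPT
  for port in 25 80 22; do
    $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  $IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Offline sanity check: how many POP3 rules does a dry run of build_ruleset emit?
count_pop3_rules() {
  (IPTABLES=echo; build_ruleset) | grep -c -- '--dport 110'
}
```

Run with IPTABLES=echo first and compare the printed commands against iptables -L -v --line-numbers before applying them for real.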
 