LinuxQuestions.org
Old 10-25-2006, 11:21 PM   #1
augurseer
Member
 
Registered: Feb 2006
Location: Canada
Distribution: OpenSuSe 10.2 (Home and Laptop) CentOS 5.0 (Server)
Posts: 171

Rep: Reputation: 30
gmail and iptables POP problems


I am using CentOS 4.4 as an in-home IMAP server. I use fetchmail to get email off my Gmail account using Gmail's POP service. I began installing iptables and setting it up to protect my server and network. I have a standalone router, a D-Link, that also acts as a cheapy firewall and NAT and all the things routers do today. Then I have my CentOS server, on which I am setting up iptables.


I am able to get my IMAP (in network) working as well as HTTPD, SSHD and the like. I can access the net from the server and can ping and such. I just can't get fetchmail to download my emails.


I use port 995 with SSL to access the server. I opened iptables up with

-A INPUT -p tcp -m tcp -m state -i eth0 --dport 995 --sport 1024:65535 --state NEW -j ACCEPT

-A INPUT -p tcp -m tcp -i eth0 --dport 1024:65535 --sport 995 -j ACCEPT


To my knowledge this allows port 995 from outside to access my server AND for my server to receive contact from a system transmitting FROM port 995.

I can contact the pop.gmail.com server, see the new emails and it even tries to download them, then I get a

.fetchmail: SMTP connect to localhost failed
fetchmail: SMTP transaction error while fetching from pop.gmail.com
fetchmail: Query status=10 (SMTP)

error.


This to me appears to be an SMTP failure on my side, but this doesn't make much sense. I use postfix and don't have a single issue with postfix OR Gmail OR fetchmail when the firewall is all open and free, but once any rule sets are loaded the system won't allow SMTP communications.



Here is my /etc/sysconfig/iptables entry:


# Generated by iptables-save v1.2.11 on Wed Oct 25 02:27:35 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A INPUT -p tcp -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 1024:65535 --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 1024:65535 --sport 995 -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 80 --sport 1024:65535 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 143 --sport 1024:65535 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 995 --sport 1024:65535 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 9175 --sport 1024:65535 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 10000 --sport 1024:65535 --state NEW -j ACCEPT
COMMIT
# Completed on Wed Oct 25 02:27:35 2006
# Generated by iptables-save v1.2.11 on Wed Oct 25 02:27:35 2006
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Oct 25 02:27:35 2006
# Generated by iptables-save v1.2.11 on Wed Oct 25 02:27:35 2006
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Oct 25 02:27:35 2006
 
Old 10-25-2006, 11:50 PM   #2
augurseer
Member
 
Registered: Feb 2006
Location: Canada
Distribution: OpenSuSe 10.2 (Home and Laptop) CentOS 5.0 (Server)
Posts: 171

Original Poster
Rep: Reputation: 30
I fixed my own problems.


I added two new rules:


allow 127.0.0.1 to contact in from 127.0.0.1 on port 25 and vice versa.


So now only 127.0.0.1 FROM 127.0.0.1 can talk to 127.0.0.1 from 127.0.0.1 using 25. It appears that I was blocking fetchmail from passing the mail from itself to postfix. DAMNED my stupidness, but yea for fixes.
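
Why the posted ruleset broke local delivery, shown as an added example that is not part of either post: a small first-match evaluator run over the INPUT chain, checking fetchmail's loopback connection to postfix before and after the fix. The iptables-save spelling of the two fix rules, the packet dictionaries, port 40000 and the simplified state match (the packet carries its conntrack state as a field) are assumptions made for illustration.

```python
import shlex
# Constructed sample: INPUT policy and two rules copied from the first post.
POSTED = """*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 1024:65535 --sport 995 -j ACCEPT
COMMIT
"""
# Assumption: one possible spelling of the two rules the second post describes.
FIX = """-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --sport 25 -j ACCEPT
"""
FIXED = POSTED.replace("COMMIT\n", FIX + "COMMIT\n")
FIELDS = {"-i": "iface", "-p": "proto", "-s": "src", "-d": "dst"}

def parse_rules(text):
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if line.startswith(":INPUT"):
            policy = tok[1]  # chain policy, e.g. DROP
        elif tok[:2] == ["-A", "INPUT"]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))  # each option has one value
    return policy, rules

def in_range(spec, port):
    lo, _, hi = spec.partition(":")  # "25" or "1024:65535"
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    for opt, val in rule.items():
        if opt in FIELDS and pkt[FIELDS[opt]] != val:
            return False
        if opt in ("--sport", "--dport") and not in_range(val, pkt[opt[2:]]):
            return False
        if opt == "--state" and pkt["state"] not in val.split(","):
            return False
    return True

def verdict(text, pkt):
    # First terminating rule that matches wins; LOG does not terminate.
    policy, rules = parse_rules(text)
    for rule in rules:
        if rule.get("-j") != "LOG" and matches(rule, pkt):
            return rule["-j"]
    return policy

# Constructed packets: fetchmail's SYN to local postfix, then postfix's reply.
SYN = {"iface": "lo", "proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1",
       "sport": 40000, "dport": 25, "state": "NEW"}
REPLY = dict(SYN, sport=25, dport=40000, state="ESTABLISHED")
print(verdict(POSTED, SYN), verdict(FIXED, SYN))
```

Every ACCEPT rule in the posted set is bound to `-i eth0`, including the ESTABLISHED,RELATED one, so both directions of the loopback connection fall through to the DROP policy; that is why the fix needs a rule for each direction.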
 
  

