I can surf through my gateway but not send any emails?

paul.nel · 11-27-2004, 04:48 AM

This problem sort appeared out of nowhere. I use my rh9 box as a gateway with a firewall and then surf from my other machines on teh net including some WXP machines and other Linux boxes. For some reason I am not able to send any emails through from any machines other than my gateway? All machines can still surf no problem, just the sendign of email that is an issue?

Any ideas?

p.n

maxut · 11-27-2004, 07:08 AM

please post the outputs of
#/sbin/iptables -nvL
#/sbin/iptables -nvL -t nat

paul.nel · 11-27-2004, 07:16 AM

Here it is:

# /sbin/iptables -nvL

Code:

Chain INPUT (policy ACCEPT 541K packets, 46M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6797 7984K ACCEPT     all  --  ippp0  eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
 6667  543K ACCEPT     all  --  eth0   ippp0   0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
 
Chain OUTPUT (policy ACCEPT 813K packets, 53M bytes)
 pkts bytes target     prot opt in     out     source               destination

#/sbin/iptables -nvL -t nat

Code:

Chain PREROUTING (policy ACCEPT 703 packets, 73479 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain POSTROUTING (policy ACCEPT 6712 packets, 409K bytes)
 pkts bytes target     prot opt in     out     source               destination
  939 60011 MASQUERADE  all  --  *      ippp0   0.0.0.0/0            0.0.0.0/0
 
Chain OUTPUT (policy ACCEPT 7519 packets, 461K bytes)
 pkts bytes target     prot opt in     out     source               destination

maxut · 11-27-2004, 10:07 AM

i thougth your firewall could be block smtp port in FORWARD chain or something could be wrong in other chains, but it seems ok.
just im confused about ippp0. does ifconfig show "ippp0" or "ppp0" ?
but if clients can surf, this musnt be a issue.

sorry no more idea.

good luck.

vald · 11-27-2004, 10:58 AM

may be the problem is MTU of ippp0 - it should be a bit small than ethernet's MTU (1500)... I'm not absolutely sure, but if "ifconfig ippp0" shows you that mtu is smaller than 1500 try this:

iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

paul.nel · 11-27-2004, 11:23 AM

maxut: it's ippp0 'cause it is an ISDN and not a normal dialup modem

vald: MTU is 1500. It had worked in the past, that's what's bugging me.

p.n

vald · 11-27-2004, 12:47 PM

it's seems everything is OK with your gateway...

where is the mail server?
on the gate or outside your LAN?
if the mail server is outside, can you trace with traceroute?
some interestring in the result of ping from the gate... may be ttl=1 or lost packets...

may be it's stupid things, but really have no idea what's the problem, sorry

P.S.: Sorry for my bad english

paul.nel · 11-28-2004, 02:22 AM

I am still not getting anywhere with this problem. I can ping the smtp server from the clients no problem. But everytime I send a message I get the following error message:

Code:

An error occured while sending mail. The mail server responded:
 <email@address.com>: Relay access denied. Please
 verify that your email address is correct in your mail 
Prefrences and try again

?

p.n

vald · 11-28-2004, 07:28 AM

Is this problem appears only on sending?
I think problem is in the relay-access policy on the smtp server, on your gate everything is ok.
May be on the mail server is added header-check, or some other new anti-spam rules... sorry, at the present I'm not familiar with mail servers, just starting reading about postfix

May be the solution is to organize your own smtp-server on the gateway... or... just ask the mail-server administrator for some solution

P.S. Sorry for my bad english

mardanian · 11-28-2004, 09:54 AM

oki im here is a firewall wall script give it a try may be it solves your problem

to run the script do...

chmod +x scriptname

=========

./scriptname
!/bin/bash

# Rules for gateway

#Clear \ Flush all the rules from the different chains and tables

iptables --flush
iptables --flush INPUT #Flush the INPUT chain
iptables --flush OUTPUT #Flush the OUTPUT chain
iptables --flush FORWARD #Flush the FORWARD chain
iptables -t nat --flush #Flush the nat table
iptables -t mangle --flush #Flush the mangle table
iptables --delete-chain #Delete any pre-existing chains
iptables -t nat --delete-chain #Delete any pre-existing chains from nat table
iptables -t mangle --delete-chain #Delete any pre-existing chains from the mangle table

#Setting the default Policies for the chains
iptables --policy INPUT DROP #Setting the default policy for INPUT chain
iptables --policy FORWARD ACCEPT #Setting the default plicy for FORWARD chain
iptables --policy OUTPUT ACCEPT #Setting the default policy for the OUTPUT chain

#Accepting traffic for and to internal interface
iptables -A INPUT -i lo -j ACCEPT #Allowing unlimited loopback traffic
iptables -A OUTPUT -o lo -j ACCEPT #Allowing unlimited loopback traffic

# Using Connection State to By-Pass checking
# Creating the rules
#iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allowing ssh to remote servers

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

## Load FTP module --if iptables are not buildinto the kernel then uncomment the line below
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
########
echo 1 > /proc/sys/net/ipv4/ip_dynaddr #
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians # Disable martians logging
echo 1 > /proc/sys/net/ipv4/ip_forward # Activate the forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Don't respond to broadcast pings
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Disable source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Disable ICMP Redirect Acceptance
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syncookie protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

regards

paul.nel · 11-28-2004, 12:28 PM

OK, it was what most of us suspected in the end. My service provider made some changes to his mail server and that messed me around. Changed the corresponding settings and away I go....

Thanks for all the help.

Cheers
p.n