According to the man page, I should be able to specify multiple protocols with one line.. i.e

$IPTABLES -A INPUT -p ALL --dport 143 -j ACCEPT

However iptables gives me the following error:

However if I write it like

$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 143 -j ACCEPT

It doesn't give errors. I'm trying to troubleshoot an instance where I can't connect to courier-imap on 143 via Outlook Express 6x when the firewall is in place, but I can if I flush all existing rules.

The firewall I currently have in place is

And with it in place I can't reach the courier-imap service via Outlook Express (but I can from a straight telnet window). I've narrowed it down to something in the firewall blocking it, but am stuck there at the moment.

Not all protocols have ports. -p all includes ICMP, which is one of them. That's why --dport (and --sport) option doesn't work with it.

Which port is your Cuourier listening at? Are you sure it's 143?

Well that explains teh dport quirk on the firewall. I'm positive Courier-imap is listing on 143 I can telnet to the host on that port from an outside box and I get the:

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THRE
AD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyr
ight 1998-2004 Double Precision, Inc. See COPYING for distribution information.

Further, if I ssh into the debian box and flush the iptables I can check the mailbox via Outlook Express no problem. If I re-enable my rc.firewall I get the "Your mail server has not responded in 60 seconds" error.

Unblock ICMP for a moment. The error message you get may change to something clearer.

Soon as I do that, I can check it fine with M$ Outlook Express. Now the question is both why does OE require sending an ICMP packet to check IMAP email but not pop3, and how can I allow it access without opening ICMP to everything.