IPTABLES and Port redirections....ARRRGGGGG...Help
Before I left last night I turned off iptables using 'service iptables stop' just to make sure that nothing I had done would affect the server for the morning startup. I came in this morning and cleaned up the iptables file to remove your original OUTPUT line and then entered the new one. Bingo! it seems to work...wait I didn't actually turn ON the iptables yet. Double check with 'service iptables status' and get the message 'Firewall is stopped' WTF!!!
This is starting to make a bit of sense IF something else is running and using the iptables file in /etc/sysconfig for settings. I tried to use a ps command to look for iptables running under some other pid but nothing shows up and I don't appear to be running ipchains but I'm not entirely sure about that. Any idea what I should be looking for???
Right now if I add the last OUTPUT line with the ip addresses it works and if I then remove the line using -D instead of -A the telnet to port 25 of the mailserver does not work. All this and no iptables running according to the status.
???????????????????????????????????????????
Don't get me wrong again, I'm happy that it might be working but I'd REALLY like to understand this before I put it to bed.
Bill
Working but not working is how I'd describe it right now. Now I can see by tcpdump and by getting the actual mail server login that I am redirecting port 25 to port 2525 when it leaves the server but sendmail/postfix does not seem to be working. I can watch as the system checks the email address every couple of minutes using tcpdump but nothing happens when I try to mail a test email. Right now I'm not sure if sendmail is having a problem, maybe I messed it up trying to change its port, or whatever is allowing a telnet session to have its port redirected is for some reason not letting sendmail do it.
I still don't know HOW the port is being redirected in the first place....
On the thought that I might have gummed up postfix somehow I did a flush and a restart to see if maybe I had an email stuck somehow but that didn't seem to work.
Bill
Ok, who do I &$^%%#& to get out of the outfit!!!
What will I see in a ps when iptables is running???
Just to see if something was going on I 'service iptables start' to start up iptables again and promptly lost the ability to telnet to port 2525 on the mail server. I then turned off iptables and still couldn't telnet. I checked the iptables file in /etc/sysconfig and the OUTPUT line was missing. I'm not exactly sure what is happening so I added the line back in and did a 'service iptables save' then I checked the iptables file and there it was. So I tried to telnet to port 25 of the mail server and got a timeout again *&^%*^%********&^*%*^&%*%*%*
Ok, take a deep breath and do a 'service iptables start' and try it again. Now I can telnet to port 25 of the mail server and see by tcpdump that it is going out on 2525. Turn off iptables again and back to a telnet timeout. Turn it on and it works.
I'd swear that someone is messing with me.
I'd doubly swear that iptables was OFF when it first started working earlier.
Even with the port being redirected sendmail/postfix isn't working.
So back to the original question, what exactly will I see running in a ps that uses the /etc/sysconfig/iptables file??? It still feels like something else is running that is conflicting with iptables and I'm almost certain that later on today I'll lose the port redirect again.
God I hate our ISP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You've asked too many different questions.
But first, when you give iptables a new rule with the -A (append) or -I (insert) command, it takes it, but only in memory, and sometimes when you start iptables it reads the default rule set and loses your rule.
To find out whether there are any modules in memory belonging to iptables you can do "lsmod |grep ip".
To find out if iptables is doing its job, the service has to be activated.
I hope it helps
I know about the bit with iptables keeping the rule in memory so I was always doing a 'service iptables save' after I verified that the rule had been accepted.
when I run lsmod I get iptable_nat, ip_conntrack, ip_tables and ipv6
and when I turn off iptables all I get is ipv6.
I still think that something is/was running and conflicting with iptables but I just don't know what.
When I turn off iptables and try a telnet to the mail server I get the half login where I get the mail server telling me who it is then logging me out with a Connection closed by foreign host. If I try the telnet again right away I get a connection timeout. If I restart iptables I'm good again to telnet to the mail server using 25 and seeing it go out on tcpdump as 2525.
I do find it strange that once in a while with iptables off I get a partial login.
All this and I still can't get sendmail/postfix to work.
Is there any reason that the OUTPUT line might be upstream of the packets with regards to postfix?? I mean could the redirection be happening in a way that postfix bypasses it?
Nothing strange at all.
If you stop iptables and do "lsmod |grep ip", you will still see modules in memory; NAT remembers connections through it for some time because the port is the same.
I'm back to Bizarro world, not as bizarro as the last one but still weird.
When I use sendmail I don't see any activity in the tcpdump window I have up, but the /var/log/maillog indicates that the postfix tried to access the mail server and timed out.
Could there be something more I need to use to redirect the incoming connection from the mail server??? When I telnet I see the login so I know it works with telnet but would postfix be different???
in my sendmail.mc and set up the authinfo with the login for the server which worked before so unless I messed up something else when I was trying to get postfix to use 2525 I'm back to being very confused
This seems to have done the trick, now when I use sendmail or use the custom software to send an invoice I see immediate activity on the tcpdump screen for the mail server on port 2525.
Is there any way to put in the mail.mymailserver.com instead of the ip address??? I don't know if our web/email provider changes its ip address but I'd like to be prepared this time.
No, iptables can't resolve it for you; it can use only IPs.
If you know all IP addresses for your server you can add rules for all of them.
Or tell your client to use the IP instead of the URL.
I think you are working off of a bit of wrong info.
I'm not providing an email server. What I'm doing is taking a linux box that runs some custom software and letting it talk to our website/mail server, located on the web, to send and retrieve email for an individual email account. We send an invoice from the custom software to a printer interface I wrote to convert it to a pdf then email it through our external web based email server. No one connects into it to retrieve email, at least not yet
I'm slowly working my way to having an onsite email server but right now I have to work with what I got.
Please pray to or sacrifice to the deity of your choice that this keeps working and I didn't screw up something else during all this.
By the way I did notice that the iptables file is much shorter now, before it had entries for filter and mangle, all set to accept, but for some reason now it just has them for PREROUTING, POSTROUTING and OUTPUT all set to ACCEPT with the additional -A line for the output rule. Not sure why or what that means but there you have it.
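The two points that cost Bill the most time in this thread are that -A/-I only change the in-memory ruleset until 'service iptables save' writes them to /etc/sysconfig/iptables, and that a nat OUTPUT rule holds only IP addresses, so a provider address change silently leaves a rule that matches nothing. The script below is an added example, not code from the thread or from any poster: it builds one port 25 to 2525 DNAT rule per mail-server IP, checks a saved ruleset (in the iptables-save format that the last post describes, nat table only) for those rules, and lists the IPs that still need one. mail.mymailserver.com is the name used in the thread; the 192.0.2.x addresses and the sample ruleset are constructed. resolve_host is only a convenience for a real box; the checks run against the embedded sample.

```shell
#!/bin/sh
# Added example (not from the thread): build the nat-table OUTPUT rules that
# redirect locally originated SMTP traffic (port 25) to port 2525 on the
# external mail server, one rule per server IP, and check a saved ruleset
# (/etc/sysconfig/iptables format) for them. IPs below are constructed.

# resolve_host: print every IPv4 address a hostname currently resolves to.
# iptables accepts a hostname on the command line, but it resolves it once,
# at insertion time, and stores only the IPs; if the provider changes
# address later, the stored rule no longer matches anything.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# dnat_rule: emit the iptables command for one mail-server IP.
dnat_rule() {
    printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport 25 -j DNAT --to-destination %s:2525\n' "$1" "$1"
}

# build_rules: one command per IP given as an argument.
build_rules() {
    for ip in "$@"; do
        dnat_rule "$ip"
    done
}

# has_dnat_rule: read a saved ruleset on stdin; succeed only if it contains
# the port 25 -> 2525 DNAT rule for the IP in $1 (dots escaped for grep -E).
has_dnat_rule() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -qE "^-A OUTPUT .*-d ${esc}(/32)? .*--dport 25 .*-j DNAT --to-destination ${esc}:2525\$"
}

# missing_rules: read a saved ruleset on stdin and print each IP argument
# that has no rule yet, i.e. what must be re-added after an address change.
missing_rules() {
    saved=$(cat)
    for ip in "$@"; do
        printf '%s\n' "$saved" | has_dnat_rule "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample of /etc/sysconfig/iptables after 'service iptables save'
# with only the nat rule loaded (nat table only, as in the last post).
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.0.2.25/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.0.2.25:2525
COMMIT'

# Usage on a real box (needs root): rebuild the rules for every address the
# server currently has, persist them (since -A only touches memory), and
# afterwards compare the saved ruleset against the addresses you expect.
#   build_rules $(resolve_host mail.mymailserver.com) | sh
#   service iptables save
#   iptables-save -t nat | missing_rules 192.0.2.25 192.0.2.26
```

'iptables -t nat -L OUTPUT -n' shows what the kernel is actually using at the moment, which is the quickest way to tell the in-memory state apart from what 'service iptables status' and the saved file report; running missing_rules against 'iptables-save -t nat' output after a provider address change tells you which rule to add before mail starts timing out again.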