Old 02-11-2006, 02:19 PM   #1
Tekorei
Iptables problem sending mails


Hi there

I got this problem sending outgoing mail from my LAN:

Mail log output:
Code:
Feb 11 17:53:50 e2kserver postfix/smtp[5034]: 506D5A803B: to=<recipient@gmail.com>, relay=none, delay=3786, status=deferred (Host or domain name not found. Name service error for name=gmail.com type=MX: Host not found, try again)
I think my /etc/resolv.conf is ok, it looks like this:

Code:
search e2k.com.py
nameserver 200.85.32.2 (ISP DNS Server)
nameserver 200.85.32.3 (ISP DNS Server)
nameserver 127.0.0.1
Something I noticed is that when I stop the iptables service the mails are sent, but when I start the iptables service again it doesn't work.

This is my iptables -L output:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
valid-src  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data

Chain FORWARD (policy DROP)
target     prot opt source               destination
valid-src  all  --  anywhere             anywhere
valid-dst  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
valid-dst  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.0.0/24
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain valid-dst (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             16.0.0.0/4

Chain valid-src (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/8            anywhere
DROP       all  --  ip-72-16-0-0.valornet.com/12  anywhere
DROP       all  --  92.168.0.0/16        anywhere
DROP       all  --  16.0.0.0/4           anywhere
DROP       all  --  40.0.0.0/5           anywhere
DROP       all  --  27.0.0.0/8           anywhere
DROP       all  --  0.0.0.0/8            anywhere
DROP       all  --  anywhere             255.255.255.255
DROP       all  --  169.254.0.0/16       anywhere
What could be wrong?
 
Old 02-11-2006, 02:29 PM   #2
gilead
Can you try running it without the valid-src or valid-dst chains? Since your policy is set to DROP for the INPUT, FORWARD and OUTPUT chains, anything that you haven't ACCEPTed will be dropped anyway.
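
Added example, not part of the thread: a first-match walk over the INPUT chain from post #1, checking what happens to the UDP reply from the resolver listed in resolv.conf. It assumes the leading `ACCEPT all` rule is bound to an interface such as loopback (`iptables -L` without `-v` does not show this), that the `valid-src` jump returns for this source, and that conntrack marks the reply ESTABLISHED; the packets, port 40000 and the extra rule are constructed.

```python
import ipaddress

# INPUT chain as posted in #1 (`iptables -L` output, interface matches not shown).
INPUT_CHAIN = """\
ACCEPT     all  --  anywhere             anywhere
valid-src  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
"""
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "domain": 53, "http": 80, "pop3": 110}

def parse_rule(line):
    f = line.split()
    rule = {"target": f[0], "proto": f[1], "src": f[3], "sport": None, "dport": None, "states": None}
    for i, tok in enumerate(f[5:], start=5):
        key, _, val = tok.partition(":")
        if key in ("spt", "dpt", "spts", "dpts"):  # single port or lo:hi range
            lo, _, hi = val.partition(":")
            lo = int(SERVICES.get(lo, lo))
            rule[key[0] + "port"] = (lo, int(hi) if hi else lo)
        elif tok == "state":
            rule["states"] = set(f[i + 1].split(","))
    return rule

def matches(rule, pkt):
    ports_ok = all(rule[s] is None or rule[s][0] <= pkt[s] <= rule[s][1] for s in ("sport", "dport"))
    src_ok = rule["src"] == "anywhere" or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"])
    state_ok = rule["states"] is None or pkt["state"] in rule["states"]
    return rule["proto"] in ("all", pkt["proto"]) and src_ok and ports_ok and state_ok

def verdict(chain_text, pkt, policy="DROP", iface_bound=(0,)):
    # Assumption: rules in iface_bound have a hidden "-i lo" match; valid-src jumps fall through.
    for n, line in enumerate(chain_text.strip().splitlines()):
        rule = parse_rule(line)
        if n not in iface_bound and rule["target"] in ("ACCEPT", "DROP") and matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed packets: resolver reply to the server's query, and a remote MTA's reply on TCP.
DNS_REPLY = {"proto": "udp", "src": "200.85.32.2", "sport": 53, "dport": 40000, "state": "ESTABLISHED"}
SMTP_REPLY = {"proto": "tcp", "src": "203.0.113.25", "sport": 25, "dport": 40001, "state": "ESTABLISHED"}
# Constructed rule, as `iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` would list.
STATEFUL_ANY = "ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED\n"
print(verdict(INPUT_CHAIN, DNS_REPLY), verdict(INPUT_CHAIN + STATEFUL_ANY, DNS_REPLY))
```

Listing the rules with `iptables -L -v -n` shows the interface columns and numeric addresses, which removes the assumption about the first rule.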
 
Old 02-16-2006, 07:56 PM   #3
Tekorei
I changed the firewall rules following some general indications from tldp.org.

The server now does send outgoing mails, but I can't access any external host on port 25 or 110 through my LAN, or the server itself on port 25/110.

Is there any PREROUTING or POSTROUTING rule that I should add to my iptables to allow my LAN to send outgoing mails?

This is my current iptables -L:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  host33-10.wireless.com.py  host33-10.wireless.com.py tcp spt:smtp
ACCEPT     udp  --  anywhere             host33-10.wireless.com.py udp dpt:domain
ACCEPT     udp  --  host33-10.wireless.com.py  host33-10.wireless.com.py udp spt:domain
ACCEPT     tcp  --  host33-10.wireless.com.py  host33-10.wireless.com.py tcp spt:domain
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:ssh
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp spt:ssh
ACCEPT     tcp  --  anywhere             host33-10.wireless.com.py tcp dpt:smtp
ACCEPT     tcp  --  anywhere             host33-10.wireless.com.py tcp spt:smtp
ACCEPT     tcp  --  anywhere             host33-10.wireless.com.py tcp dpt:pop3
ACCEPT     tcp  --  anywhere             host33-10.wireless.com.py tcp dpt:http
ACCEPT     udp  --  anywhere             host33-10.wireless.com.py udp dpt:domain
ACCEPT     udp  --  host33-10.wireless.com.py  host33-10.wireless.com.py udp spt:domain
ACCEPT     udp  --  inet2.telecel.com.py  host33-10.wireless.com.py udp spt:domain
ACCEPT     tcp  --  host33-10.wireless.com.py  host33-10.wireless.com.py tcp spt:domain
ACCEPT     tcp  --  inet2.telecel.com.py  host33-10.wireless.com.py tcp spt:domain
ACCEPT     tcp  --  host33-10.wireless.com.py  host33-10.wireless.com.py tcp spt:pop3
ACCEPT     tcp  --  anywhere             host33-10.wireless.com.py tcp spt:smtp
ACCEPT     tcp  --  anywhere             host33-10.wireless.com.py tcp spt:ftp
ACCEPT     tcp  --  anywhere             host33-10.wireless.com.py tcp spt:ftp-data
ACCEPT     tcp  --  anywhere             host33-10.wireless.com.py
ACCEPT     all  --  192.168.0.0/24       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  host33-10.wireless.com.py  host33-10.wireless.com.py tcp dpt:smtp
ACCEPT     udp  --  host33-10.wireless.com.py  anywhere            udp spt:domain
ACCEPT     udp  --  host33-10.wireless.com.py  host33-10.wireless.com.py udp dpt:domain
ACCEPT     tcp  --  host33-10.wireless.com.py  host33-10.wireless.com.py tcp dpt:domain
ACCEPT     tcp  --  anywhere             192.168.0.0/24      tcp dpt:ssh
ACCEPT     tcp  --  anywhere             192.168.0.0/24      tcp spt:ssh
ACCEPT     tcp  --  host33-10.wireless.com.py  anywhere            tcp spt:smtp
ACCEPT     tcp  --  host33-10.wireless.com.py  anywhere            tcp dpt:smtp
ACCEPT     tcp  --  host33-10.wireless.com.py  anywhere            tcp spt:pop3
ACCEPT     tcp  --  host33-10.wireless.com.py  anywhere            tcp spt:http
ACCEPT     udp  --  host33-10.wireless.com.py  anywhere            udp spt:domain
ACCEPT     udp  --  host33-10.wireless.com.py  host33-10.wireless.com.py udp dpt:domain
ACCEPT     udp  --  host33-10.wireless.com.py  inet2.telecel.com.py udp dpt:domain
ACCEPT     tcp  --  host33-10.wireless.com.py  host33-10.wireless.com.py tcp dpt:domain
ACCEPT     tcp  --  host33-10.wireless.com.py  inet2.telecel.com.py tcp dpt:domain
ACCEPT     tcp  --  host33-10.wireless.com.py  host33-10.wireless.com.py tcp dpt:pop3
ACCEPT     tcp  --  host33-10.wireless.com.py  anywhere            tcp dpt:smtp
ACCEPT     tcp  --  host33-10.wireless.com.py  anywhere            tcp dpt:ftp
ACCEPT     tcp  --  host33-10.wireless.com.py  anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  host33-10.wireless.com.py  anywhere
ACCEPT     all  --  anywhere             192.168.0.0/24
host33-10.wireless.com.py = my server's host (given by the ISP)
inet2.telecel.com.py = ISP DNS host
 
  

