IPTABLES with SENDMAIL on local machine
I have several services (web, pop, smtp) running on my server and I'm having a hell of a hard time with IPTABLES and Sendmail in particular.
I've been testing a simple IPTABLES configuration, and even though I open port 25 I still cannot telnet to my server on port 25. All the other ports/services seem to work without any problems. I can remove the rule for port 80 and my web site stops working; I add it back in, and it works again. This is my simple config:

    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
    iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

So when I do this everything works except my SMTP on port 25; when I try to telnet to port 25 it just hangs. Then I do an IPTABLES -F and I can telnet to port 25 again. This doesn't make any sense. Is there some other port that I need to open for Sendmail SMTP? With IPTABLES flushed, I telnet to port 25 and do a NETSTAT at the console and all I see is my IP connected on SMTP. I've tried several other iptables configs, and all of them always dropped my SSH connection and I had to reboot the server (this is a virtual host on the internet). This one has gotten me the closest to having a primitive firewall, but only SMTP is not working??? Any ideas? Thanks! Brad
The best way to find out what other traffic is happening is to flush the firewall, start tcpdump in a second window, and connect. The output of tcpdump will show you what's happening.
My first guess would be ident (port 113). If that's the case then it can be turned off in the sendmail.conf file by setting Timeout.ident = 0. Mike
That makes sense, because I just discovered that if I let that telnet sit for about 90 sec it will connect.
Yeah, that ident setting was already in my SENDMAIL config, so that didn't help. I know I'm on the right track, but??
I did the flush and the TCPDUMP. The only thing I see happening immediately after my connection on port 25 is that the server seems to do a reverse DNS lookup on my IP address. It looks like somehow I'm blocking this DNS lookup from happening, although I'm not blocking any outgoing packets with iptables. My statements are all incoming??? Thanks! Brad
DNS would be something else that sendmail needs. Try putting your IP address and hostname in /etc/hosts.
Also adding this to your script would probably help:

    iptables -A INPUT -i lo -j ACCEPT

I assume that you have a policy of ACCEPT on your OUTPUT table. Mike
This VPS that I'm running doesn't have the stateful module installed for iptables. I think that is the main problem.
I went to a simpler config that seems to be working OK for me now.

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -N valid-tcp-flags
    iptables -A INPUT -p tcp -j valid-tcp-flags
    iptables -A OUTPUT -p tcp -j valid-tcp-flags
    iptables -A FORWARD -p tcp -j valid-tcp-flags
    iptables -N valid-source-address
    iptables -A INPUT -p ! tcp -j valid-source-address
    iptables -A INPUT -p tcp --syn -j valid-source-address
    iptables -A FORWARD -p ! tcp -j valid-source-address
    iptables -A FORWARD -p tcp --syn -j valid-source-address
    iptables -N valid-destination-address
    iptables -A OUTPUT -j valid-destination-address
    iptables -A FORWARD -j valid-destination-address
    iptables -A valid-tcp-flags -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,PSH PSH -j DROP
    iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,URG URG -j DROP
    iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A valid-tcp-flags -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A valid-source-address -s 10.0.0.0/8 -j DROP
    iptables -A valid-source-address -s 172.16.0.0/12 -j DROP
    iptables -A valid-source-address -s 192.168.0.0/16 -j DROP
    iptables -A valid-source-address -s 224.0.0.0/4 -j DROP
    iptables -A valid-source-address -s 240.0.0.0/5 -j DROP
    iptables -A valid-source-address -s 127.0.0.0/8 -j DROP
    iptables -A valid-source-address -s 0.0.0.0/8 -j DROP
    iptables -A valid-source-address -d 255.255.255.255 -j DROP
    iptables -A valid-source-address -s 169.254.0.0/16 -j DROP
    iptables -A valid-source-address -s 192.0.2.0/24 -j DROP
    iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 110 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 995 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8443 --sport 1024:65535 -j DROP
    iptables -A INPUT -p tcp --dport 3306 --sport 1024:65535 -j DROP
    iptables -A INPUT -p tcp --dport 1:1023 -j DROP

Thanks! Brad
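As a check on Mike's diagnosis, here is an added example that is not from the thread: a small Python walker that replays packets through a stateless INPUT chain the way a VPS without the conntrack module would, supporting only the matches Brad's rules use. It shows the resolver's DNS reply being dropped by the first ruleset and accepted once the udp --sport 53 rule from the final config sits ahead of the blanket UDP drop; the host addresses are constructed documentation ranges and an ACCEPT chain policy is assumed.

```python
import ipaddress
import shlex

SYN = ({"SYN", "RST", "ACK", "FIN"}, {"SYN"})   # flag mask and required bits behind --syn
PORT = lambda spec, p: int(spec.partition(":")[0]) <= p <= int(spec.partition(":")[2] or spec)
MATCH = {   # option -> predicate(value, packet); only the matches the thread's rules use
    "-p": lambda v, p: p["proto"] == v,
    "-s": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v),
    "-d": lambda v, p: ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(v),
    "--sport": lambda v, p: PORT(v, p["sport"]),
    "--dport": lambda v, p: PORT(v, p["dport"]),
    "--destination-port": lambda v, p: PORT(v, p["dport"]),
    "--syn": lambda v, p: p["proto"] == "tcp" and (p["flags"] & SYN[0]) == SYN[1],
}

def parse(rules):
    """Return [(conds, target)] for the INPUT chain; a cond is (option, value or None)."""
    chain = []
    for line in rules:
        argv = shlex.split(line)[1:]                    # drop the leading 'iptables'
        if argv[:2] == ["-A", "INPUT"]:
            conds, target, i = [], None, 2
            while i < len(argv):
                opt, val = argv[i], None if argv[i] == "--syn" else argv[i + 1]
                if opt == "-j":
                    target = val
                else:
                    conds.append((opt, "0.0.0.0/0" if val == "0/0" else val))
                i += 1 if val is None else 2
            chain.append((conds, target))
    return chain

def verdict(chain, pkt, policy="ACCEPT"):
    """Stateless first-match walk, as on a box without conntrack; no match -> policy."""
    for conds, target in chain:
        if all(MATCH[opt](val, pkt) for opt, val in conds):
            return target
    return policy

FIRST_TRY = [  # Brad's first ruleset (typo fixed, unrelated ports omitted): all UDP dropped
    "iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT",
    "iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP",
    "iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP",
]
DNS_OK = "iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT"  # from the final config
FIXED = FIRST_TRY[:1] + [DNS_OK] + FIRST_TRY[1:]        # DNS replies accepted ahead of the UDP drop

def inbound(proto, sport, dport, flags=()):  # constructed: TEST-NET-2 host -> TEST-NET-3 server
    return {"proto": proto, "src": "198.51.100.53", "dst": "203.0.113.10",
            "sport": sport, "dport": dport, "flags": set(flags)}
```

Calling verdict(parse(FIRST_TRY), inbound("udp", 53, 40000)) returns DROP while the same reply against FIXED returns ACCEPT, which is exactly why Sendmail's reverse lookup stalled until its timeout and the telnet session only connected after about 90 seconds.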