hello,

I have server with firewall , iptables and proxy settings.
The evolution is configured, i can send mail to my gmail account. pop foward is enabled in gmail account but i can't fetch mail from gmail account. In script it is added

#For pop3
$iptables -A INPUT -p tcp --dport 110 -j ACCEPT

showing an error "could not connect to pop.gmail.com, connection time out"
what is the problem?
thanks in advance

Please let us know a little more. The rule you posted will allow packets for POP3 to be received by your firewall, if a previous rule does not cause the packet to be discarded. It would be useful to know what the whole INPUT chain looks like. You can show it with the command Let us suppose that the firewall rule is correct and correctly placed, pending your report on the full chain.

Is Evolution running on the firewall machine or on another one? If it is on another one, have you enabled packet forwarding? What are the rules in the iptables FORWARD chain?

If Evolution is running on the same machine, what does its logfile (perhaps /var/log/maillog) say? Are there error messages there? Are there any lines in the syslog file (/var/log/messages ?)? What distribution and what version of the OS are you running? These details will allow us a better chance of actually diagnosing the trouble with you.

The INPUT table is for incoming connections. You would want to modify the OUTPUT table instead. Change your command to:

iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT

(that's all assuming that your OUTPUT policy is not ACCEPT and that you don't have any other rules preventing this connection. If that's the case, post your entire iptables script so we can investigate further.)

here it is:

#!/bin/sh

SQUID_SERVER="192.168.213.129" # squid server IP

INTERNET="eth0" # Interface connected to Internet
LAN_IN="eth1" # Interface connected to LAN

SQUID_PORT="3128" # Squid port

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -i $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

#for pop3 to download mail

$iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Well, there are a couple of things that I think we should clear up. First of all, we should clear up the question of whether any process could reach pop.gmail.com. From where my systems connect to the internet, this DNS name resolves to 209.85.147.109 and 209.85.147.111 Can you ping either of these addresses and get a response? If so, can you then ping pop.gmail.com and get a response?

From your firewall script, I guess that you will not be able to get the second experiment to work, but that is uncertain, as some systems have automatic ways of punching holes through the firewall for DNS traffic. If you could post the actual rules, rather than the script which generates them, it would be instructive.

Part way down in your script, a comment says that you are going to allow UDP, DNS and passive FTP traffic, but the rule just below that does not do exactly that. It allows packets received in reply to connection requests initiated either on the firewall or on machines on the LAN behind the firewall, and would permit an active FTP as well as a passive FTP connection, if the control channel was set up from behind the firewall or on the firewall machine. I am not entirely sure if it will allow DNS exchanges begun from behind the firewall (these are, in fact, UDP packets).

BTW, since your OUTPUT chain policy is ACCEPT, the rules you have specified for this chain are redundant. The only rules that would have an effect with this policy are ones that REJECT or DROP packets.

If it is possible to resolve the DNS name to an address, and to get a ping response, then I guess it might be time to do a packet trace, looking at packets that have either source or destination port 110 and TCP protocol, so that you can tell whether no packet goes out, or none returns, or one returns and is somehow misdirected.