LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 12-02-2010, 11:21 PM   #1
yoyoman0606
LQ Newbie
 
Registered: Dec 2010
Posts: 8

Rep: Reputation: 0
rules port 25 and port 110


Hi Everyone,

I have set up my CentOS 3.9 proxy server with Shorewall.
However, I failed to send or receive any email in my Outlook Express.
After checking, ports 25 and 110 are blocked by the Shorewall rules.

But I can't figure out where it went wrong.
Can anyone please give me some advice?

Thanks.

Below are the rules.

ACCEPT loc $FW udp 137:139 #samba
ACCEPT loc $FW tcp 137,139 #samba
ACCEPT loc $FW udp 1024: 137 #samba
ACCEPT loc $FW tcp 8080
ACCEPT loc $FW tcp 443
ACCEPT loc $FW tcp 23
ACCEPT loc $FW tcp 10000
ACCEPT loc $FW tcp 20000
ACCEPT loc $FW tcp domain
ACCEPT loc $FW udp domain
ACCEPT loc $FW icmp 8
ACCEPT $FW loc icmp 8
ACCEPT $FW loc udp 137:139 #samba
ACCEPT $FW loc tcp 137,139
ACCEPT $FW loc udp 1024: 137
ACCEPT $FW net tcp www
ACCEPT $FW net tcp https
ACCEPT $FW net tcp domain
ACCEPT $FW net udp domain
ACCEPT $FW net icmp 8
ACCEPT net $FW tcp www
ACCEPT loc net tcp smtp
ACCEPT loc net tcp pop3
ACCEPT loc net icmp 8
ACCEPT loc net tcp - ftp
ACCEPT loc net tcp - ftp-data
ACCEPT loc net tcp ftp
ACCEPT loc net tcp ftp-data
ACCEPT loc net tcp 1723 #VPN
ACCEPT loc $FW tcp 110
ACCEPT loc $FW tcp 25
ACCEPT loc net 47
ACCEPT loc net tcp 1024:
ACCEPT loc net udp 33435:33535 -
ACCEPT loc net tcp 1863
ACCEPT loc net tcp 5000:5001
ACCEPT loc net tcp 5050
ACCEPT loc net tcp 5100
ACCEPT loc net udp 5000:5010
ACCEPT loc net tcp 443
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 443
ACCEPT $FW net tcp 22
ACCEPT net loc tcp 5938 #teamviewer
 
Old 12-04-2010, 12:24 AM   #2
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
Code:
ACCEPT	loc	net	tcp	smtp
ACCEPT	loc	net	tcp	pop3
...
ACCEPT	loc	$FW	tcp	110
ACCEPT	loc	$FW	tcp	25
Pardon my shorewall, I'm beyond rusty. These are the lines that catch my attention. You have 3 locations: loc, net, and $FW. I assume your client is on the loc side and your server is on the net side. If this firewall is protecting the mail server, and your clients are at another location, you'll need to adjust your rules.

Are you sure you're using smtp and pop3? imap, imaps, ssmtp, pop3s use ports 143, 993, 465, 995 respectively. It's also possible that your upstream provider might be blocking port 25. Sometimes you can call them and ask them to open it. If they don't, sometimes you can use port 587 instead.
 
Old 12-06-2010, 09:04 AM   #3
yoyoman0606
LQ Newbie
 
Registered: Dec 2010
Posts: 8

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by gd2shoe
Code:
ACCEPT	loc	net	tcp	smtp
ACCEPT	loc	net	tcp	pop3
...
ACCEPT	loc	$FW	tcp	110
ACCEPT	loc	$FW	tcp	25
Pardon my shorewall, I'm beyond rusty. These are the lines that catch my attention. You have 3 locations: loc, net, and $FW. I assume your client is on the loc side and your server is on the net side. If this firewall is protecting the mail server, and your clients are at another location, you'll need to adjust your rules.

Are you sure you're using smtp and pop3? imap, imaps, ssmtp, pop3s use ports 143, 993, 465, 995 respectively. It's also possible that your upstream provider might be blocking port 25. Sometimes you can call them and ask them to open it. If they don't, sometimes you can use port 587 instead.
Thanks. Your assumption is right. I've got 3 locations.
But I wonder how to adjust my rules?

I'm sure I am using SMTP and POP3 and port 25 and port 110. If I connect my PC to the modem without the proxy, there is no problem with my mail.
So I assume the proxy rules block port 25 and port 110.
 
Old 12-06-2010, 09:56 PM   #4
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
Try :
Code:
telnet smtp.yourmailserver.net 25
helo
quit
This should be a simple conversation between yourself and the mail server. You should get something like this:
Code:
220 smtp.yourmailserver.net ESMTP
helo
250 smtp.yourmailserver.net 
quit
221 smtp.yourmailserver.net 
Connection to host lost.
Then do pop3:
Code:
telnet pop3.yourmailserver.net 110
quit
This should give you something like:
Code:
+OK <12345.0123456789@pop3.yourmailserver.net>
quit
+OK
If these fail, then your firewall is interfering on 25 and/or 110. If these succeed, then the problem is something else.
 
Old 12-06-2010, 09:57 PM   #5
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
Sorry: replace "yourmailserver.net" with the appropriate servers for your email service provider.
 
Old 12-08-2010, 03:09 AM   #6
yoyoman0606
LQ Newbie
 
Registered: Dec 2010
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gd2shoe
Sorry: replace "yourmailserver.net" with the appropriate servers for your email service provider.
I get the same error for both:
Connecting To "mymailserver.net"... could not open connection to the host, on port 25: connect failed.

I'm wondering whether it's possible that some service affecting TCP is not up? I did install Webmin and stopped some of the
actions at boot-up.

Please advise, thanks.
 
Old 12-08-2010, 06:08 AM   #7
teebones
Member
 
Registered: Aug 2005
Location: /home/teebones
Distribution: sometimes this, sometimes that..
Posts: 502

Rep: Reputation: 56
1) Check if it uses 25 and 110! Not all mail servers use the standard ports. Some use 587 and 995
etc. Consult the mail provider (manual/FAQ/support) for the right ports.

2) you could, just for a very short test, try to connect to the server without firewall activated.
(remember to do it very shortly, max 10 sec.) if it then works, it's definitely your machine blocking something (firewall block). If it still doesn't work, it's something else, and not firewall related. (could be a typo of the server name, a problem at their location)
 
Old 12-08-2010, 07:42 PM   #8
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
Ok, so if you connect directly to the modem, you have no problem. If you're behind the firewall, you cannot telnet your mail server on 25/110. That does sound like it's being blocked. (We're still assuming you're indeed using 25/110, and that you could successfully telnet those if you were directly connected.)

This one could be tricky. It would help to give us any and all information you feel comfortable sharing. (This is a firewall, so I can understand some reticence.) Such as:
Code:
ifconfig
cat /etc/shorewall/zones
cat /etc/shorewall/interfaces
cat /etc/shorewall/policy
cat /etc/shorewall/hosts
I don't think there's a problem with your rules (though you probably have too many), but maybe you have your interfaces switched?

Also make sure your internal machine has an IP ("ifconfig") address and route ("route -n"). Let us know if you have a DHCP server setup on your firewall.
 
Old 12-09-2010, 12:49 AM   #9
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,411

Rep: Reputation: 2397
Just FYI, 3.x is out of support at RH https://access.redhat.com/support/po...pdates/errata/, except for those who pay extra for Extended support at RH.
Not sure how this affects Centos clone...
 
Old 12-14-2010, 04:57 AM   #10
yoyoman0606
LQ Newbie
 
Registered: Dec 2010
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gd2shoe
Ok, so if you connect directly to the modem, you have no problem. If you're behind the firewall, you cannot telnet your mail server on 25/110. That does sound like it's being blocked. (We're still assuming you're indeed using 25/110, and that you could successfully telnet those if you were directly connected.)

This one could be tricky. It would help to give us any and all information you feel comfortable sharing. (This is a firewall, so I can understand some reticence.) Such as:
Code:
ifconfig
cat /etc/shorewall/zones
cat /etc/shorewall/interfaces
cat /etc/shorewall/policy
cat /etc/shorewall/hosts
I don't think there's a problem with your rules (though you probably have too many), but maybe you have your interfaces switched?

Also make sure your internal machine has an IP ("ifconfig") address and route ("route -n"). Let us know if you have a DHCP server setup on your firewall.
What is route -n? DHCP server?? I don't think I set it up on my firewall.

Below are my settings.

# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/sh...nterfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect
net eth0 detect



#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT CONNLIMIT:
# LEVEL BURST MASK
loc net REJECT
net all DROP info
ALL all REJECT info



#
# Shorewall version 4 - Hosts file
#
# For information about entries in this file, type "man shorewall-hosts"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
#ZONE HOST(S) OPTIONS
 
Old 12-14-2010, 05:55 PM   #11
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
"ifconfig" shows how the interfaces are setup, including the associated IP addresses.
"route -n" shows how the system's routing table is setup, by IP address.

DHCP is the protocol that automatically assigns IP addresses. Unless you've manually set IP addresses (recommended on your firewall), each machine needs to have a DHCP server on its immediate physical network. That service assigns IP addresses and tells computers where to send data to reach the Internet. Without it, your internal computers might be able to talk to one another if they guess 169.*.*.* addresses, but they won't be able to send data beyond the local area network.

I suggest adding the "routefilter" option to your interface file, line "eth0". This prevents certain attacks, and is included in the Shorewall intro sample.

(You appear to have no rule between loc and net allowing http, yet you have a rule between net and $FW permitting tcp port 80. I'm not sure what you're doing here...)

Things look ok, generally. I have to ask, though, can your client system access the Internet at all when it's behind the firewall? Shorewall could be perfectly fine, but you'll still be offline if you have an IP or DHCP problem. It might be wise to reset the modem when plugging it back into the firewall. (If it's a cable modem, it might be required.)

(part of why I asked for "ifconfig" and "route -n"; you'll also want to check the client machine. If it's running Windows, you'll want "ipconfig" or find the adapter, right click-> status-> support.)
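The reading gd2shoe is doing by eye above (an ACCEPT line for a zone pair wins; if no rule matches, the policy file decides, so loc to net falls through to REJECT) can be checked mechanically. This is an added example, not code from the thread or from Shorewall itself; it evaluates an excerpt of the rules and policy files posted in this thread and assumes the Shorewall 4 column order, with the firewall zone written as $FW exactly as in the posted rules.

```python
"""Decide what the posted Shorewall rules + policy do with one connection (added example).
Assumes Shorewall 4 column order: rules = ACTION SOURCE DEST PROTO DPORT [SPORT],
policy = SOURCE DEST POLICY; the firewall zone is written $FW exactly as in the thread."""
# Excerpt of the rules and policy files posted in this thread (constructed input).
RULES = """
ACCEPT loc $FW tcp 8080
ACCEPT loc net tcp smtp
ACCEPT loc net tcp pop3
ACCEPT loc net tcp - ftp
ACCEPT loc net tcp 1024:
ACCEPT net $FW tcp 80
"""
POLICY = """
loc net REJECT
net all DROP info
ALL all REJECT info
"""
# Service names the rules use, with standard port numbers (assumption: default /etc/services).
SERVICES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443, "domain": 53, "ftp": 21, "ftp-data": 20}

def port_matches(spec, port):
    """Port column: '-' is any; else a comma list of names, numbers, 'lo:hi' or open 'lo:' ranges."""
    if spec == "-":
        return True
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= (int(hi) if hi else 65535):
                return True
        elif port == SERVICES.get(item, int(item) if item.isdigit() else None):
            return True
    return False

def rows(table):
    """Columns of each non-blank, non-comment line of a Shorewall table."""
    return [line.split("#")[0].split() for line in table.splitlines() if line.split("#")[0].strip()]

def decide(src, dst, proto, dport, sport=40000, rules=RULES, policy=POLICY):
    """First matching rule wins; otherwise the first matching policy line ('all'/'ALL' is a wildcard).
    sport defaults to an ephemeral client port, which is what a mail client would use."""
    for cols in rows(rules):
        cols += ["-", "-"]  # pad the optional DPORT / SPORT columns
        if ((cols[1], cols[2], cols[3]) == (src, dst, proto)
                and port_matches(cols[4], dport) and port_matches(cols[5], sport)):
            return cols[0], "rule: " + " ".join(cols[:6])
    for cols in rows(policy):
        if cols[0] in (src, "all", "ALL") and cols[1] in (dst, "all", "ALL"):
            return cols[2], "policy: " + " ".join(cols)
    return "REJECT", "nothing matched"
```

With the posted files, decide("loc", "net", "tcp", 25) and 110 both come back ACCEPT from the smtp/pop3 rules, while tcp/80 from loc to net is REJECTed by the policy line, which is exactly the gap noted above.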
 
Old 12-14-2010, 10:40 PM   #12
yoyoman0606
LQ Newbie
 
Registered: Dec 2010
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gd2shoe
"ifconfig" shows how the interfaces are setup, including the associated IP addresses.
"route -n" shows how the system's routing table is setup, by IP address.

I suggest adding the "routefilter" option to your interface file, line "eth0". This prevents certain attacks, and is included in the Shorewall intro sample.

(You appear to have no rule between loc and net allowing http, yet you have a rule between net and $FW permitting tcp port 80. I'm not sure what you're doing here...)

Things look ok, generally. I have to ask, though, can your client system access the Internet at all when it's behind the firewall? Shorewall could be perfectly fine, but you'll still be offline if you have an IP or DHCP problem. It might be wise to reset the modem when plugging it back into the firewall. (If it's a cable modem, it might be required.)

I actually followed one of my friend's guides. So far, I still don't fully understand which rules are really needed and which are not.
I'm using Squid to allow the specified client IPs to browse the Internet using port 8080, so those clients can browse the Internet perfectly. But Outlook Express fails to download or send mail through ports 25 and 110.

Below are the ifcfg files for eth0 and eth1. From the below, I'm wondering whether I am missing anything else... broadcast???

DEVICE=eth0
BOOTPROTO=static
HWADDR=00:26:5A:EB:60:6C
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=10.170.43.66
USERCTL=no
PEERDNS=yes
GATEWAY=10.170.43.65

DEVICE=eth1
BOOTPROTO=static
HWADDR=00:11:09:18:863
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.0.0
IPADDR=10.1.124.102
USERCTL=no
PEERDNS=yes

thanks
 
Old 12-15-2010, 12:38 AM   #13
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
So your client system can reach the web through a proxy? That's good. Make certain your client system is set to treat the firewall system as its Gateway (i.e. 10.1.124.102). Just because it can reach the firewall doesn't mean that it knows it can find the Internet there.
 
Old 12-15-2010, 01:59 AM   #14
yoyoman0606
LQ Newbie
 
Registered: Dec 2010
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gd2shoe
So your client system can reach the web through a proxy? That's good. Make certain your client system is set to treat the firewall system as its Gateway (ie 10.1.124.102). Just because it can reach the firewall doesn't mean that it knows it can find the Internet there.
Yup, my client can reach the web through the proxy. So, what can I do next? Do you have any idea?
 
Old 12-15-2010, 04:35 AM   #15
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
And... What is the gateway set to on the client? (By the by, what OS is running on the client system?)
 
  

