LinuxQuestions.org - Linux - Security
[iptables]Box closed very well (https://www.linuxquestions.org/questions/linux-security-4/%5Biptables%5Dbox-closed-very-well-500008/)

Wim Sturkenboom 11-09-2006 05:09 AM

[iptables]Box closed very well
 
I'm running a little intranet server (LAMP). Based on some examples that I found floating around on the net, I created the below firewall configuration to seal it. This does not mean that I fully understand how iptables works. Unfortunately the configuration works too well.

My web application needs to act as an smtp-client to a MS exchange server (172.31.212.12 on port 25) so it can send emails.

As far as I understand the below config, port 25 is open for outgoing traffic. So I assume that my problem is in the incoming traffic (replies from the MS exchange server).

Which rule(s) do I need to add so my application can receive the replies? The last line below (bold in the original post) was the one that made sense to me, but it does not work.


Code:

# initial block
iptables -P INPUT DROP
iptables -P FORWARD DROP

# accept anything on localhost
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# allow HTTPS from any machine on 172.*.*.*
iptables -A INPUT -s 172.0.0.0/8 -p tcp --dport 443 -j ACCEPT

# allow SSH from trusted machines
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.31.212.53 -p tcp --dport 22 -j ACCEPT

# allow FTP from trusted machines
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 20 -j ACCEPT
# passive ftp
iptables -A INPUT -s 172.31.212.19 -p tcp --sport 1024:65535 -j ACCEPT

# the rule referred to above (bold in the original post)
iptables -A INPUT -s 172.31.212.12 -p tcp --dport 25 -j ACCEPT


unSpawn 11-09-2006 05:46 AM

If you add "-j LOG" rules before chain decisions are made you get a better view of what fails and why.
Easiest way to start troubleshooting with iptables.

chort 11-09-2006 10:27 AM

I'm not very good with iptables, but your FTP rules appear to be backwards, by the way. The data channel (20) is a connection from the FTP server to the FTP client. It goes in the opposite direction as the command channel (21) and passive FTP data channel. Incidentally, you seem to have opened up traffic to any port with your passive FTP rule (if it's coming from 172.31.212.19). This is probably not what you meant to do. You should modify your FTP server configuration to restrict what port it uses for passive FTP (say, 8000-9000), then only open the firewall for those ports, not everything between 1024 & 65535 (that's effectively pretty much every ephemeral port).

If the other rules work (particularly the HTTPS rule) then you shouldn't need anything to allow return replies that are part of an existing TCP connection. I think your SMTP rule is backwards. My guess is -s = source and what you really want is -d = destination?

By the way, what machine is that firewall on? Is it on your webserver, or on a different machine? Could you do a brief diagram to show us what your network looks like?
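The point made in the reply above, that replies belonging to an existing TCP connection should not need their own rules, is what connection tracking does. The script below is an added example, not code from the thread: it rebuilds the posted policy around `-m conntrack`, so the Exchange server's SMTP replies and DNS answers are accepted by state instead of through `--sport 25` / `--sport 53` rules, pins outbound SMTP with `-d` (destination) rather than `-s`, and ends with a rate-limited LOG rule. The addresses come from the thread; the home LAN mask of /24 (the thread's `172.18.32.0/8` matches all of 172.0.0.0/8), the passive FTP range, and the decision to also default OUTPUT to DROP are assumptions for the example. It runs as a dry run by default and only prints the rules; set `IPTABLES=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: the posted policy rebuilt around
# connection tracking. Replies to connections this box opens (SMTP to the
# Exchange host, DNS lookups) are accepted by state, so no "--sport 25" or
# "--sport 53" holes are needed, and outbound SMTP is pinned with -d.
# Dry run by default: IPTABLES defaults to "echo iptables", so running this
# prints the rules. Run as root with IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Addresses taken from the thread. Assumptions: the home LAN is a /24
# (the thread's 172.18.32.0/8 matches all of 172.0.0.0/8), and the FTP
# server has been configured to use the passive range below.
EXCHANGE=172.31.212.12
SSH_ADMINS="172.31.212.19 172.31.212.53"
HOME_LAN=172.18.32.0/24
FTP_CLIENTS="172.31.212.19 172.18.32.3"
PASV_RANGE=65000:65535

ipt() { $IPTABLES "$@"; }

reset_policy() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

input_rules() {
    # Loopback by interface, so all of 127/8 works, not just 127.0.0.1.
    ipt -A INPUT -i lo -j ACCEPT
    # The rule the thread was missing: packets belonging to connections this
    # host already has (including the Exchange server's SMTP replies).
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Everything below only has to match the first packet of a connection.
    ipt -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
    for host in $SSH_ADMINS; do
        ipt -A INPUT -s "$host" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A INPUT -s "$HOME_LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # FTP: control channel plus the pinned passive data range. If the ftp
    # conntrack helper is active, data connections also match RELATED above
    # and the range rule is only a fallback.
    for host in $FTP_CLIENTS; do
        ipt -A INPUT -s "$host" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
        ipt -A INPUT -s "$host" -p tcp --dport "$PASV_RANGE" -m conntrack --ctstate NEW -j ACCEPT
    done
}

output_rules() {
    # With OUTPUT also DROP, every outbound service must be listed. -d selects
    # the destination, which is what "-s 172.31.212.12 --dport 25" tried to do.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -d "$EXCHANGE" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
}

log_rules() {
    # Rate-limited, prefixed LOG just before the policy drop: greppable in
    # dmesg or the kernel log without flooding it.
    ipt -A INPUT  -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP-IN: "  --log-level 4
    ipt -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP-OUT: " --log-level 4
}

build_ruleset() {
    reset_policy
    input_rules
    output_rules
    log_rules
}

build_ruleset
```

Because LOG is a non-terminating target, a packet that reaches the last rule is logged and then falls through to the chain's DROP policy, so nothing can silently disappear. Note that with OUTPUT defaulting to DROP, anything else the box needs to reach (package mirrors, NTP) must get its own OUTPUT rule.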

Wim Sturkenboom 11-10-2006 03:37 AM

Main problem was that the IP address and dport/sport were incorrect. An additional problem was that DNS lookups were also blocked, so the hostname in the application could not be resolved.

new rule(s):
Code:

iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -s 10.17.131.12 -p tcp --sport 25 -j ACCEPT

The first one is not perfect yet, I must figure out the IP addresses.

@unSpawn
Thanks, it helped once I figured out how to get to the log results.

Outstanding question with regards to logging:
I used dmesg to check the log results. Is there another way? I could not straight away find a relevant logfile although I tried to find files that were modified less than x minutes ago.

@chort
I will look into the ftp issue. Those rules were determined by trial and error and (unfortunately) one stops once it's working (and there might be obsolete stuff in there).
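On where the LOG output ends up: the LOG target writes to the kernel ring buffer, which is what dmesg shows; the system logger (syslogd/rsyslog) also receives those kernel messages and, depending on the distribution, writes them to /var/log/kern.log or /var/log/messages, and on systemd systems `journalctl -k` shows the same lines. Whichever file it is, the lines are hard to read raw. The script below is an added example, not from the thread: it summarises iptables LOG lines by source, protocol and ports, and picks out dropped SYN+ACK packets, which are replies to connections the box itself opened and therefore a direct sign of the missing "established connections" rule. The sample lines are constructed to follow the kernel's LOG format with a made-up prefix; they are not real captures.

```shell
#!/bin/sh
# Added example, not from the thread: summarise iptables LOG output taken from
# dmesg, /var/log/kern.log, /var/log/messages or "journalctl -k".
# The lines below are constructed to look like kernel LOG output for the
# scenario in the thread (the Exchange host's SMTP replies being dropped,
# a DNS answer being dropped, and one unrelated SSH probe).
SAMPLE_LOG='[ 1234.567890] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.31.212.12 DST=172.31.212.40 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3210 DF PROTO=TCP SPT=25 DPT=41022 WINDOW=8192 RES=0x00 ACK SYN URGP=0
[ 1234.567901] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.31.212.12 DST=172.31.212.40 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3211 DF PROTO=TCP SPT=25 DPT=41022 WINDOW=8192 RES=0x00 ACK SYN URGP=0
[ 1240.000000] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.31.212.1 DST=172.31.212.40 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=33445 LEN=64
[ 1250.000000] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=172.31.212.40 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=1 DF PROTO=TCP SPT=55000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# summarize_drops PREFIX: reads log lines on stdin, keeps those carrying PREFIX,
# and prints one tab-separated line per distinct
# (SRC, DST, PROTO, SPT, DPT, TCP flags) with a hit count, most frequent first.
summarize_drops() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = dst = proto = spt = dpt = "-"; flags = ""
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^DST=/)   dst   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^(URG|ACK|PSH|RST|SYN|FIN)$/) flags = flags $i ","
            }
            sub(/,$/, "", flags)
            if (flags == "") flags = "-"
            count[src "\t" dst "\t" proto "\t" spt "\t" dpt "\t" flags]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# dropped_replies PREFIX: only the SYN+ACK entries. A SYN+ACK arriving on INPUT
# is the second step of a handshake this host started, so if it is being
# dropped, the INPUT chain has no rule accepting ESTABLISHED traffic.
dropped_replies() {
    summarize_drops "$1" | awk -F'\t' 'index($7, "SYN") && index($7, "ACK")'
}

# Usage with the constructed sample; on a real box replace the printf with
# e.g.  dmesg | summarize_drops "IPT-DROP:"
printf '%s\n' "$SAMPLE_LOG" | summarize_drops "IPT-DROP:"
printf '%s\n' "$SAMPLE_LOG" | dropped_replies "IPT-DROP:"
```

In the sample, the two SMTP lines collapse into one entry with count 2 and flags ACK,SYN, and the UDP line from SPT=53 is the same story for DNS: both are answers to traffic the server sent, not new inbound connections.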

Wim Sturkenboom 04-23-2008 01:31 AM

I've finally found time to work on the FTP part. Here's just an update; if someone still sees a mistake, feedback is appreciated.

This box is currently in WimS' local network, but the rules are prepared for the office network as well.

Code:


#!/bin/sh

# initial block
################################################################
iptables -P INPUT DROP
iptables -P FORWARD DROP

# accept anything on localhost
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# allow HTTP and HTTPS
# we allow any http(s) request as client addresses occasionally change
#  and users can get in
################################################################
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -j ACCEPT

# allow SSH from trusted machines; each machine needs to be specified
################################################################
# office network
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.31.212.53 -p tcp --dport 22 -j ACCEPT

# WimS' local network
iptables -A INPUT -s 172.18.32.0/8 -p tcp --dport 22 -j ACCEPT

# allow FTP from trusted machines
################################################################
# office network
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 65000:65535 -j ACCEPT

# WimS' local network
iptables -A INPUT -s 172.18.32.3 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 172.18.32.3 -p tcp --dport 65000:65535 -j ACCEPT

# miscellaneous
################################################################
# need to resolve hostname
iptables -A INPUT -p udp --sport 53 -j ACCEPT
# need to receive stuff from rnbm-msg09
iptables -A INPUT -s 10.17.131.12 -p tcp --sport 25 -j ACCEPT

# log anything else
################################################################
iptables -A INPUT -j LOG


