LinuxQuestions.org forum: Linux - Security (security related questions, tips, system compromises, firewalls, etc.)
#1 | 11-03-2009, 02:20 AM | KarlRojero (LQ Newbie, Original Poster)
HELP: iptables configuration for Outlook Express allowing SSL ports 25 and 995
Hello everyone. I hope you can help me with my problem regarding allowing SSL ports 25 and 995 to pass through my iptables.
Here is my current iptables configuration.
Quote:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade and Route
#-A POSTROUTING -o eth1 -j MASQUERADE
#-A POSTROUTING -o eth0 -j MASQUERADE
# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.8 -j SNAT --to xxx.xx.xx.xx
# other desktops allowing only ports 25 and 110 on email
#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 110 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#Allow self access by loopback interface
-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT
# Accept established connections
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# Open HTTP and other ports
# eth1 - public
# eth0 - private
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
-P INPUT DROP
COMMIT
#2 | 11-04-2009, 12:08 AM | KarlRojero (Original Poster)
Anyone?
#3 | 11-04-2009, 09:57 AM | win32sux (LQ Guru)
Have you tried adding a couple lines for those ports in the "Open HTTP and other ports" section?
#4 | 11-04-2009, 08:11 PM | KarlRojero (Original Poster)
Quote:
Originally Posted by win32sux
Have you tried adding a couple lines for those ports in the "Open HTTP and other ports" section?
# Open HTTP and other ports
# eth1 - public
# eth0 - private
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
Ports 25 and 995? Yes, nothing happened.
#5 | 11-04-2009, 08:35 PM | KarlRojero (Original Poster)
Though the post-routed PC can actually telnet to the ports:
#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 110 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx
#6 | 11-04-2009, 08:57 PM | win32sux (LQ Guru)
Wait, I had interpreted this as you wanting to allow connections to this box on ports 25 and 995. That doesn't seem like it's the case now, though. This iptables box is doing NAT, right? So do you want to allow outbound (from LAN to WAN) connections to ports 25 and 995, or do you need to forward inbound connections to hosts on the LAN side? Please clarify.
#7 | 11-04-2009, 10:57 PM | KarlRojero (Original Poster)
Quote:
Originally Posted by win32sux
Wait, I had interpreted this as you wanting to allow connections to this box on ports 25 and 995. That doesn't seem like it's the case now, though. This iptables box is doing NAT, right? So do you want to allow outbound (from LAN to WAN) connections to ports 25 and 995, or do you need to forward inbound connections to hosts on the LAN side? Please clarify.
Hello sir, thank you for replying.
I want my client computers to access ports 25 and 995 only, so that they can download their Outlook Express messages using my proxy as the gateway.
For example:
Private 192.168.1.3, Public IP 202.xx.xx.xx <== This is my proxy PC where my iptables reside; it has a public IP also.
192.168.1.10 <== This is my client computer that uses Outlook Express on port 25 and port 995 SSL. I use 192.168.1.3 as the gateway and I can telnet to ports 25 and 995, but I can't download emails.
I'm thinking it has something to do with iptables and the Outlook thingy.
I'm only allowing ports 25 and 995 to the client to prevent them from using P2P downloaders.
I have no problem downloading in Outlook when I use the BOSS config:
# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx
#8 | 11-04-2009, 11:06 PM | win32sux (LQ Guru)
How many interfaces do you have? Which are LAN and WAN?
#9 | 11-04-2009, 11:15 PM | win32sux (LQ Guru)
In any case, something like this is probably all you need:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.10 -d 202.xx.xx.xx \
-m multiport --dports 25,995 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Just make sure these really are the only packets you want to forward.
Typically people will start with this objective, then realize they need other stuff (such as DNS).
Last edited by win32sux; 11-04-2009 at 11:17 PM.
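An added example, not part of win32sux's post, that pairs the FORWARD DROP policy above with a rate-limited LOG rule and a small log summariser, so you can see which destination ports the restricted client actually attempts before widening the rules (name resolution, the DNS case he warns about, is the usual first one). The interface name eth2, the client 192.168.1.10 from post #7, the documentation addresses in 198.51.100.0/24 and the kernel log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): make the FORWARD DROP policy tell you
# what the restricted client is trying to do before you widen the rules.
# Interface name, client address and the log lines are assumptions
# constructed for this example.

LAN_IFACE="${LAN_IFACE:-eth2}"     # assumed: the restricted-LAN interface
CLIENT="${CLIENT:-192.168.1.10}"   # the Outlook Express client from post #7

# Rule to append at the END of the FORWARD chain, after the ACCEPT rules, so
# it only sees packets the DROP policy is about to discard. Rate-limited so a
# P2P client cannot flood the kernel log.
log_rule() {
    printf 'iptables -A FORWARD -i %s -s %s -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "FWD-DROP " --log-level 4\n' \
        "$LAN_IFACE" "$CLIENT"
}

# Summarise kernel log lines written by that rule as "PROTO DPT COUNT",
# most frequent first. Reads the log from stdin, e.g.
#   grep FWD-DROP /var/log/messages | summarise_drops
summarise_drops() {
    awk '
        /FWD-DROP/ {
            proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/)    proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (proto != "") count[proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1
}

# Constructed sample of what the LOG target writes (not real log data). A
# pattern like this would mean the client can reach the mail ports but its
# DNS queries are being dropped, which is exactly the kind of gap the DROP
# policy makes visible.
SAMPLE_LOG='Nov  5 09:30:01 proxy kernel: FWD-DROP IN=eth2 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=UDP SPT=51001 DPT=53 LEN=40
Nov  5 09:30:03 proxy kernel: FWD-DROP IN=eth2 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=UDP SPT=51002 DPT=53 LEN=40
Nov  5 09:30:07 proxy kernel: FWD-DROP IN=eth2 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=UDP SPT=51003 DPT=53 LEN=40
Nov  5 09:31:15 proxy kernel: FWD-DROP IN=eth2 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.80 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=51004 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0'

# "apply" installs the log rule (needs root); anything else prints the summary
# of the constructed sample so the script can be read and run without root.
if [ "${1:-}" = "apply" ]; then
    eval "$(log_rule)"
else
    printf '%s\n' "$SAMPLE_LOG" | summarise_drops
fi
```

Run it with no arguments to see the summary of the sample (`UDP 53 3` on the first line), or as `sh script.sh apply` on the firewall after the ACCEPT rules are in place. The rule must come after the ACCEPTs and before nothing else: with a DROP policy there is no explicit drop rule to put it in front of.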
#10 | 11-04-2009, 11:18 PM | KarlRojero (Original Poster)
PRIVATE LAN
Boss interface - no restrictions.
Client/ordinary employee interface - ports allowed are 25 and 995 only, but they use Squid for HTTP web browsing.
Both of these interfaces are connected to my proxy server in the private LAN, and they use my proxy server as the gateway to connect outside.
Last edited by KarlRojero; 11-04-2009 at 11:22 PM.
#11 | 11-04-2009, 11:43 PM | win32sux (LQ Guru)
Quote:
Originally Posted by KarlRojero
PRIVATE LAN
Boss interface - no restrictions.
Client/ordinary employee interface - ports allowed are 25 and 995 only, but they use Squid for HTTP web browsing.
Both of these interfaces are connected to my proxy server in the private LAN, and they use my proxy server as the gateway to connect outside.
Okay so you've got three interfaces (two LAN and one WAN). You want packets arriving on one of the LAN interfaces to get forwarded, without restrictions. On the other LAN interface, you want only TCP packets with destination port 25 or 995 (and a specific destination IP) to get forwarded, and you want Squid to handle the rest. Is this correct?
Last edited by win32sux; 11-05-2009 at 12:16 AM.
#12 | 11-05-2009, 12:27 AM | KarlRojero (Original Poster)
Quote:
Originally Posted by win32sux
Okay so you've got three interfaces (two LAN and one WAN). You want packets arriving on one of the LAN interfaces to get forwarded, without restrictions. On the other LAN interface, you want only TCP packets with destination port 25 or 995 (and a specific destination IP) to get forwarded, and you want Squid to handle the rest. Is this correct?
Yes sir, this is correct. I have no problem with Squid handling the two interfaces; I mean both can connect to it.
The LAN interface without restrictions is OK, meaning I can download messages in Outlook.
Quote:
# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx
Hence the other LAN interface with restrictions, which uses ports 25 and 995 only, is the one I have a problem with.
Quote:
#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx
Thank you so much for your patience. I am a newbie to this.
#13 | 11-05-2009, 09:15 AM | win32sux (LQ Guru)
Okay then, this script should get you started (it does everything I described):
Code:
#!/bin/sh
IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN1_IFACE="eth1"   # unrestricted LAN (boss)
LAN2_IFACE="eth2"   # restricted LAN (mail ports and Squid only)
# Default policies: anything not explicitly accepted below is dropped
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
# Traffic addressed to this box: replies, anything from LAN1, only Squid from LAN2
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $LAN1_IFACE -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i $LAN2_IFACE --dport 3128 -m state --state NEW -j ACCEPT
# Traffic routed through this box: replies, everything from LAN1, only 25/995 to the mail server from LAN2
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN1_IFACE -o $WAN_IFACE -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN2_IFACE -o $WAN_IFACE -d 202.xx.xx.xx \
-m multiport --dports 25,995 -m state --state NEW -j ACCEPT
# NAT everything that leaves on the WAN interface
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Last edited by win32sux; 11-05-2009 at 09:21 AM.
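The same three-interface policy as an added example (mine, not the script from the post), rendered as an iptables-restore file so the whole ruleset loads atomically, plus two things the thread says you will run into next: net.ipv4.ip_forward, which the script above does not set, and DNS for the employee LAN, which Outlook Express needs in order to find the mail server by name. The interface names, the mail-server address 203.0.113.25 (standing in for the masked 202.xx.xx.xx) and the resolver 203.0.113.53 are assumptions.

```shell
#!/bin/sh
# Added example, not win32sux's script: the same policy as an iptables-restore
# file, plus ip_forward and a DNS hole for the restricted LAN. Interface
# names, the mail-server address and the resolver address are assumptions.

WAN_IFACE="${WAN_IFACE:-eth0}"
LAN1_IFACE="${LAN1_IFACE:-eth1}"               # boss LAN: unrestricted
LAN2_IFACE="${LAN2_IFACE:-eth2}"               # employee LAN: mail + Squid only
MAIL_SERVER="${MAIL_SERVER:-203.0.113.25}"     # assumed; stands in for 202.xx.xx.xx
DNS_SERVER="${DNS_SERVER:-203.0.113.53}"       # assumed; the resolver the clients are configured with
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the complete ruleset. Chain policies are declared in the file, so
# iptables-restore replaces whatever system-config-securitylevel left behind
# in one step instead of a flush followed by a dozen separate commands.
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# one MASQUERADE on the WAN side replaces the per-host, per-port SNAT lines
-A POSTROUTING -o $WAN_IFACE -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# boss LAN may talk to the box itself (ssh, Squid, anything)
-A INPUT -i $LAN1_IFACE -m state --state NEW -j ACCEPT
# employee LAN reaches only Squid on the box
-A INPUT -i $LAN2_IFACE -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN1_IFACE -o $WAN_IFACE -m state --state NEW -j ACCEPT
# employee LAN: SMTP and POP3S to the mail server only
-A FORWARD -i $LAN2_IFACE -o $WAN_IFACE -p tcp -d $MAIL_SERVER -m multiport --dports 25,995 -m state --state NEW -j ACCEPT
# plus name resolution to one known resolver, or the mail server's name never resolves
-A FORWARD -i $LAN2_IFACE -o $WAN_IFACE -p udp -d $DNS_SERVER --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN2_IFACE -o $WAN_IFACE -p tcp -d $DNS_SERVER --dport 53 -m state --state NEW -j ACCEPT
# anything else from the employee LAN is logged (rate-limited) and dropped by policy
-A FORWARD -i $LAN2_IFACE -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "
COMMIT
EOF
}

# Number of rules (-A lines) in the generated file, for a sanity check.
rule_count() {
    gen_ruleset | grep -c '^-A '
}

# Parse-only check where iptables-restore supports --test; the running tables
# are not touched.
check_ruleset() {
    gen_ruleset | iptables-restore --test
}

# Enable forwarding in the kernel (the script in the thread leaves this to you)
# and load the ruleset. Needs root.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}

case "${1:-print}" in
    print) gen_ruleset ;;
    check) check_ruleset ;;
    apply) apply_ruleset ;;
esac
```

`sh script.sh` prints the ruleset, `sh script.sh check` parses it without loading, and `sh script.sh apply` loads it. The DNS rules are restricted to a single resolver address on purpose: opening port 53 to anywhere would hand the P2P clients the OP is trying to block an easy tunnel.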