LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-03-2009, 02:20 AM   #1
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

HELP: iptables configuration for Outlook Express allowing SSL ports 25 and 995


Hello everyone. I hope you can help me with my problem regarding allowing SSL ports 25 and 995 to pass through my iptables.

Here is my current iptables configuration.

Quote:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Masquerade and Route

#-A POSTROUTING -o eth1 -j MASQUERADE
#-A POSTROUTING -o eth0 -j MASQUERADE

# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.8 -j SNAT --to xxx.xx.xx.xx

# other desktops allowing only ports 25 and 110 on email

#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP

-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 110 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#Allow self access by loopback interface
-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT

# Accept established connections
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset

# Open HTTP and other ports
# eth1 - public
# eth0 - private
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
-P INPUT DROP
COMMIT
 
Old 11-04-2009, 12:08 AM   #2
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Original Poster
Anyone?
 
Old 11-04-2009, 09:57 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Have you tried adding a couple lines for those ports in the "Open HTTP and other ports" section?
 
Old 11-04-2009, 08:11 PM   #4
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Original Poster
Quote:
Originally Posted by win32sux View Post
Have you tried adding a couple lines for those ports in the "Open HTTP and other ports" section?
# Open HTTP and other ports
# eth1 - public
# eth0 - private
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT


The ports 25 and 995? Yes, nothing happened.
 
Old 11-04-2009, 08:35 PM   #5
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Original Poster
Though the postrouted PC can actually telnet to the ports:

#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP

-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 110 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx
 
Old 11-04-2009, 08:57 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Wait, I had interpreted this as you wanting to allow connections to this box on ports 25 and 995. That doesn't seem like it's the case now, though. This iptables box is doing NAT, right? So do you want to allow outbound (from LAN to WAN) connections to ports 25 and 995, or do you need to forward inbound connections to hosts on the LAN side? Please clarify.
 
Old 11-04-2009, 10:57 PM   #7
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Original Poster
Quote:
Originally Posted by win32sux View Post
Wait, I had interpreted this as you wanting to allow connections to this box on ports 25 and 995. That doesn't seem like it's the case now, though. This iptables box is doing NAT, right? So do you want to allow outbound (from LAN to WAN) connections to ports 25 and 995, or do you need to forward inbound connections to hosts on the LAN side? Please clarify.

Hello sir, thank you for replying.

I want my client computer to access ports 25 and 995 only, so that they can download the Outlook Express messages using my proxy as gateway.

For example:

Private 192.168.1.3, Public IP 202.xx.xx.xx <==-- This is my proxy PC where my iptables reside; it also has a public IP.

192.168.1.10 <==-- This is my client computer that uses Outlook Express on ports 25 and 995 (SSL). I use 192.168.1.3 as a gateway and I can telnet to ports 25 and 995, but I can't download emails.

I'm thinking it has something to do with iptables and the Outlook thingy...

I'm only allowing ports 25 and 995 to the client to prevent them from using P2P downloaders.

I got no problem downloading in Outlook when I use the BOSS config:

# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx
 
Old 11-04-2009, 11:06 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

How many interfaces do you have? Which are LAN and WAN?
 
Old 11-04-2009, 11:15 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

In any case, something like this is probably all you need:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.10 -d 202.xx.xx.xx \
-m multiport --dports 25,995 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Just make sure these really are the only packets you want to forward.

Typically people will start with this objective, then realize they need other stuff (such as DNS).

Last edited by win32sux; 11-04-2009 at 11:17 PM.
 
Old 11-04-2009, 11:18 PM   #10
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Original Poster
PRIVATE LAN
Boss interface - No restrictions
Client/Ordinary employee interface - Ports allowed are 25 and 995 only, but they use Squid for HTTP web browsing

Both of these interfaces are connected to my proxy server in the private LAN, in which they use my proxy server as a gateway to connect outside.

Last edited by KarlRojero; 11-04-2009 at 11:22 PM.
 
Old 11-04-2009, 11:43 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by KarlRojero View Post
PRIVATE LAN
Boss interface - No restrictions
Client/Ordinary employee interface - Ports allowed are 25 and 995 only, but they use Squid for HTTP web browsing

Both of these interfaces are connected to my proxy server in the private LAN, in which they use my proxy server as a gateway to connect outside.
Okay so you've got three interfaces (two LAN and one WAN). You want packets arriving on one of the LAN interfaces to get forwarded, without restrictions. On the other LAN interface, you want only TCP packets with destination port 25 or 995 (and a specific destination IP) to get forwarded, and you want Squid to handle the rest. Is this correct?

Last edited by win32sux; 11-05-2009 at 12:16 AM.
 
Old 11-05-2009, 12:27 AM   #12
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Original Poster
Quote:
Originally Posted by win32sux View Post
Okay so you've got three interfaces (two LAN and one WAN). You want packets arriving on one of the LAN interfaces to get forwarded, without restrictions. On the other LAN interface, you want only TCP packets with destination port 25 or 995 (and a specific destination IP) to get forwarded, and you want Squid to handle the rest. Is this correct?
Yes sir, this is correct. I got no problem with Squid handling the two interfaces. I mean both can connect to it.

The LAN interface without restriction is OK, meaning I can download messages in Outlook.

Quote:
# BOSS IP -A POSTROUTING -s PRIVATEIP -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.101 -j SNAT --to xxx.xx.xx.xx

Hence the other LAN interface with restriction, which uses ports 25 and 995 only, is the one I had a problem with.

Quote:
#USER PC -A POSTROUTING -s PRIVATEIP -p tcp --dport 25 -j SNAT --to PUBLICIP
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 25 -j SNAT --to xxx.xx.xx.xx
-A POSTROUTING -s 192.168.1.61 -p tcp --dport 995 -j SNAT --to xxx.xx.xx.xx

Thank you so much for your patience; I am a newbie to this one.
 
Old 11-05-2009, 09:15 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Okay then, this script should get you started (it does everything I described):
Code:
#!/bin/sh

IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN1_IFACE="eth1"
LAN2_IFACE="eth2"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $LAN1_IFACE -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i $LAN2_IFACE --dport 3128 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN1_IFACE -o $WAN_IFACE -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN2_IFACE -o $WAN_IFACE -d 202.xx.xx.xx \
-m multiport --dports 25,995 -m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Last edited by win32sux; 11-05-2009 at 09:21 AM.
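Both of win32sux's scripts (post #9 and the one above) do the restriction in the filter table's FORWARD chain, not in the nat table where the original SNAT rules live. As an added example that is not part of the thread, this small Python evaluator parses the three `-A FORWARD` lines of the script above (interface variables substituted, and the constructed address 202.0.2.25 standing in for the masked 202.xx.xx.xx) and reports which sample packets the chain would forward, including the DNS case post #9 warns about.

```python
import shlex

FORWARD_POLICY = "DROP"   # the script sets: $IPT -P FORWARD DROP

# The script's three FORWARD rules with $*_IFACE substituted (eth0 WAN, eth1
# LAN1, eth2 LAN2); 202.0.2.25 is a constructed stand-in for 202.xx.xx.xx.
RULES = [
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT",
    "-A FORWARD -p TCP -i eth2 -o eth0 -d 202.0.2.25 "
    "-m multiport --dports 25,995 -m state --state NEW -j ACCEPT",
]

KEYS = {"-A": "chain", "-p": "proto", "-i": "in", "-o": "out", "-d": "dst",
        "-j": "target", "--state": "state", "--dports": "dports"}

def parse_rule(text):
    """Turn one `iptables -A` line into a dict of match criteria plus target."""
    toks, rule = shlex.split(text), {}
    for opt, val in zip(toks[0::2], toks[1::2]):
        if opt == "-m":          # extension name only; its options follow
            continue
        key = KEYS[opt]          # KeyError flags syntax this toy does not model
        if key in ("state", "dports"):
            val = set(val.upper().split(","))
        elif key == "proto":
            val = val.upper()
        rule[key] = val
    return rule

def matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    for key in ("proto", "in", "out", "dst"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return "dports" not in rule or str(pkt["dport"]) in rule["dports"]

def verdict(pkt, rules=RULES, policy=FORWARD_POLICY):
    """First matching rule decides, as in a real chain; else the chain policy."""
    for text in rules:
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["target"]
    return policy

def packet(dst, dport, proto="TCP", in_if="eth2", out_if="eth0", state="NEW"):
    # Defaults model the restricted client on LAN2 opening a new connection.
    return {"dst": dst, "dport": dport, "proto": proto.upper(),
            "in": in_if, "out": out_if, "state": state}
```

Only the matches these rules use are modelled (no port ranges, no negation), so a rule outside that subset raises rather than silently mis-evaluating.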
 
  

