LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-06-2004, 10:42 AM   #1
depaul
Member
 
Registered: Jul 2003
Posts: 88

Rep: Reputation: 15
Question iptables


I have 2 network cards in my server. My firewall on eth0 is public and set to high, and I have 2 ports active, 25 and 443. eth1 is trusted on a private network. I have to set an iptables command to make my port 443 on the eth0 public side available to use on the net, and I would like to disable the gateway to the internet. Any suggestions?
 
Old 01-06-2004, 11:02 AM   #2
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
echo 0 > /proc/sys/net/ipv4/ip_forward (put that in rc.local and you will never route again). However, RH8 already has routing disabled.

With iptables just do:

iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
 
Old 01-06-2004, 11:33 AM   #3
depaul
Member
 
Registered: Jul 2003
Posts: 88

Original Poster
Rep: Reputation: 15
Tried it at the root command prompt... no success. I listed the iptables rules... the rule is there... no success.
 
Old 01-09-2004, 07:26 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Quote:
With iptables just do:

iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT


That would merely add the rule to the end of the list.
There are more than likely earlier rules which divert that traffic before the last rule... (esp with LOKKIT)

This rule belongs in a proper place... but without knowing the previous rules or what you used to make the rules with, you will have to experiment putting them 1st or lower and in the chain that is compatible with your existing rules...

To list the current rules on the screen, do iptables-save
 
Old 01-12-2004, 01:17 PM   #5
depaul
Member
 
Registered: Jul 2003
Posts: 88

Original Poster
Rep: Reputation: 15
Here is the detail of my iptables rules... do you know where and how to add the rule?

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- dns.clmginc.com anywhere udp spt:domain
ACCEPT udp -- dns3.videotron.net anywhere udp spt:domain
ACCEPT udp -- ns3.bellglobal.com anywhere udp spt:domain
REJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable
 
Old 01-12-2004, 01:52 PM   #6
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
Use lokkit to modify the ruleset.


lokkit is the firewall configuration tool of Red Hat Linux. Personally I don't like it, I prefer using the CLI to create the iptables rules... but it's not a bad tool.
 
Old 01-12-2004, 01:59 PM   #7
depaul
Member
 
Registered: Jul 2003
Posts: 88

Original Poster
Rep: Reputation: 15
I did try the lokkit. It's working fine if I am on my subnet; if external, I am rejected...

Last edited by depaul; 01-12-2004 at 02:00 PM.
 
Old 01-12-2004, 02:58 PM   #8
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
Well, probably because you are using two different NICs. Try adding a similar rule for the other interface.
 
Old 01-12-2004, 03:59 PM   #9
depaul
Member
 
Registered: Jul 2003
Posts: 88

Original Poster
Rep: Reputation: 15
I tried another thing:
I removed all firewall rules with lokkit on both NICs.
I have the same problem... can't connect from the internet, only on my subnet.
I did check if the firewall is active... nope, all ports are visible (firewall rules for 443 and 25 only).
Port 25 is sending only to the internet... no receiving...

Any suggestions?

Last edited by depaul; 01-12-2004 at 04:03 PM.
 
Old 01-12-2004, 06:24 PM   #10
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
OK, please post here the output of iptables-save (or iptables -nL) and the output of netstat -l.

I don't understand what you want to do.

The problems you are having are really hard to solve without a testing environment...

Is anything listening on port 25 or 443?

Are you sure you aren't working over port 80, or 8080? Some systems are configured to do https on port 8080 or even on port 80 (if they don't use http).

Now... I think your problem is somewhere else with port 25. What MTA are you using?
 
Old 01-13-2004, 09:10 AM   #11
depaul
Member
 
Registered: Jul 2003
Posts: 88

Original Poster
Rep: Reputation: 15
Hello,

Ciccio, at your request here is the info: iptables -nL and netstat -l

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 207.96.251.194 0.0.0.0/0 udp spt:53
ACCEPT udp -- 205.151.222.250 0.0.0.0/0 udp spt:53
ACCEPT udp -- 198.235.216.130 0.0.0.0/0 udp spt:53
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp reject-with icmp-port-unreachable

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 localhost:32769 *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 localhost:783 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
udp 0 0 *:32768 *:*
udp 0 0 *:659 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:631 *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 3212 /tmp/ssh-XX7380xB/agent.2944
unix 2 [ ACC ] STREAM LISTENING 2903 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 3023 /tmp/.gdm_socket
unix 2 [ ACC ] STREAM LISTENING 2799 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 3033 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 3326 /tmp/.ICE-unix/2944
unix 2 [ ACC ] STREAM LISTENING 3373 /tmp/.fam_socket
unix 2 [ ACC ] STREAM LISTENING 3243 /tmp/orbit-mailadmin/linc-b80-0-38f04c664383c
unix 2 [ ACC ] STREAM LISTENING 3336 /tmp/orbit-mailadmin/linc-bb2-0-33e31c7fca2dc
unix 2 [ ACC ] STREAM LISTENING 3235 /tmp/orbit-mailadmin/linc-bb0-0-2bac536035b8c
unix 2 [ ACC ] STREAM LISTENING 3357 /tmp/orbit-mailadmin/linc-bb4-0-38f04c66f3ac6
unix 2 [ ACC ] STREAM LISTENING 3444 /tmp/orbit-mailadmin/linc-bc1-0-46b8af6b26bec
unix 2 [ ACC ] STREAM LISTENING 3474 /tmp/orbit-mailadmin/linc-bc9-0-437c2f669998e
unix 2 [ ACC ] STREAM LISTENING 3492 /tmp/orbit-mailadmin/linc-bc5-0-437c2f66b074c
unix 2 [ ACC ] STREAM LISTENING 3517 /tmp/orbit-mailadmin/linc-bc7-0-310a7eb1467eb
unix 2 [ ACC ] STREAM LISTENING 3534 /tmp/orbit-mailadmin/linc-bcc-0-310a7eb1609ff
unix 2 [ ACC ] STREAM LISTENING 3662 /tmp/orbit-mailadmin/linc-bd7-0-16ac2de9345e6
unix 2 [ ACC ] STREAM LISTENING 3692 /tmp/orbit-mailadmin/linc-bd0-0-16ac2de9c627a
unix 2 [ ACC ] STREAM LISTENING 3730 /tmp/orbit-mailadmin/linc-bd9-0-58b344e4c6461

I want to use SquirrelMail on https over the internet and smtp to relay mail.

I nmap my public address: smtp 25 and https 443 are visible.
My local address is trusted, so all ports are visible.

Last edited by depaul; 01-13-2004 at 09:12 AM.
 
Old 01-13-2004, 09:52 AM   #12
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
Thought so. You have nothing listening on port 443 (https). About port 25... well, now this is most likely a configuration problem of both the http daemon and the smtp daemon. What are you using in each case?
 
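The chain walk peter_robb describes in #4 and the "nothing listening on 443" verdict in #12 can both be checked offline against the listings depaul posted. The script below is an added example, not code from the thread or from Lokkit: it replays a packet through the filter table with the kernel's first-match semantics (a user chain that falls through returns to the chain that jumped to it, a built-in chain applies its policy) and then cross-checks the verdict against the netstat -l output. The ruleset is an assumed iptables-save reconstruction of the iptables -nL listing in #11: plain iptables -L does not display interface matches, so the two bare "ACCEPT all" lines are assumed to be Lokkit's loopback (-i lo) and trusted-device (-i eth1) rules, and the sending host 198.51.100.7 is a made-up address. The netstat lines are copied from #11, with service names mapped to ports the way /etc/services does.

```python
# Added example, not code from the thread: replay a packet through the posted
# ruleset with first-match semantics and check whether anything listens.
# Assumed iptables-save reconstruction of the iptables -nL listing in post #11.
# Plain `iptables -L` hides interface matches, so the two bare "ACCEPT all"
# lines are assumed to be Lokkit's "-i lo" and trusted-device "-i eth1" rules.
FILTER_RULES = """\
-A INPUT -j RH-Lokkit-0-50-INPUT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 207.96.251.194 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
"""
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

# Listening sockets copied from the netstat -l output in post #11 (subset),
# with service names mapped to ports the way /etc/services does.
NETSTAT_L = """\
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
"""
SERVICES = {"https": 443, "smtp": 25, "ssh": 22, "ipp": 631, "sunrpc": 111}

def parse_rules(text):
    """{chain: [rule, ...]} from the -A lines, in iptables-save order."""
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "-A":
            continue
        rule, i = {}, 2
        while i < len(tok):
            if tok[i] in ("-i", "-p", "-s", "--dport", "--sport", "-j"):
                rule[tok[i]] = tok[i + 1]
                i += 2
            elif tok[i] == "--tcp-flags":       # mask, then the flags that must be set
                rule["mask"], rule["comp"] = (set(tok[i + j].split(",")) for j in (1, 2))
                i += 3
            else:                               # -m tcp, --reject-with X: no match effect
                i += 2
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """Every match the rule carries must hold; a rule with none matches everything."""
    return (rule.get("-i", pkt["iface"]) == pkt["iface"]
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and rule.get("-s", pkt["src"]) == pkt["src"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
            and int(rule.get("--sport", pkt["sport"])) == pkt["sport"]
            and ("mask" not in rule or (pkt["flags"] & rule["mask"]) == rule["comp"]))

def walk(chains, chain, pkt, trace):
    """First match wins; a user chain falling through returns to its caller."""
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        trace.append(f"{chain}:{n} -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        verdict = walk(chains, target, pkt, trace)   # jump into the user chain
        if verdict is not None:
            return verdict
    if chain in POLICY:                               # built-in chain: apply policy
        trace.append(f"{chain} policy {POLICY[chain]}")
        return POLICY[chain]
    return None                                       # implicit RETURN

def firewall_verdict(proto, dport, iface="eth0", flags=("SYN",)):
    """Verdict and rule trace for a packet from the made-up host 198.51.100.7."""
    pkt = {"iface": iface, "proto": proto, "src": "198.51.100.7",
           "dport": dport, "sport": 40000, "flags": set(flags)}
    trace = []
    return walk(parse_rules(FILTER_RULES), "INPUT", pkt, trace), trace

def listeners(text):
    """{(proto, port): bound address} for each listening socket in netstat -l."""
    bound = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] in ("tcp", "udp"):
            addr, _, name = tok[3].rpartition(":")
            port = SERVICES.get(name, int(name) if name.isdigit() else None)
            if port is not None:
                bound[(tok[0], port)] = addr
    return bound

def diagnose(proto, port, iface="eth0"):
    """(firewall verdict, 'external' | 'loopback-only' | 'none') for one service."""
    verdict, _ = firewall_verdict(proto, port, iface)
    addr = listeners(NETSTAT_L).get((proto, port))
    if addr is None:
        return verdict, "none"
    return verdict, ("external" if addr in ("*", "0.0.0.0", "::") else "loopback-only")

if __name__ == "__main__":
    for proto, port in (("tcp", 443), ("tcp", 25), ("tcp", 22), ("tcp", 631)):
        verdict, trace = firewall_verdict(proto, port)
        print(f"{proto}/{port}: {verdict} via {' > '.join(trace)}; listener {diagnose(proto, port)[1]}")
```

In this model tcp/443 from eth0 is ACCEPTed at RH-Lokkit-0-50-INPUT rule 1 and there is no listener: the firewall is not what blocks the connection, and a SYN to a port with no listener is answered by the kernel with a RST, which nmap reports as closed rather than filtered. The rule Ciccio suggested in #2, appended to INPUT after the jump, is only reached for a packet the Lokkit chain does not decide (a bare ACK to 443, for instance), which is the ordering problem #4 warns about: a rule that must take precedence goes in with -I at the front of the chain that actually decides, and iptables-save or iptables -nvL shows the interface matches that -L omits.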
Old 01-13-2004, 10:05 AM   #13
depaul
Member
 
Registered: Jul 2003
Posts: 88

Original Poster
Rep: Reputation: 15
I agree, but... I need help... Apache on port 443 and sendmail for 25...
 
Old 01-13-2004, 01:02 PM   #14
Ciccio
Member
 
Registered: Nov 2002
Location: Paraguay
Distribution: Mandrake 10
Posts: 573

Rep: Reputation: 30
OK, I do not use Apache with SSL support, but here[apache-ssl.org] is a good place to start.

About SquirrelMail... well, the documentation is good... and it's also on their homepage.

I am really sorry, but I cannot help you with the configuration of either server. So I suggest you read older threads here or start a new one dedicated to that.
 
Old 01-13-2004, 02:14 PM   #15
depaul
Member
 
Registered: Jul 2003
Posts: 88

Original Poster
Rep: Reputation: 15
No one knows... probably no choice... go back to Microsoft Exchange... more expensive but less headache...
 
  

