LinuxQuestions.org
Old 03-22-2006, 03:10 AM   #1
novice06
Iptables and Mail function


Hi,

I set up my iptables firewall.
Before setting up the firewall, my Red Hat 9 server was serving email with Qmail. All worked properly.
The other is our customized program, written in PHP, which uses the PHP mail function. All worked properly.

With the iptables service down, email can be sent out and received.
With the iptables service on, email can't be sent out.

I checked my iptables ports; smtp and pop3 are open.

I can't activate my iptables firewall because of that.

Here is my iptables output:

[root@localhost user]# /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
LOG_ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
LOG_ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:783
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:15883
ACCEPT all -- localhost.localdomain anywhere
icmp_packets icmp -- anywhere anywhere
LOG_DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:783
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:15883
ACCEPT all -- anywhere localhost.localdomain
icmp_packets icmp -- anywhere anywhere
LOG_DROP all -- anywhere anywhere

Chain LOG_ACCEPT (2 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `[IPTABLES ACCEPT] : '
ACCEPT all -- anywhere anywhere

Chain LOG_DROP (2 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] : '
DROP all -- anywhere anywhere

Chain icmp_packets (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- my ip anywhere icmp echo-request
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded


If anything is wrong, please advise me.

Thanks,
novice06
 
Old 03-22-2006, 05:44 PM   #2
Capt_Caveman
Do you get any log messages appearing in the system logs? Your LOG_DROP chain should be producing log messages if packets are being dropped.

From what you've posted your rules look ok, but it would probably help to see the full ruleset (either post the output of iptables -vnL or the contents of iptables-save > firewall.rules). Mask any public IP addresses.
 
Old 03-22-2006, 08:13 PM   #3
novice06
Thanks Capt_Caveman

Hi,

I saw logs of the dropped packets.
What I posted first was the output of the command # iptables -L
Now I post my firewall script.


*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT

*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT


*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
#-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
#A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15883 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
#A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 15883 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP

-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP

-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT


-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s my online ip -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT

Please send me any suggestion.
Thanks for your previous suggestion.

Yours,
novice06
 
Old 03-22-2006, 09:17 PM   #4
Capt_Caveman
Could you post some of the messages from the logs? I think the problem might have to do with certain local traffic over the loopback adapter being blocked. Not all traffic over loopback has a source of 127.0.0.1 which can sometimes cause problems. I'm not sure without seeing the log msgs though.
 
Old 03-22-2006, 10:17 PM   #5
novice06
Iptables

Hi,

These are the iptables logs.

Mar 22 15:39:07 localhost kernel: [IPTABLES DROP] : IN= OUT=eth0 SRC=my online ip(not local loopback) DST=202.157.163.157 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=60621 DF PROTO=UDP SPT=32930 DPT=53 LEN=53
Mar 22 15:39:10 localhost kernel: [IPTABLES DROP] : IN= OUT=eth0 SRC=my online ip(not local loopback) DST=202.157.131.118 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=60969 DF PROTO=UDP SPT=32930 DPT=53 LEN=53
Mar 22 15:40:01 localhost kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:ed:58:4b:84:08:00 SRC=202.172.235.15 DST=202.172.235.63 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29207 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 22 15:40:02 localhost kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:ed:58:4b:84:08:00 SRC=202.172.235.15 DST=202.172.235.63 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29225 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 22 15:40:02 localhost kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:ed:58:4b:84:08:00 SRC=202.172.235.15 DST=202.172.235.63 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29240 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 22 15:40:03 localhost kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:12:3f:73:ae:d4:08:00 SRC=202.172.235.36 DST=202.172.235.63 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=4550 PROTO=UDP SPT=138 DPT=138 LEN=209
Mar 22 15:40:34 localhost kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:18:c2:d4:4b:08:00 SRC=202.172.235.12 DST=202.172.235.63 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=39941 PROTO=UDP SPT=138 DPT=138 LEN=209
Mar 22 15:40:37 localhost kernel: [IPTABLES DROP] : IN= OUT=eth0 SRC=my ip again DST=202.157.163.157 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=4144 DF PROTO=UDP SPT=32930 DPT=53 LEN=35

Please send me your suggestion.
Thanks for your instant suggestion.

novice06
 
Old 03-22-2006, 10:29 PM   #6
Capt_Caveman
Looks like you are dropping outgoing DNS lookups. Try allowing outgoing UDP traffic on port 53 (you already have a rule for it, but it's commented out).
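As an added diagnostic (not code from the thread): a small Python parser for the [IPTABLES DROP] log lines posted above that groups drops by direction, protocol and destination port, so the outbound UDP/53 drops (the DNS lookups the mail server needs to find MX records) stand out from the inbound NetBIOS broadcast noise on ports 137/138. The sample lines are constructed from the posted ones, with the poster's masked address replaced by the documentation placeholder 192.0.2.10.

```python
import re

# Constructed sample built from the thread's log lines; 192.0.2.10 is a
# placeholder for the poster's masked public address.
SAMPLE_LOG = """\
Mar 22 15:39:07 localhost kernel: [IPTABLES DROP] : IN= OUT=eth0 SRC=192.0.2.10 DST=202.157.163.157 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=60621 DF PROTO=UDP SPT=32930 DPT=53 LEN=53
Mar 22 15:40:01 localhost kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:ed:58:4b:84:08:00 SRC=202.172.235.15 DST=202.172.235.63 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29207 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 22 15:40:37 localhost kernel: [IPTABLES DROP] : IN= OUT=eth0 SRC=192.0.2.10 DST=202.157.163.157 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=4144 DF PROTO=UDP SPT=32930 DPT=53 LEN=35
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the key=value fields after the '[IPTABLES DROP] :' prefix as a dict,
    or None for lines that are not firewall drop messages."""
    m = re.search(r"\[IPTABLES DROP\] : (.*)$", line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group(1)):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def summarize_drops(log_text):
    """Count dropped packets by (direction, proto, dport).
    An empty IN= field means the packet was generated locally (OUTPUT chain)."""
    counts = {}
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        direction = "OUT" if f.get("IN") == "" else "IN"
        key = (direction, f.get("PROTO"), f.get("DPT"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def blocked_dns(log_text):
    """True if the host's own DNS queries (outbound UDP/53) are being dropped,
    which is what stops a mail server from resolving remote MX records."""
    return any(k == ("OUT", "UDP", "53") for k in summarize_drops(log_text))


if __name__ == "__main__":
    for key, n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(key, n)
    print("outbound DNS blocked:", blocked_dns(SAMPLE_LOG))
```

Run it against a real /var/log/messages extract (grep for the "[IPTABLES DROP]" prefix first) to see which outbound ports the OUTPUT DROP policy is silently killing before opening any of them.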
 
Old 03-22-2006, 10:41 PM   #7
novice06
Thanks Capt_Caveman

Thanks a lot,

Your suggestion was exactly the problem.
Now my problem is settled.

novice06
 
Old 03-22-2006, 11:07 PM   #8
Capt_Caveman
Glad I could help.
 
Old 03-23-2006, 12:28 AM   #9
novice06
question again

Hi Capt_Caveman,

After successfully configuring iptables with your suggestion, I got a request from our ISP to open access for their network management server.

So, I added one line. Is this correct?
-A icmp_packets -s my online ip -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -s ISP ip -p icmp -m icmp --icmp-type 8 -j ACCEPT

Thanks,
novice06
 
Old 03-23-2006, 03:48 AM   #10
novice06
ok

Hi,

Sorry for all the questions. I have now tested and installed the one line.
It's OK.

Thanks,
novice06
 