LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 01-29-2008, 05:35 PM   #1
kaplan71
Member
 
Registered: Nov 2003
Posts: 808

Rep: Reputation: 39
Problem Connecting to IMAP and SMTP server through iptables firewall


Hi there --

I have a server running IMAP and SMTP that has the iptables firewall running on it. I set up within a script that activates and configures the firewall several exceptions for inbound and outbound IMAP and SMTP traffic. A 'sanitized' version of the script is shown below:

Code:
#!/bin/sh

IPTABLES=/sbin/iptables

### flush existing rules and set chain policy to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Create blacklist chains
# A chain has to be created via -N before you can jump to it with -j
$IPTABLES -N BLACKIN
$IPTABLES -N BLACKOUT

# NOTE: The system will not be used for routing, so the syntax '-i eth0'
# will not be used. Also, the loopback address can be used to connect to
# local services.

##### INPUT chain ######
# 
echo "[+] Setting up INPUT chain..."

# Check blacklist before doing anything
$IPTABLES -A INPUT -j BLACKIN

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT RULES
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
### Accept connections to ports 80 and 443
$IPTABLES -A INPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
### Accept connections to ports 25 and 110
$IPTABLES -A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 --syn -m state --state NEW -j ACCEPT
### Accept connections from <ip address># Make sure to include these entries in the OUTPUT chain.
$IPTABLES -A INPUT -p icmp -s <ip address>-j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5666 -s <ip address>-j ACCEPT
$IPTABLES -A INPUT -p udp --dport 5666 -s <ip address>-j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -s <ip address>-j ACCEPT
$IPTABLES -A INPUT -p udp --dport 22 -s <ip address>-j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -s <ip address>-j ACCEPT
$IPTABLES -A INPUT -p udp --dport 25 -s <ip address>-j ACCEPT

### default INPUT log rule
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP" --log-ip-options --log-tcp-options

##### OUTPUT chain #####
#
echo "[+] Setting up OUTPUT chain..."

# Check blacklist
$IPTABLES -A INPUT -j BLACKOUT

### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 110 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -d <ip address>-j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 5666 -d <ip address>-j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 5666 -d <ip address>-j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -d <ip address>-j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 22 -d <ip address>-j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 -d <ip address>-j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 25 -d <ip address>-j ACCEPT 

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

# Note: Not fowarding any packets, so chain can be empty
##### FORWARD chain #####
#
echo "[+] Setting up FORWARD chain..."

# Maybe not a bad idea to leave the log rule in for the FORWARD chain
# IF you ever see packets from here, there's something up (new config perhaps?)
### default LOG rule
$IPTABLES -A FORWARD -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

##### BLACKLIST chains #####
#
echo "[+] Setting up Blacklist..."

# The BLACKIN chain detects incoming packets from naughty sources.
# NOTE that specifying protocol (-p), destination (-d), or interface (-i)
# is pointless as you should want to drop packets from these sources
# NO MATTER WHAT (and in most cases, dest and int will always be true).
$IPTABLES -A BLACKIN -s <ip address> -j DROP
# If a packet hasn't matched the above and gotten dropped execution
# will jump back into INPUT chain and continue processing.
# Add to list as necessary

# The BLACKOUT chain detects outgoing packets to bad sources.
# Pretty much the same as BLACKIN, just in the opposite direction
# (-d instead of -s)
$IPTABLES -A BLACKOUT -d <ip address> -j DROP
# Add to list as necessary

exit
### EOF ###
When the firewall is activated, users trying to connect to the server via their respective e-mail clients get timeout messages which appear to point to port 110 which is the IMAP server. Does anyone have any ideas as to why this happening, and how I can correct it? Thanks.
 
Old 01-30-2008, 11:15 AM   #2
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
imapd - IMAP server process
http://linux.die.net/man/8/imapd

Quote:
-T timeout

The number of seconds that the process will wait for a new
connection before shutting down. Note that a value of 0
(zero) will disable the timeout. The default is 60.
 
Old 01-30-2008, 03:48 PM   #3
kaplan71
Member
 
Registered: Nov 2003
Posts: 808

Original Poster
Rep: Reputation: 39
Hi there --

Thanks for your reply. We are using the dovecot IMAP server on the system in question. I checked the dovecot man page, and there was no option listed for timeout.

Is there one for dovecot, or do I need to come up with a different solution?
 
Old 01-31-2008, 08:30 AM   #4
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Dovecot 0.99.14 IMAP Server on RedHat Linux 9
http://www.xenocafe.com/tutorials/li...rver/index.php

Quote:
Your remote system will timeout while attempting to
connect to your IMAP server if it can't get to port 143.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Setting up an SMTP/IMAP mail server. swamprat SUSE / openSUSE 2 06-15-2007 09:02 AM
most prefered mail server (pop/imap) and smtp cope Linux - Server 2 04-04-2007 09:15 AM
Can't get to IMAP server through iptables firewall/router matthanley Linux - Networking 0 05-05-2004 07:09 PM
IMAP & SMTP running on a server htm Linux - Software 2 03-25-2004 07:42 PM
email server setup (IMAP/SMTP) xaxol Linux - Networking 25 10-04-2003 02:33 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 04:41 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration