Hi there --
I have a server running IMAP and SMTP that has the iptables firewall running on it. Within a script that activates and configures the firewall, I set up several exceptions for inbound and outbound IMAP and SMTP traffic. A 'sanitized' version of the script is shown below:
Code:
#!/bin/sh
IPTABLES=/sbin/iptables
### flush existing rules and set chain policy to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Create blacklist chains
# A chain has to be created via -N before you can jump to it with -j
$IPTABLES -N BLACKIN
$IPTABLES -N BLACKOUT
# NOTE: The system will not be used for routing, so the syntax '-i eth0'
# will not be used. Also, the loopback address can be used to connect to
# local services.
##### INPUT chain ######
#
echo "[+] Setting up INPUT chain..."
# Check blacklist before doing anything
$IPTABLES -A INPUT -j BLACKIN
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT RULES
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
### Accept connections to ports 80 and 443
$IPTABLES -A INPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
### Accept connections to ports 25 and 110
$IPTABLES -A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 --syn -m state --state NEW -j ACCEPT
### Accept connections from <ip address>
# Make sure to include these entries in the OUTPUT chain.
$IPTABLES -A INPUT -p icmp -s <ip address> -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5666 -s <ip address> -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 5666 -s <ip address> -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -s <ip address> -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 22 -s <ip address> -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -s <ip address> -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 25 -s <ip address> -j ACCEPT
### default INPUT log rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
##### OUTPUT chain #####
#
echo "[+] Setting up OUTPUT chain..."
# Check blacklist
$IPTABLES -A OUTPUT -j BLACKOUT
### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 110 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -d <ip address> -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 5666 -d <ip address> -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 5666 -d <ip address> -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -d <ip address> -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 22 -d <ip address> -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 -d <ip address> -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 25 -d <ip address> -j ACCEPT
### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
# Note: Not forwarding any packets, so chain can be empty
##### FORWARD chain #####
#
echo "[+] Setting up FORWARD chain..."
# Maybe not a bad idea to leave the log rule in for the FORWARD chain
# IF you ever see packets from here, there's something up (new config perhaps?)
### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
##### BLACKLIST chains #####
#
echo "[+] Setting up Blacklist..."
# The BLACKIN chain detects incoming packets from naughty sources.
# NOTE that specifying protocol (-p), destination (-d), or interface (-i)
# is pointless as you should want to drop packets from these sources
# NO MATTER WHAT (and in most cases, dest and int will always be true).
$IPTABLES -A BLACKIN -s <ip address> -j DROP
# If a packet hasn't matched the above and gotten dropped execution
# will jump back into INPUT chain and continue processing.
# Add to list as necessary
# The BLACKOUT chain detects outgoing packets to bad sources.
# Pretty much the same as BLACKIN, just in the opposite direction
# (-d instead of -s)
$IPTABLES -A BLACKOUT -d <ip address> -j DROP
# Add to list as necessary
exit
### EOF ###
When the firewall is activated, users trying to connect to the server via their respective e-mail clients get timeout messages, which appear to point to port 110, which is the IMAP server. Does anyone have any ideas as to why this is happening, and how I can correct it? Thanks.
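The following is an added example, not code from the post above: a small Python audit that parses an iptables script in the shape shown, lists which inbound TCP ports the INPUT chain accepts new connections on, and compares them with the standard mail service ports (SMTP 25/587, POP3 110/995, IMAP 143/993). The rule excerpt and the 192.0.2.10 source address are constructed for the example. Run against rules like the ones in the post, it reports 25 and 110 as open while 143 and 993 have no ACCEPT rule and fall through to the INPUT chain's DROP policy; port 110 is the POP3 port, and IMAP clients connect to 143 (or 993 for IMAPS).

```python
"""Audit an iptables firewall script: which inbound TCP ports accept NEW
connections, and which expected mail services are left to the INPUT
chain's default policy."""
import shlex

# Constructed excerpt of a firewall script in the same shape as the one in
# the post (the real source IP is replaced by a documentation address).
SAMPLE_RULES = """
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5666 -s 192.0.2.10 -j ACCEPT
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options
"""

# Standard TCP ports for the services a mail host is expected to serve.
MAIL_SERVICES = {
    "smtp": 25, "submission": 587,
    "pop3": 110, "pop3s": 995,
    "imap": 143, "imaps": 993,
}

# iptables options that take no argument (the ones this audit needs to know).
VALUELESS = {"syn", "log-ip-options", "log-tcp-options"}


def _is_iptables(tok):
    # Accept '$IPTABLES', a bare 'iptables' or a path ending in /iptables,
    # but not the 'IPTABLES=/sbin/iptables' assignment line.
    return tok in ("$IPTABLES", "iptables") or (
        "=" not in tok and tok.endswith("/iptables"))


def parse_rule(line):
    """Turn '$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT' into
    {'A': 'INPUT', 'p': 'tcp', 'dport': '25', 'j': 'ACCEPT', ...}.
    Returns None for lines that are not iptables invocations."""
    toks = shlex.split(line, comments=True)
    if not toks or not _is_iptables(toks[0]):
        return None
    rule, negated, i = {}, set(), 1
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                      # extrapositioned negation: ! -i lo
            negated.add(toks[i + 1].lstrip("-"))
            i += 1
            continue
        if not tok.startswith("-"):
            i += 1
            continue
        key = tok.lstrip("-")
        if key == "P":                      # -P CHAIN POLICY takes two arguments
            rule["P"], rule["policy"] = toks[i + 1], toks[i + 2]
            i += 3
        elif key in VALUELESS:
            rule[key] = True
            i += 1
        else:
            rule[key] = toks[i + 1] if i + 1 < len(toks) else None
            i += 2
    rule["negated"] = negated
    return rule


def input_policy(script):
    """Default verdict for packets no INPUT rule matched (None if never set)."""
    for line in script.splitlines():
        r = parse_rule(line)
        if r and r.get("P") == "INPUT":
            return r["policy"]
    return None


def inbound_tcp_accepts(script):
    """Map TCP destination port -> 'any', or the single source the rule is
    restricted to, for every ACCEPT rule appended to the INPUT chain."""
    accepted = {}
    for line in script.splitlines():
        r = parse_rule(line)
        if not r or r.get("A") != "INPUT" or r.get("j") != "ACCEPT":
            continue
        if r.get("p") != "tcp" or r.get("dport") is None:
            continue
        port = int(r["dport"])
        src = r.get("s", "any")
        if src == "any" or port not in accepted:   # an unrestricted rule wins
            accepted[port] = src
    return accepted


def audit_mail_services(script, services=MAIL_SERVICES):
    """For each expected service: 'any', a source restriction, or 'blocked'
    (no ACCEPT rule for the port and the INPUT policy is not ACCEPT)."""
    accepted = inbound_tcp_accepts(script)
    fallback = "any" if input_policy(script) == "ACCEPT" else "blocked"
    return {name: accepted.get(port, fallback) for name, port in services.items()}


if __name__ == "__main__":
    for name, verdict in audit_mail_services(SAMPLE_RULES).items():
        print(f"{name:>10} (tcp/{MAIL_SERVICES[name]}): {verdict}")
```

The audit only reads the script, so it can be run before the rules are loaded; pointing it at the full script rather than the excerpt gives the same verdict for 143 and 993, since no INPUT rule in the post accepts either port.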