partial answers to two replies ...

On 8/17/2011 6:07 AM, Rick Sewill wrote:
> May I suggest inserting an entry, at this spot, for mail, something like the
> following.
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
> The goal of the previous line is to jump to "ACCEPT" for any mail packet
> establishing a new connection.
>
> Instead of the above line, you might want to specify a source IP address range
> to limit which IP addresses can send mail to your machine.
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -s 192.168.2.0/24 -j ACCEPT

On 8/17/2011 12:49 PM, Roberto Ragusa wrote:
> I would have just duplicated the ssh rule, which works, for port 23.
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
>

First, there are other parts of your email that I need to reply to separately; I just wanted to group the two actions into a single email.

I tried what you suggested, ending up with iptables of:

+++
[...]
4    ACCEPT     tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:23
6    LOG        all  --  0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 4
7    REJECT     all  --  0.0.0.0/0       0.0.0.0/0       reject-with icmp-host-prohibited
+++

and a second version of:

+++
[...]
4    ACCEPT     tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:22
5    ACCEPT     tcp  --  192.168.2.0/24  0.0.0.0/0       state NEW tcp dpt:23
6    LOG        all  --  0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 4
7    REJECT     all  --  0.0.0.0/0       0.0.0.0/0       reject-with icmp-host-prohibited
+++

I ran the tests again and observed that:

    telnet <name> 23    returns with Connection refused
    telnet <name> 25    returns with No route to host
    telnet <name>       returns with Connection refused

This confirms that the rules are doing something, just not what I want.

Looking in the /var/log/messages of the machine I am trying to telnet to, I think I am seeing a change in which the following is printed out (the first is for either the telnet to 23 or the generic telnet, and the second is the telnet to 25):

+++
Aug 17 21:24:07 chalupa kernel: [ 4661.818442] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:8c:c3:21:d6:08:00 SRC=192.168.2.100 DST=192.168.2.255 LEN=234 TOS=0x00 PREC=0x00 TTL=128 ID=63637 PROTO=UDP SPT=138 DPT=138 LEN=214
Aug 17 21:25:14 chalupa kernel: [ 4728.256249] IN=eth0 OUT= MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11 DST=192.168.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53181 DF PROTO=TCP SPT=34288 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
+++

What is puzzling is that I see the dport is no longer 23, it's 138, and the PROTO is now UDP instead of TCP (???)

I also noticed that I began seeing one of the new messages showing up in the log of the machine sending the request (when I was trying to have iptables entries for them, all three tests would show up in the destination machine's log).

I tried dropping my firewall and all security on my Linksys WRT54GL (test machines are wired connections into it) and only the telnet 25 shows up in the logs ... all other messages are gone. The telnet requests didn't make it through with firewall/security down.

I don't even know what question to ask at this point.

It feels like progress (and I can send a full dump of everything) and I certainly have a better understanding of iptables, but the dport/PROTO change is left field to me.

Thanks,
Paul

PS: other questions from all replies answered in another email ... I've got this testing down to a point where I can restore to a known state with confidence.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
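Added example, not part of the thread above and not Fedora's or the poster's code: a small Python script that parses the two kernel LOG lines quoted in the message and walks each packet through rules 4-7 of the two `iptables -L -n --line-numbers` listings, so you can see which rule each packet hit and why. It shows three things the listings imply: the UDP SPT=138/DPT=138 line is a separate broadcast (DST 192.168.2.255, i.e. NetBIOS datagram traffic from 192.168.2.100) that matches neither tcp ACCEPT rule and therefore falls through to the catch-all LOG and REJECT; the SYN to port 25 does the same, and `reject-with icmp-host-prohibited` is what the client reports as "No route to host"; and a SYN to port 23 is ACCEPTed at rule 5 before the LOG rule, so it never appears in the log, with "Connection refused" then coming from the destination's own TCP stack (RST) when nothing listens on 23. Assumptions: rules 1-3, elided in the post as "[...]", are not modelled; conntrack's NEW state is approximated as "TCP SYN without ACK, or any UDP packet"; the chain policy is unknown and reported as POLICY; `synthetic_syn()` builds a constructed packet for the port 23 test the log does not contain; whether a listener is up is a parameter (`listener_up`), since the post does not say.

```python
import ipaddress
import re
from dataclasses import dataclass

# The two kernel LOG lines quoted in the post (chalupa's /var/log/messages).
LOG_LINES = [
    "Aug 17 21:24:07 chalupa kernel: [ 4661.818442] IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:1e:8c:c3:21:d6:08:00 SRC=192.168.2.100 DST=192.168.2.255 "
    "LEN=234 TOS=0x00 PREC=0x00 TTL=128 ID=63637 PROTO=UDP SPT=138 DPT=138 LEN=214",
    "Aug 17 21:25:14 chalupa kernel: [ 4728.256249] IN=eth0 OUT= "
    "MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11 DST=192.168.2.10 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53181 DF PROTO=TCP SPT=34288 DPT=25 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
]
KV = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Split an iptables LOG line into KEY=VALUE fields; bare tokens (DF, SYN,
    ACK) go into 'flags'. The first LEN= (IP total length) wins over the L4 one."""
    pkt = {"flags": set()}
    for tok in line.split("] ", 1)[1].split():   # skip "Mon DD hh:mm:ss host kernel: [ ts]"
        m = KV.fullmatch(tok)
        if m:
            pkt.setdefault(m.group(1), m.group(2))
        else:
            pkt["flags"].add(tok)
    return pkt


def synthetic_syn(src, dst, dport):
    """Constructed TCP SYN (assumption: not in the post) in parse_log_line()
    shape, for packets the log cannot show, e.g. the telnet to port 23."""
    return {"IN": "eth0", "SRC": src, "DST": dst, "PROTO": "TCP",
            "SPT": "40000", "DPT": str(dport), "flags": {"DF", "SYN"}}


@dataclass
class Rule:
    target: str             # ACCEPT, LOG or REJECT
    proto: str = None       # "TCP"/"UDP", None = all
    dport: int = None
    src: str = "0.0.0.0/0"
    new_only: bool = False  # "-m state --state NEW"


def is_new(pkt):
    """Approximates conntrack NEW: TCP SYN without ACK; any UDP (no flow table here)."""
    if pkt["PROTO"] == "TCP":
        return "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]
    return True


def matches(rule, pkt):
    return ((rule.proto is None or pkt["PROTO"] == rule.proto)
            and (rule.dport is None or int(pkt.get("DPT", -1)) == rule.dport)
            and ipaddress.ip_address(pkt["SRC"]) in ipaddress.ip_network(rule.src)
            and (not rule.new_only or is_new(pkt)))


def walk_chain(chain, pkt):
    """Return (terminating target, hit_log_rule). LOG does not terminate:
    the packet is written to syslog and continues to the next rule."""
    logged = False
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return "POLICY", logged   # fell off the end; the chain policy is not in the post


def client_symptom(target, listener_up):
    """What telnet on the sending host prints for each verdict."""
    if target == "REJECT":    # reject-with icmp-host-prohibited -> EHOSTUNREACH
        return "No route to host"
    if target == "ACCEPT":    # past the firewall; the TCP stack answers for the port
        return "Connected" if listener_up else "Connection refused"   # RST -> ECONNREFUSED
    return "Connection timed out"   # DROP (or a DROP policy): nothing comes back


# Rules 4-7 of the two listings in the post; rules 1-3 were elided ("[...]") and
# are not modelled. CHAIN_V2 is the variant with rule 5 restricted to the LAN.
CHAIN_V1 = [Rule("ACCEPT", "TCP", 22, new_only=True),
            Rule("ACCEPT", "TCP", 23, new_only=True),
            Rule("LOG"), Rule("REJECT")]
CHAIN_V2 = [Rule("ACCEPT", "TCP", 22, new_only=True),
            Rule("ACCEPT", "TCP", 23, src="192.168.2.0/24", new_only=True),
            Rule("LOG"), Rule("REJECT")]

if __name__ == "__main__":
    for line in LOG_LINES:
        p = parse_log_line(line)
        t, logged = walk_chain(CHAIN_V1, p)
        print(p["SRC"], "->", p["DST"], p["PROTO"], "dpt", p["DPT"], t,
              "logged" if logged else "not logged", "|", client_symptom(t, False))
    # the `telnet <name> 23` / `telnet <name>` SYN: rule 5 accepts it before the LOG rule
    t, logged = walk_chain(CHAIN_V1, synthetic_syn("192.168.2.11", "192.168.2.10", 23))
    print("port 23:", t, "logged" if logged else "not logged", "|", client_symptom(t, False))
```

Running it against the log lines from the post gives REJECT (logged) for both the UDP 138 broadcast and the port 25 SYN, and ACCEPT (not logged) for a port 23 SYN from the LAN under either listing; under the second listing the same SYN from an address outside 192.168.2.0/24 is logged and rejected. The `-m state --state NEW` match is simplified here; real conntrack also tracks UDP "flows" and replies, which is why a real chain normally has an ESTABLISHED,RELATED accept ahead of these rules.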