I am having a problem implementing iptables with Courier's pop3
daemon. If I disable iptables, everything works fine. As soon as I
enable it, pop3 will stop working for messages over 32K. Small
messages will go through with no problems, but large ones will time
out.
I get this message from OE: "Your POP3 server has not responded in 60
seconds." And an option to stop or continue waiting. I can wait as
long as I want, but it will not download the message.
This problem only exists with connections coming from outside our
network. Connections from within the network can download large
messages with no problems.
Has anyone seen this before? I would like to implement iptables for
more security, but I can't do it if this problem persists.
My server is:
P4 2.8, 1GB RAM
CentOS 4.3 (fully patched)
Courier 0.53.1
My iptables rules were initially created with
system-config-securitylevel and then modified from there. The current
rules are:
Chain INPUT (policy ACCEPT)
target prot opt in out source destination
RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt in out source destination
RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt in out source destination
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- * * 172.16.0.0/16 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-host-prohibited
I have found information on Google indicating that this might be a
problem with the MTU or MSS setting, but the solutions given seemed to
be aimed at the end user rather than the server. I tried them anyway,
but they didn't seem to help.
This is what was generally suggested:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
It didn't get any hits on the FORWARD chain. I put it on the OUTPUT
chain and it got some hits there, but didn't have any effect on the
problem. I also tried the --set-mss option with the same lack of
results.
I appreciate any suggestions.
--
Bowie
