Re: Port 25

On Sun, 2005-02-06 at 13:51, Ted Gervais wrote:
> I have a problem getting mail packets to go out with my present firewall
> setup.

is the mail server on a machine behind the firewall, or running on the
firewall itself?

> What I have is a firewall that blocks/drops everything at the start and
> then it goes on to allow access through specific ports. For Port 25 or
> smtp to work, I have the following line which I was hoping to have mail
> coming and going with this statement. However, outgoing mail can go, but
> incoming has a problem:
> 
> /usr/sbin/iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT

this allows TCP port 25 connections to the firewall itself.

> I also tried the following two lines to see if things would work but to no
> avail..:
> 
> iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS \
> --dport 25 -j ACCEPT

that allows the firewall itself to send TCP packets out interface
$INTERNET if the source IP is $IPADDR, the source port is $UNPRIVPORTS
and the destination port is 25.

> iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 25 -d $IPADDR \
> --dport $UNPRIVPORTS -j ACCEPT

allows TCP packets destined for the firewall itself inbound on interface
$INTERNET with flag SYN unset out of SYN, ACK, and RST, a source port of
25, destination IP $IPADDR and a destination port of $UNPRIVPORTS.

> So, if I take the firewall down, mail comes and goes just great..
> What am I not seeing here??

first off--let me introduce you to a rule that (IMHO) should be at the
top of all your built-in filter chains (INPUT, OUTPUT, FORWARD):

  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

which will eliminate things like mr. "iptables -A INPUT -i $INTERNET -p
tcp ! --syn --sport 25 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT"
above...

second--if the mail server is running on a machine other than the
firewall itself--you need to be adding rules to the FORWARD chain of the
filter table, not INPUT/OUTPUT.

all this (and much more) knowledge can be dropped on a brother at:

  http://iptables-tutorial.frozentux.net/iptables-tutorial.html

-j

--
"I bent my wookie."
	--The Simpsons


