Re: [LARTC] iptables : Incoming mail and ping problem
- Forwarded message from Shaheen Hossain [EMAIL PROTECTED] -

From: Shaheen Hossain [EMAIL PROTECTED]
Subject: Re: Thanks for willing to help
Date: Wed, 12 Feb 2003 01:53:02 +0600

Thanks Bartek, this was of great help. As a result, my mail is now
functional. Great, thanks.

- Original Message -
From: Bartek Krajnik [EMAIL PROTECTED]
To: Shaheen Hossain [EMAIL PROTECTED]
Sent: Tuesday, February 11, 2003 5:28 PM
Subject: Re: Thanks for willing to help

bk On Sun, Feb 09, 2003 at 08:56:36PM +0600, Shaheen Hossain wrote:
bk sh Dear Bartek, thanks for willing to help. Since the mail is not
bk sh working, please respond back to [EMAIL PROTECTED]
bk sh File II works for email and pinging to the server. Strangely, File I
bk sh does not; the only difference I can see is in line 162. Thanks again.
bk sh I really appreciate it.
bk sh
bk sh -- shaheen hossain
bk sh
bk Line 162 from fileI:
bk $IPTABLES -A allowed -p TCP -j DROP
bk fileII:
bk $IPTABLES -A allowed -p TCP -j REJECT
bk there shouldn't be problems.
bk
bk Do You know about this?
bk less /usr/src/linux-2.4.20/include/linux/icmp.h
bk #define ICMP_ECHO 8 /* Echo Request */
bk #define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
bk
bk Scenario with fileI.
bk Now, when someone tries from the world
bk # telnet 203.76.102.44 25
bk the first SYN packet goes to:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN:"
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j DROP
bk
bk You don't have an instruction like:
bk $IPTABLES -A INPUT -p tcp -j tcp_packets
bk
bk So it should be:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN:"
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j DROP
bk
bk Now after:
bk # telnet 203.76.102.44 25
bk the first SYN packet goes to:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk and it's OK.
bk From your server the packet goes back via:
bk $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
bk $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk And next:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk and it should be OK.
bk
bk With icmp:
bk # ping 203.76.102.44
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN:"
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j DROP
bk
bk When you change this to:
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j icmp_packets
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN:"
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j DROP
bk
bk the icmp echo-request (ping) packet goes:
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j icmp_packets
bk $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
bk
bk Now from Your server the echo-response (pong):
bk $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk
bk IMHO Your scripts need more work.
bk Read somewhere about the TCP/ICMP/UDP protocols.
bk
bk Best regards,
bk Bartek.
bk --
bk GPG-Key: http://www.bartek.bicom.pl/public_key.txt
bk pub 1024D/948DE45D 2002-12-12 Bartek Krajnik [EMAIL PROTECTED]
bk Primary key fingerprint: 95E9 8E2D 1801 7864 2244 6EAA 03E5 764D 948D E45D
bk
bk

- End forwarded message -

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
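Bartek's walk-through above is really a lesson in how iptables traverses chains: a `-j user_chain` enters the chain, an unmatched packet falls off the end of it and returns to the next rule of the caller, LOG never terminates, and the first terminating target wins. The following is an added example, not code from this thread or from the iptables project: a small Python model of exactly that traversal, fed the `$IPTABLES -A ...` lines quoted in the mail. It replays the two rulesets (File I with LOG/DROP and no jump, and the corrected ordering with the jumps first) against an SMTP SYN, an ICMP echo request and a telnet SYN, returning the verdict and the path taken. The interface name `eth0`, the `--syn ACCEPT` rule at the top of `allowed` and the packet values are assumptions; the thread shows only that chain's final DROP.

```python
"""Toy iptables chain walker: an added example, not code from the LARTC
thread or from iptables.  Models only what the walk-through uses: INPUT with
a policy, user chains entered by -j, implicit RETURN at the end of a user
chain, the non-terminating LOG target, and a handful of matches."""
import shlex
from dataclasses import dataclass

@dataclass
class Packet:
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False       # SYN without ACK, which is what --syn matches
    icmp_type: int = -1

def _port_in(spec, port):
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def parse_rule(line):
    """One '$IPTABLES -A CHAIN ...' line -> (chain, matches, target)."""
    argv = shlex.split(line.replace("$INET_IFACE", "eth0"))  # assumed iface
    chain, matches, target, i = argv[2], {}, None, 3
    while i < len(argv):
        flag = argv[i]
        if flag == "-j":
            target, i = argv[i + 1], i + 2
        elif flag == "--syn":
            matches[flag], i = True, i + 1
        elif flag in ("-s", "--log-prefix"):    # '-s 0/0' and a log prefix
            i += 2                              # do not affect the verdict
        elif flag in ("-i", "-p", "--dport", "--icmp-type"):
            matches[flag], i = argv[i + 1].lower(), i + 2
        else:
            raise ValueError(f"unsupported option {flag!r} in: {line}")
    return chain, matches, target

def rule_matches(m, p):
    return (m.get("-i", p.iface) == p.iface
            and m.get("-p", "all") in ("all", p.proto)
            and ("--dport" not in m or _port_in(m["--dport"], p.dport))
            and ("--syn" not in m or p.syn)
            and ("--icmp-type" not in m or int(m["--icmp-type"]) == p.icmp_type))

def load(script):
    """Group a script's -A rules by chain, keeping append order."""
    chains = {}
    for line in filter(str.strip, script.splitlines()):
        chain, m, target = parse_rule(line)
        chains.setdefault(chain, []).append((m, target))
    return chains

def _walk(chains, chain, pkt, trace):
    """Verdict reached inside `chain`, or None if it runs out of rules."""
    for m, target in chains.get(chain, []):
        if not rule_matches(m, pkt):
            continue
        trace.append(f"{chain}:{target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "LOG":
            continue                            # LOG never ends traversal
        if target == "RETURN":
            return None
        result = _walk(chains, target, pkt, trace)   # jump into a user chain
        if result is not None:
            return result                       # else it returned: keep walking
    return None

def verdict(chains, pkt, policy="DROP"):
    """Walk INPUT; return (verdict, ['chain:target', ...] in the order hit)."""
    trace = []
    return _walk(chains, "INPUT", pkt, trace) or policy, trace

# User chains quoted in the thread; allowed's --syn rule is assumed (the mails show only its final DROP).
USER_CHAINS = """
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"""
LOG_AND_DROP = """
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN:"
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -j DROP
$IPTABLES -A INPUT -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN:"
$IPTABLES -A INPUT -i $INET_IFACE -p icmp -j DROP
"""
JUMPS = """
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -j tcp_packets
$IPTABLES -A INPUT -i $INET_IFACE -p icmp -j icmp_packets
"""
FILE_I = USER_CHAINS + LOG_AND_DROP          # File I: no jump before LOG/DROP
FIXED = USER_CHAINS + JUMPS + LOG_AND_DROP   # Bartek's fix: the jumps go first
SMTP_SYN = Packet("eth0", "tcp", dport=25, syn=True)     # constructed packets
PING = Packet("eth0", "icmp", icmp_type=8)
TELNET_SYN = Packet("eth0", "tcp", dport=23, syn=True)

if __name__ == "__main__":      # print the verdict and path for each case
    for name, script in (("File I", FILE_I), ("fixed", FIXED)):
        for pkt in (SMTP_SYN, PING, TELNET_SYN):
            print(name, pkt, *verdict(load(script), pkt))
```

Running it shows the SMTP SYN and the ping hitting `INPUT:LOG` then `INPUT:DROP` under File I, and `INPUT:tcp_packets -> tcp_packets:allowed -> allowed:ACCEPT` (respectively `INPUT:icmp_packets -> icmp_packets:ACCEPT`) once the jumps precede the LOG/DROP pair. The telnet SYN is the check worth keeping in mind: it enters `tcp_packets`, matches nothing there, returns, and is still logged and dropped, so putting the jump first does not weaken the catch-all. A non-SYN packet to port 25 reaches the `allowed` chain's final DROP, which is all the line-162 rule ever decides.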
Re: [LARTC] iptables : Incoming mail and ping problem
On Thu, Feb 06, 2003 at 07:38:54PM +0600, Shaheen Hossain wrote:
Diff between File I ( iptablesRC ) and File II (iptablesRC.2). File I works
for incoming mail. File II does not for incoming mail, and neither does
pinging this server on its external interface NIC IP. I could not figure
out what difference in these port-allowing, reject or accept commands is
keeping the incoming mail from coming in on RH Linux 7.3. Please help.
Thanks.
--
[shossain@mohican shossain]$ diff /home/admin/firewall/iptablesRC /home/admin/firewall/iptablesRC.2 | more
162c162
$IPTABLES -A allowed -p TCP -j REJECT
---
$IPTABLES -A allowed -p TCP -j DROP
185,187c185,187
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1503 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5001:65535 -j allowed
---
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1500:65535 -j allowed
192,200c192,200
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 22 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 25 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 42 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 80 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 113 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 143 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 174 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 443 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 5001:65535 -j ACCEPT
---
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 22 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 25 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 42 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 80 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 113 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 143 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 174 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 443 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 1500:65535 -j ACCEPT
262d261
268d266

Send both files, not differences.

--
GPG-Key: http://www.bartek.bicom.pl/public_key.txt
pub 1024D/948DE45D 2002-12-12 Bartek Krajnik [EMAIL PROTECTED]
Primary key fingerprint: 95E9 8E2D 1801 7864 2244 6EAA 03E5 764D 948D E45D
[LARTC] iptables : Incoming mail and ping problem
Diff between File I ( iptablesRC ) and File II (iptablesRC.2). File I works
for incoming mail. File II does not for incoming mail, and neither does
pinging this server on its external interface NIC IP. I could not figure
out what difference in these port-allowing, reject or accept commands is
keeping the incoming mail from coming in on RH Linux 7.3. Please help.
Thanks.
--
[shossain@mohican shossain]$ diff /home/admin/firewall/iptablesRC /home/admin/firewall/iptablesRC.2 | more
162c162
$IPTABLES -A allowed -p TCP -j REJECT
---
$IPTABLES -A allowed -p TCP -j DROP
185,187c185,187
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1503 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5001:65535 -j allowed
---
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1500:65535 -j allowed
192,200c192,200
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 22 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 25 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 42 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 80 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 113 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 143 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 174 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 443 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 5001:65535 -j ACCEPT
---
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 22 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 25 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 42 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 80 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 113 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 143 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 174 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 443 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 1500:65535 -j ACCEPT
262d261
268d266
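Review bot: the REJECT/DROP swap at 162c162 cannot be what breaks incoming mail. `-p TCP -j REJECT` (or DROP) with no other match is a catch-all for every TCP packet that reaches it, so it only decides the fate of packets that fell through the rules above it in `allowed`; an SMTP SYN accepted earlier never gets there. Of the two, REJECT without `--reject-with` answers every such packet with an ICMP port-unreachable, which confirms to a scanner that a filter is in place; DROP is the safer choice on the internet-facing side. If clients should fail fast rather than time out, use `-j REJECT --reject-with tcp-reset` for TCP only.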
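Review bot: both sides of 185,187c185,187 hand new connections from any source to a very wide destination-port range (5001:65535 in File I, 1500:65535 in File II, which also swallows the 1503 and 3389 entries it replaces; 3389 is RDP and 1503 the T.120 conferencing port). A default-DROP INPUT buys nothing if any SYN to a high port is passed to `allowed`: every service that happens to listen in that range becomes reachable from the internet, and none of it is needed for mail or ping. If the range exists to let replies to outbound connections back in, that is the job of `-m state --state ESTABLISHED,RELATED`, not of a destination-port range; if it exists for specific services, list each port and limit `-s` to the networks that need it.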
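Review bot: 192,200c192,200 is a cosmetic change (`--source-port` and `--sport` are the same iptables option), but the rules it touches are a real hole: they ACCEPT inbound TCP to any destination port solely because of its source port, and the source port is chosen by the client. Anyone can reach any listening service on the box by sending from port 22, 25, 80 or 443 (`nmap -g 80` does exactly this), and `--sport 1500:65535 -j ACCEPT` admits most ordinary client connections outright since their ephemeral ports fall in that range. With these in place the `--dport` list above them is meaningless. If the intent is to admit replies to connections the server itself opened, delete all nine lines and rely on `-m state --state ESTABLISHED,RELATED -j ACCEPT` early in INPUT.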