Re: [LARTC] iptables : Incoming mail and ping problem

2003-02-12 Thread Bartek Krajnik
- Forwarded message from Shaheen Hossain [EMAIL PROTECTED] -

From: Shaheen Hossain [EMAIL PROTECTED]
Subject: Re: Thanks for willing to help
Date: Wed, 12 Feb 2003 01:53:02 +0600

Thanks Bartek, this was of great help. As a result, my mail is now
functional. Great, thanks.


- Original Message -
From: Bartek Krajnik [EMAIL PROTECTED]
To: Shaheen Hossain [EMAIL PROTECTED]
Sent: Tuesday, February 11, 2003 5:28 PM
Subject: Re: Thanks for willing to help


bk On Sun, Feb 09, 2003 at 08:56:36PM +0600, Shaheen Hossain wrote:
bk sh Dear Bartek, thanks for being willing to help. Since the mail is not working,
bk sh please respond back to [EMAIL PROTECTED] File II works for email and
bk sh pinging to the server. Strangely File I does not; the difference I can see is in
bk sh line 162. Thanks again. I really appreciate it.
bk sh
bk sh -- shaheen hossain
bk sh
bk Line 162 from fileI:
bk $IPTABLES -A allowed -p TCP -j DROP
bk   fileII:
bk $IPTABLES -A allowed -p TCP -j REJECT
bk there shouldn't be problems.
bk
bk Do You know about this?
bk less /usr/src/linux-2.4.20/include/linux/icmp.h
bk #define ICMP_ECHO   8   /* Echo Request */
bk #define ICMP_TIME_EXCEEDED  11  /* Time Exceeded*/
bk
bk Scenario with fileI.
bk Now, when someone tries from world
bk # telnet 203.76.102.44 25
bk first SYN packet goes to:
bk $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
bk $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j DROP
bk
bk You don't have instruction like:
bk $IPTABLES -A INPUT -p tcp -j tcp_packets
bk
bk So it should be:
bk $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
bk $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j DROP
bk
bk Now after:
bk # telnet 203.76.102.44 25
bk first SYN packet goes to:
bk $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk and it's OK.
bk From your server a packet goes back:
bk $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
bk $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk And next:
bk $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk and should be OK.
bk
bk With icmp:
bk # ping 203.76.102.44
bk $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
bk $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j DROP
bk
bk When you change this:
bk $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j icmp_packets
bk $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
bk $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j DROP
bk
bk packet icmp-request (ping) goes:
bk $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j icmp_packets
bk $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
bk
bk Now from Your server echo-response (pong):
bk $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk
bk IMHO Your scripts need more work.
bk Read somewhere about TCP/ICMP/UDP protocols.
bk
bk Best regards,
bk Bartek.
bk --
bk GPG-Key:
bk    http://www.bartek.bicom.pl/public_key.txt
bk    pub  1024D/948DE45D 2002-12-12 Bartek Krajnik [EMAIL PROTECTED]
bk    Primary key fingerprint: 95E9 8E2D 1801 7864 2244  6EAA 03E5 764D 948D E45D
bk
bk
bk
- End forwarded message -


___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
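The corrected chain layout Bartek walks through above, written out as a complete rule script. This is an added example and not the original poster's iptablesRC nor code from Bartek: it assumes the public interface is eth0, the public address 203.76.102.44 quoted in the thread, a kernel with ip_conntrack loaded so that `-m state` works, and an illustrative list of served TCP ports (22, 25, 80, 443); the body of the `allowed` chain is assumed too, since the original file was never posted to the list. It goes one step beyond the thread by replacing the `--sport` ACCEPT rules with connection tracking, so return traffic is accepted because it belongs to a tracked connection rather than because the peer chose a friendly source port.

```shell
#!/bin/sh
# Added example (not the original poster's iptablesRC nor Bartek's code).
# Assumptions: public interface eth0, public IP 203.76.102.44 (from the thread),
# kernel with ip_conntrack so that "-m state" works, and an illustrative list
# of served TCP ports (22, 25, 80, 443). The body of the "allowed" chain is
# assumed; the original file was never posted.
#
# IPTABLES defaults to a dry-run printer so the rule set can be reviewed as a
# non-root user; run with IPTABLES=/sbin/iptables to apply it.

INET_IFACE="${INET_IFACE:-eth0}"
INET_IP="${INET_IP:-203.76.102.44}"

dryrun() { echo "iptables $*"; }
IPTABLES="${IPTABLES:-dryrun}"

fw_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -N allowed
    $IPTABLES -N tcp_packets
    $IPTABLES -N icmp_packets

    # allowed: a fresh SYN or a packet of an already tracked connection; the
    # rest is dropped (REJECT here would only change what the peer sees).
    $IPTABLES -A allowed -p TCP --syn -j ACCEPT
    $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p TCP -j DROP

    # tcp_packets: services offered to the world, by destination port only.
    # No --sport rules: a remote host can pick any source port it likes.
    for port in 22 25 80 443; do
        $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport "$port" -j allowed
    done

    # icmp_packets: echo request (8) and time exceeded (11).
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

    # INPUT: loopback, replies to our own connections, then the jumps into the
    # per-protocol chains, and only after those the catch-all log-and-drop.
    # Without the two -j jumps every inbound SYN and every ping hits LOG/DROP.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp -j tcp_packets
    $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp -j icmp_packets
    $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
    $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp -j DROP
    $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
    $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp -j DROP

    # OUTPUT: anything sourced from this host's own addresses.
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT
}

# Order check on the generated rules: for tcp and icmp, the INPUT jump into
# the named chain must appear before that protocol's catch-all DROP.
# Prints "ok" and returns 0 on success, names the offending protocol otherwise.
check_order() {
    rules=$( IPTABLES=dryrun; fw_rules )
    for proto in tcp icmp; do
        jump=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT .*-p $proto -j ${proto}_packets" | head -n 1 | cut -d: -f1)
        drop=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT .*-p $proto -j DROP" | head -n 1 | cut -d: -f1)
        [ -n "$jump" ] && [ -n "$drop" ] && [ "$jump" -lt "$drop" ] || { echo "bad order: $proto"; return 1; }
    done
    echo ok
}

check_order >/dev/null || exit 1
fw_rules
```

Run it as-is to print the rule set and confirm the jump-before-drop ordering; apply it with `IPTABLES=/sbin/iptables sh fw.sh` from the console rather than over SSH, because the DROP policies take effect before the ACCEPT rules are added. The order check is the point of the exercise: the thread's failure was not a wrong rule but a missing `-j tcp_packets` / `-j icmp_packets` ahead of the LOG and DROP lines, so the script refuses to apply anything if that ordering is broken.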



Re: [LARTC] iptables : Incoming mail and ping problem

2003-02-07 Thread Bartek Krajnik
On Thu, Feb 06, 2003 at 07:38:54PM +0600, Shaheen Hossain wrote:
 Diff between File I ( iptablesRC ) and File II (iptablesRC.2). File I works for incoming mail. File II does not work for incoming mail, nor does pinging this server on its external interface NIC IP.
 
 I could not figure out which difference in these port-allowing, reject or accept commands is keeping the incoming mail from coming in on RH Linux 7.3. Please help. Thanks.
 
 --
 [shossain@mohican shossain]$ diff /home/admin/firewall/iptablesRC /home/admin/firewall/iptablesRC.2 | more
 162c162
  $IPTABLES -A allowed -p TCP -j REJECT
 ---
  $IPTABLES -A allowed -p TCP -j DROP
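Review bot: the REJECT/DROP change on line 162 only affects what the remote peer sees for TCP packets that fall through the `allowed` chain without matching an earlier ACCEPT (REJECT answers with an ICMP port-unreachable by default, DROP stays silent); it does not change which packets reach `allowed` in the first place, so it cannot by itself explain port 25 working in one file and not in the other. Add a LOG rule in front of the final rule, e.g. `$IPTABLES -A allowed -p TCP -j LOG --log-prefix "allowed-fallthrough: "`, and watch the log while connecting to port 25 to see whether SMTP traffic reaches this chain at all.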
 185,187c185,187
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1503 -j allowed
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5001:65535 -j allowed
 ---
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1500:65535 -j allowed
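Review bot: this hunk widens the destination ports handed to `allowed` from three entries (1503, 3389, 5001:65535) to a single 1500:65535, which is a strict superset, so the second file is more permissive here, not less, and nothing in these lines can block mail on port 25, which is matched by a separate rule. Either way, handing every high port from 0/0 to `allowed` exposes any service that happens to listen there; list the ports that are actually served instead of a blanket range.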
 192,200c192,200
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 22 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 25 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 42 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 80 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 113 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 143 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 174 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 443 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 5001:65535 -j ACCEPT
 ---
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 22 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 25 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 42 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 80 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 113 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 143 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 174 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 443 -j ACCEPT
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 1500:65535 -j ACCEPT
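Review bot: `--source-port` and `--sport` are the same iptables option, so the first eight lines of this hunk change nothing; the only functional difference is the last line (5001:65535 versus 1500:65535). The bigger problem is that every rule here ACCEPTs on source port alone, which any remote host can satisfy by binding its local end to port 22, 25 or 80 before connecting, turning these lines into a filter bypass for every destination port. Replace them with one rule that accepts only tracked return traffic, `$IPTABLES -A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT`, and let new connections be judged by the `--dport` rules above.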
 262d261
 
 268d266
 
Send both files, not differences.

-- 
GPG-Key:
   http://www.bartek.bicom.pl/public_key.txt
   pub  1024D/948DE45D 2002-12-12 Bartek Krajnik [EMAIL PROTECTED]
   Primary key fingerprint: 95E9 8E2D 1801 7864 2244  6EAA 03E5 764D 948D E45D

