On Thu, Aug 18, 2011 at 7:21 AM, Paul Allen Newell <pnew...@cs.cmu.edu> wrote:
> partial answers to two replies ...
>
> On 8/17/2011 6:07 AM, Rick Sewill wrote:
>> May I suggest inserting an entry, at this spot, for mail, something like the
>> following.
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
>> The goal of the previous line is to jump to "ACCEPT" for any mail packet
>> establishing a new connection.

That rule would have worked.

> On 8/17/2011 12:49 PM, Roberto Ragusa wrote:
>> I would have just duplicated the ssh rule, which works, for port 23.
>>
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT

This rule will not work. The difference is the port. 23 is for telnet (the protocol, not the command). You need the rule with 25, which would be for SMTP and the port the mailserver is probably listening on.

> I tried what you suggested, ending up with iptables of:
> +++
> [...]
> 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:23
> 6 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
> 7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> +++
> and a second version of:
> [...]
> 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 5 ACCEPT tcp -- 192.168.2.0/24 0.0.0.0/0 state NEW tcp dpt:23
> 6 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
> 7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> +++
>
> I ran the tests again and observed that:
>
> telnet <name> 23 returns with Connection refused

That is correct, because the firewall is open, but there is no telnet daemon running.

> telnet <name> 25 returns with No route to host

No route to host??

> telnet <name> returns with Connection refused

This is in fact the same as the first command, as telnet defaults to using port 23.

> Looking in the /var/log/messages of the machine I am trying to telnet
> to, I think I am seeing a change in which the following is printed out
> (the first is for either the telnet to 23 or the generic telnet and the
> second is the telnet to 25):
> +++
> Aug 17 21:24:07 chalupa kernel: [ 4661.818442] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:8c:c3:21:d6:08:00 SRC=192.168.2.100 DST=192.168.2.255 LEN=234 TOS=0x00 PREC=0x00 TTL=128 ID=63637 PROTO=UDP SPT=138 DPT=138 LEN=214

This is the machine sending out a broadcast for some samba service?

> Aug 17 21:25:14 chalupa kernel: [ 4728.256249] IN=eth0 OUT= MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11 DST=192.168.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53181 DF PROTO=TCP SPT=34288 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

This is the remote being denied access to port 25, as you had not added port 25, but port 23.

> I tried dropping my firewall and all security on my Linksys WRT54GL
> (test machines are wired connections into it) and only the telnet 25
> shows up in logs ... all other messages are gone. The telnet requests
> didn't make it through with firewall/security down.

How did you drop your firewall on the server? If you had turned it off, it would not have logged the port 25 connection...

Two things: First, try without any firewall (service iptables stop), or enter a first line like: iptables -I INPUT -j ACCEPT, just so we can isolate the problem. If that fails, look at what actually gets sent on the server (tcpdump -i eth0 -nnl port 25).

--
Regards,
Andre
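As an added illustration that is not part of the thread: a constructed shell model of the INPUT chain's first-match evaluation, showing why the port 23 rule lets a port 25 SYN fall through to the REJECT rule (reported by the client as "No route to host", because the rule uses icmp-host-prohibited) while the accepted port 23 yields "Connection refused" when no telnet daemon listens. The rule lists, the in_cidr/verdict/symptom functions and the assumption that a mail daemon listens on 25 are all constructed for this example.

```shell
#!/bin/sh
# Constructed model of the INPUT chain from the thread (not real iptables).
# Each rule: "<source-cidr> <tcp-dport-or-any> <target>", evaluated top to bottom.
RULES_V1='0.0.0.0/0 22 ACCEPT
0.0.0.0/0 23 ACCEPT
0.0.0.0/0 any LOG
0.0.0.0/0 any REJECT'
RULES_V2='0.0.0.0/0 22 ACCEPT
192.168.2.0/24 23 ACCEPT
0.0.0.0/0 any LOG
0.0.0.0/0 any REJECT'
RULES_FIXED='0.0.0.0/0 22 ACCEPT
0.0.0.0/0 25 ACCEPT
0.0.0.0/0 any LOG
0.0.0.0/0 any REJECT'

# Is address $1 inside CIDR $2? Simplified to octet-aligned prefixes
# (/0, /8, /16, /24), which covers every rule in the thread.
in_cidr() {
    net=${2%/*}; octets=$(( ${2#*/} / 8 ))
    [ "$octets" -eq 0 ] && return 0
    [ "$(echo "$1" | cut -d. -f1-"$octets")" = "$(echo "$net" | cut -d. -f1-"$octets")" ]
}

# First-match walk for a TCP packet from $2 to dport $3 over rule list $1.
# LOG is a non-terminating target: it logs, then evaluation continues.
verdict() {
    src=$2; dport=$3
    v=$(echo "$1" | while read -r cidr port target; do
        in_cidr "$src" "$cidr" || continue
        [ "$port" = any ] || [ "$port" = "$dport" ] || continue
        [ "$target" = LOG ] && continue
        echo "$target"; break
    done)
    echo "${v:-ACCEPT}"   # no rule matched: chain policy (ACCEPT here)
}

# What the telnet client reports for verdict $1 when a daemon listens ($2=yes/no).
# REJECT --reject-with icmp-host-prohibited surfaces as "No route to host".
symptom() {
    case $1 in
        REJECT) echo "No route to host" ;;
        ACCEPT) if [ "$2" = yes ]; then echo "Connected"; else echo "Connection refused"; fi ;;
    esac
}

# Replay the thread: 192.168.2.11 probes the server, telnetd absent, mailer on 25.
for name in V1 V2 FIXED; do
    eval "rules=\$RULES_$name"
    printf '%-5s port 23: %s\n' "$name" "$(symptom "$(verdict "$rules" 192.168.2.11 23)" no)"
    printf '%-5s port 25: %s\n' "$name" "$(symptom "$(verdict "$rules" 192.168.2.11 25)" yes)"
done
```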