From: Cedric B. <cb...@ai...> - 2003-03-20 22:19:54
Does anyone have any suggestions? When I have my firewall up and running with the rules beneath I am able to connect to the login page and log in, but after logging in I get an error msg: "unable to connect to your mail server". When I drop the firewall everything works OK. Also I am unable to telnet into the localhost port (ie.. telnet localhost 25). What could it be?

Thx,

Subject: Re: [SM-USERS] Using Squirrelmail and iptables
From: <cb...@ai...>
Date: Wed, March 19, 2003 5:24 pm
To: <jo...@sq...>

> Hello Cedric,
>
> On Wednesday, March 19, 2003, Cedric Brown wrote...
>
>> iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 143
>> -j ACCEPT
>
> Did you set SquirrelMail to connect on localhost? If so, you're
> missing a rule to allow all from localhost... localhost doesn't run
> over eth0. Although, if this is all of your rules, then what you set up
> is rather pointless as there doesn't seem to be any blocking rules.
>
> --
> Jonathan Angliss
> (jo...@sq...)

Beneath is a copy of my firewall script. Unless I am missing something I am allowing localhost out, but when I try to telnet into any port from localhost (ie... telnet localhost 25) it times out. Plz advise.
# (1) Policies (default)
iptables -P INPUT DROP
#iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) User-defined chains for ACCEPTed TCP packets
#iptables -N okay
#iptables -A okay -p TCP --syn -j ACCEPT
#iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules
# Rules for incoming packets from LAN
###Rejected Addresses
#iptables -A INPUT -p all -i eth1 -s XXX.XXX.XXX.XXX-j REJECT
###Allowed Addresses
iptables -A INPUT -p all -i eth1 -s XXX.XXX.0.0/16 -j ACCEPT
iptables -A INPUT -p all -i l0 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p all -i l0 -s xxx.xxx.xxx.xxx -j ACCEPT
iptables -A INPUT -p all -i l0 -s xxx.xxx.xxx.xxx -j ACCEPT
iptables -A INPUT -p all -i eth1 -s 172.24.255.255 -j ACCEPT

# Packets for established connections
#iptables -A INPUT -p ALL -d xxx.xxx.xxx.xxx -m state --state ESTABLISHED,RELATED -j ACCEPT
#Added by SLS on 1/20/03
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP Rules
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 21 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 80 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 443 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 110 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 1812 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 1813 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 25 -j ACCEPT
#Added by CB on 1/9/03
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 143 -j ACCEPT
#Added by SLS on 1/20/03
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 51075 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 993 -j ACCEPT

# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 1812 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 1813 -j ACCEPT
#Added by CB on 1/9/03
iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 143 -j ACCEPT
#Added by CB on 1/31/03
iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 21 -j ACCEPT
#Added by SLS on 1/20/03
iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 993 -j ACCEPT
#Added by SLS on 03/11/03
iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 51075 -j ACCEPT

# ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0.0.0.0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0.0.0.0/0 --icmp-type 11 -j ACCEPT

# (4) FORWARD chain rules
#Accept the packets we want to forward
###Rejected Addresses
#iptables -A FORWARD -i eth0 -s -j REJECT
###Allowed Addresses
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# (5) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s xxx.xxx.xxx.xxx -j ACCEPT
iptables -A OUTPUT -p ALL -s 172.24.10.10 -j ACCEPT

# (6) POSTROUTING chain rules
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx

### Port Forwarding ###
iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 51075 -j DNAT --to-destination 172.24.10.11
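As an added example, not code from this thread or from the SquirrelMail project, the following Python checker reads an iptables script line by line and flags the classes of defect that make a ruleset behave differently from what its author expects: an interface name that does not exist on the host (the Linux loopback interface is `lo`, letter l, letter o), a rule with no `-j` target, a UDP ACCEPT for a service that only speaks TCP, and a DROP policy on INPUT with no rule that admits new connections arriving on loopback. `KNOWN_INTERFACES` and the sample ruleset are constructed for the example from the rules posted above; on a live host the interface list would be read from /sys/class/net.

```python
"""Static checks for an iptables rule script (added example, not list code)."""
import difflib
import shlex
from dataclasses import dataclass

# Assumption for the example: the interfaces present on the host.
KNOWN_INTERFACES = {"lo", "eth0", "eth1"}

# Services that only speak TCP; a UDP ACCEPT for them admits nothing useful.
TCP_ONLY_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 110: "pop3",
                  143: "imap", 993: "imaps"}

# Constructed sample built from the rules in the thread (subset, no real addresses).
SAMPLE_SCRIPT = """\
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p all -i l0 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0.0.0.0/0 --destination-port 143 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0.0.0.0/0 --destination-port 143 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
"""


@dataclass(frozen=True)
class Finding:
    lineno: int   # 0 marks a script-wide finding
    message: str


def parse_rule(tokens):
    """Map iptables options to values; bare flags map to True, -P to (chain, target)."""
    opts = {}
    i = 1  # tokens[0] is the iptables binary
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-P", "--policy") and i + 2 < len(tokens):
            opts["-P"] = (tokens[i + 1], tokens[i + 2])
            i += 3
            continue
        if tok.startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tok] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
            continue
        i += 1  # stray positional token; ignore
    return opts


def accepts_loopback(opts):
    """True if an INPUT ACCEPT rule would match a new TCP connection arriving on lo."""
    if opts.get("-A") != "INPUT" or opts.get("-j") != "ACCEPT":
        return False
    proto = str(opts.get("-p", "all")).upper()
    if proto not in ("ALL", "TCP"):
        return False
    state = opts.get("--state")
    if isinstance(state, str) and "NEW" not in state.upper():
        return False  # ESTABLISHED,RELATED never matches the first SYN
    iface = opts.get("-i")
    src = str(opts.get("-s", ""))
    return iface == "lo" or (iface is None and (src in ("", "0.0.0.0/0") or src.startswith("127.")))


def check_script(text):
    """Return a list of Finding objects for the given iptables script text."""
    findings = []
    input_policy = None
    loopback_ok = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if not tokens or not tokens[0].endswith("iptables"):
            continue
        opts = parse_rule(tokens)
        if isinstance(opts.get("-P"), tuple) and opts["-P"][0] == "INPUT":
            input_policy = opts["-P"][1]
        for key in ("-i", "-o"):
            iface = opts.get(key)
            if isinstance(iface, str) and iface not in KNOWN_INTERFACES:
                close = difflib.get_close_matches(iface, KNOWN_INTERFACES, n=1, cutoff=0.4)
                hint = f' (did you mean "{close[0]}"?)' if close else ""
                findings.append(Finding(lineno, f'unknown interface "{iface}"{hint}'))
        if "-A" in opts and "-j" not in opts:
            findings.append(Finding(lineno, "rule has no -j target; it matches packets but does nothing"))
        proto = str(opts.get("-p", "")).upper()
        port = opts.get("--destination-port") or opts.get("--dport")
        if proto == "UDP" and isinstance(port, str) and port.isdigit() and int(port) in TCP_ONLY_PORTS:
            findings.append(Finding(lineno, f"UDP ACCEPT for port {port} ({TCP_ONLY_PORTS[int(port)]} is TCP-only)"))
        if accepts_loopback(opts):
            loopback_ok = True
    if input_policy == "DROP" and not loopback_ok:
        findings.append(Finding(0, "INPUT policy is DROP but no rule accepts new connections on lo; "
                                   "local clients talking to 127.0.0.1 will be dropped"))
    return findings


if __name__ == "__main__":
    for f in check_script(SAMPLE_SCRIPT):
        print(f"line {f.lineno}: {f.message}")
```

The loopback check deliberately ignores `ESTABLISHED,RELATED` rules: conntrack only marks a flow established after the first packet has been accepted, so with an INPUT policy of DROP the initial SYN from a local client to 127.0.0.1 must be admitted by a rule that matches new traffic on `lo`. An OUTPUT rule for `-s 127.0.0.1` does not help, because the reply path is checked on INPUT.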