K9logic (Programmer)
6 Jun 12 7:35
I am at a bit of a loss with iptables. The main application running on this server requires certain settings in iptables, but there are so many settings I'm not sure what is what.

It generally works fine, though the only problem at the moment seems to be that it is blocking the server from receiving emails, and I am not sure how to go about fixing that. (I'm almost sure it's iptables, because when I stop iptables email is received just fine.)

This is the full settings list. If anyone could tell me which commands to enter to get receiving email working, that would be awesome. Thanks!

CODE

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  0.0.0.0/8            anywhere
DROP       all  --  100.64.0.0/10        anywhere
DROP       all  --  127.0.0.0/8          anywhere
DROP       all  --  169.254.0.0/16       anywhere
DROP       all  --  192.0.0.0/24         anywhere
DROP       all  --  192.0.2.0/24         anywhere
DROP       all  --  198.18.0.0/15        anywhere
DROP       all  --  198.51.100.0/24      anywhere
DROP       all  --  203.0.113.0/24       anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
DROP       all  --  240.0.0.0/4          anywhere
TMP_DROP   all  --  anywhere             anywhere
TALLOW     all  --  anywhere             anywhere
TDENY      all  --  anywhere             anywhere
TGALLOW    all  --  anywhere             anywhere
TGDENY     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp dpts:epmap:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpts:epmap:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpt:login
DROP       udp  --  anywhere             anywhere            udp dpt:who
DROP       tcp  --  anywhere             anywhere            tcp dpt:efs
DROP       udp  --  anywhere             anywhere            udp dpt:router
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-s
DROP       udp  --  anywhere             anywhere            udp dpt:ms-sql-s
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-m
DROP       udp  --  anywhere             anywhere            udp dpt:ms-sql-m
DROP       tcp  --  anywhere             anywhere            tcp dpt:search-agent
DROP       udp  --  anywhere             anywhere            udp dpt:search-agent
DROP       tcp  --  anywhere             anywhere            tcp dpt:ingreslock
DROP       udp  --  anywhere             anywhere            udp dpt:ingreslock
DROP       tcp  --  anywhere             anywhere            tcp dpt:ctx-bridge
DROP       udp  --  anywhere             anywhere            udp dpt:ctx-bridge
IN_SANITY  all  --  anywhere             anywhere
FRAG_UDP   all  --  anywhere             anywhere
PZERO      all  --  anywhere             anywhere
P2P        all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:eli
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nbx-dir
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:scp-config
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10002
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10003
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10005
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:892
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:filenet-rpc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:32803
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere            udp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ndmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:scp-config
ACCEPT     udp  --  anywhere             anywhere            udp dpt:10002
ACCEPT     udp  --  anywhere             anywhere            udp dpt:10003
ACCEPT     udp  --  anywhere             anywhere            udp dpt:10005
ACCEPT     udp  --  anywhere             anywhere            udp dpt:892
ACCEPT     udp  --  anywhere             anywhere            udp dpt:filenet-rpc
ACCEPT     udp  --  anywhere             anywhere            udp dpt:32803
ACCEPT     udp  --  anywhere             anywhere            udp dpt:pftp
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable limit: avg 30/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp redirect limit: avg 30/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded limit: avg 30/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply limit: avg 30/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp type 30 limit: avg 30/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 30/sec burst 5
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  resolver.[DATACENTER].net  anywhere      udp spt:domain dpts:1023:65535
ACCEPT     tcp  --  resolver.[DATACENTER].net  anywhere      tcp spt:domain dpts:1023:65535
DROP       tcp  --  anywhere             anywhere            tcp spt:domain dpts:1023:65535
DROP       udp  --  anywhere             anywhere            udp spt:domain dpts:1023:65535
ACCEPT     udp  --  resolver.[DATACENTER].net  anywhere      udp spt:domain dpts:1023:65535
ACCEPT     tcp  --  resolver.[DATACENTER].net  anywhere      tcp spt:domain dpts:1023:65535
DROP       tcp  --  anywhere             anywhere            tcp spt:domain dpts:1023:65535
DROP       udp  --  anywhere             anywhere            udp spt:domain dpts:1023:65535
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh dpts:login:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh flags:FIN,SYN,RST,ACK/SYN state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpts:traceroute:33534
DROP       tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
DROP       all  --  anywhere             0.0.0.0/8
DROP       all  --  anywhere             100.64.0.0/10
DROP       all  --  anywhere             127.0.0.0/8
DROP       all  --  anywhere             169.254.0.0/16
DROP       all  --  anywhere             192.0.0.0/24
DROP       all  --  anywhere             192.0.2.0/24
DROP       all  --  anywhere             198.18.0.0/15
DROP       all  --  anywhere             198.51.100.0/24
DROP       all  --  anywhere             203.0.113.0/24
DROP       all  --  anywhere             base-address.mcast.net/4
DROP       all  --  anywhere             240.0.0.0/4
TMP_DROP   all  --  anywhere             anywhere
TALLOW     all  --  anywhere             anywhere
TDENY      all  --  anywhere             anywhere
TGALLOW    all  --  anywhere             anywhere
TGDENY     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp dpts:epmap:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpts:epmap:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpt:login
DROP       udp  --  anywhere             anywhere            udp dpt:who
DROP       tcp  --  anywhere             anywhere            tcp dpt:efs
DROP       udp  --  anywhere             anywhere            udp dpt:router
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-s
DROP       udp  --  anywhere             anywhere            udp dpt:ms-sql-s
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-m
DROP       udp  --  anywhere             anywhere            udp dpt:ms-sql-m
DROP       tcp  --  anywhere             anywhere            tcp dpt:search-agent
DROP       udp  --  anywhere             anywhere            udp dpt:search-agent
DROP       tcp  --  anywhere             anywhere            tcp dpt:ingreslock
DROP       udp  --  anywhere             anywhere            udp dpt:ingreslock
DROP       tcp  --  anywhere             anywhere            tcp dpt:ctx-bridge
DROP       udp  --  anywhere             anywhere            udp dpt:ctx-bridge
OUT_SANITY all  --  anywhere             anywhere
FRAG_UDP   all  --  anywhere             anywhere
PZERO      all  --  anywhere             anywhere
P2P        all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             resolver.[DATACENTER].net  udp spts:1023:65535 dpt:domain
ACCEPT     tcp  --  anywhere             resolver.[DATACENTER].net  tcp spts:1023:65535 dpt:domain
ACCEPT     udp  --  anywhere             resolver.[DATACENTER].net  udp spts:1023:65535 dpt:domain
ACCEPT     tcp  --  anywhere             resolver.[DATACENTER].net  tcp spts:1023:65535 dpt:domain
ACCEPT     udp  --  anywhere             resolver.[DATACENTER].net  udp spts:1023:65535 dpt:domain
ACCEPT     tcp  --  anywhere             resolver.[DATACENTER].net  tcp spts:1023:65535 dpt:domain
ACCEPT     udp  --  anywhere             resolver.[DATACENTER].net  udp spts:1023:65535 dpt:domain
ACCEPT     tcp  --  anywhere             resolver.[DATACENTER].net  tcp spts:1023:65535 dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpts:traceroute:33534
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain FRAG_UDP (2 references)
target     prot opt source               destination
DROP       udp  -f  anywhere             anywhere

Chain IN_SANITY (1 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN
DROP       tcp  --  anywhere             anywhere            tcp flags:ACK,URG/URG
DROP       tcp  --  anywhere             anywhere            tcp flags:PSH,ACK/PSH
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN

Chain OUT_SANITY (1 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN
DROP       tcp  --  anywhere             anywhere            tcp flags:ACK,URG/URG
DROP       tcp  --  anywhere             anywhere            tcp flags:PSH,ACK/PSH

Chain P2P (2 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:kazaa reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:kazaa dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:kazaa reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:kazaa dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:3d-nfsd reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:3d-nfsd dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:3d-nfsd reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:3d-nfsd dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spts:1024:65534 dpts:smaclmgr:traversal reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spts:smaclmgr:traversal dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpts:smaclmgr:traversal reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:smaclmgr:traversal dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:6257 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:6257 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:6699 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:6699 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:gnutella-svc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:gnutella-svc dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:gnutella-svc reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:gnutella-svc dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:gnutella-rtr reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:gnutella-rtr dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:gnutella-rtr reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:gnutella-rtr dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:gnutella-svc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:gnutella-svc dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:gnutella-svc reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:gnutella-svc dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp dpt:interwise reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere            tcp spt:interwise dpts:1024:65534 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:interwise reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp spt:interwise dpts:1024:65534 reject-with icmp-port-unreachable

Chain PROHIBIT (0 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain PZERO (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:0
DROP       udp  --  anywhere             anywhere            udp dpt:0
DROP       tcp  --  anywhere             anywhere            tcp spt:0
DROP       udp  --  anywhere             anywhere            udp spt:0

Chain RESET (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset

Chain TALLOW (2 references)
target     prot opt source               destination

Chain TDENY (2 references)
target     prot opt source               destination

Chain TGALLOW (2 references)
target     prot opt source               destination

Chain TGDENY (2 references)
target     prot opt source               destination

Chain TMP_DROP (2 references)
target     prot opt source               destination

Chain acctboth (2 references)
target     prot opt source               destination
           tcp  --  os.[OURDOMAIN].net   anywhere            tcp dpt:http
           tcp  --  anywhere             os.[OURDOMAIN].net  tcp spt:http
           tcp  --  os.[OURDOMAIN].net   anywhere            tcp dpt:smtp
           tcp  --  anywhere             os.[OURDOMAIN].net  tcp spt:smtp
           tcp  --  os.[OURDOMAIN].net   anywhere            tcp dpt:pop3
           tcp  --  anywhere             os.[OURDOMAIN].net  tcp spt:pop3
           icmp --  os.[OURDOMAIN].net   anywhere
           icmp --  anywhere             os.[OURDOMAIN].net
           tcp  --  os.[OURDOMAIN].net   anywhere
           tcp  --  anywhere             os.[OURDOMAIN].net
           udp  --  os.[OURDOMAIN].net   anywhere
           udp  --  anywhere             os.[OURDOMAIN].net
           all  --  os.[OURDOMAIN].net   anywhere
           all  --  anywhere             os.[OURDOMAIN].net
           tcp  --  o-ns2.[OURDOMAIN].net  anywhere          tcp dpt:http
           tcp  --  anywhere             o-ns2.[OURDOMAIN].net  tcp spt:http
           tcp  --  o-ns2.[OURDOMAIN].net  anywhere          tcp dpt:smtp
           tcp  --  anywhere             o-ns2.[OURDOMAIN].net  tcp spt:smtp
           tcp  --  o-ns2.[OURDOMAIN].net  anywhere          tcp dpt:pop3
           tcp  --  anywhere             o-ns2.[OURDOMAIN].net  tcp spt:pop3
           icmp --  o-ns2.[OURDOMAIN].net  anywhere
           icmp --  anywhere             o-ns2.[OURDOMAIN].net
           tcp  --  o-ns2.[OURDOMAIN].net  anywhere
           tcp  --  anywhere             o-ns2.[OURDOMAIN].net
           udp  --  o-ns2.[OURDOMAIN].net  anywhere
           udp  --  anywhere             o-ns2.[OURDOMAIN].net
           all  --  o-ns2.[OURDOMAIN].net  anywhere
           all  --  anywhere             o-ns2.[OURDOMAIN].net
           all  --  anywhere             anywhere

site | http://thomassmart.com / http://thomassmart.hk
blog | http://weblog.thomassmart.com

gorge544 (IS/IT--Management)
1 Jul 12 18:34
I believe iptables reads your config from top to bottom, so make sure you are not dropping anything before the smtp rule.

Try putting the smtp rule towards the top.
Noway2 (Programmer)
2 Jul 12 8:48
I agree with gorge544; in fact, this looks like it could be your problem:

CODE

DROP       tcp  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 

Looking at your IPTables configuration, I would seriously advocate a massive overhaul of it. I would suggest you start by identifying what you need to accomplish, as in what traffic you want to allow. Keep the focus on what you want to allow; don't worry about what you want to drop. Once you have identified this, write a new IPTables configuration that sets the policy to accept so that you can safely flush the rules without losing your connection, write a line for your accepts, and then create a default DROP rule. Realize that this will allow only what you specify and remove everything else. Hence it will no longer be necessary to have specialized rules for things like "reject kazaa", as they will be completely redundant. Also keep in mind that each rule consumes (processing) resources, and the simpler you can make your table the better. Another example is the code section I quoted above. Notice that you have three rules: drop TCP, drop UDP, and DROP ALL. Unless these are for different interfaces, this is uselessly redundant and the drop all would suffice.

Here is an excellent IPTables tutorial. If you Google "bodhi zazen iptables" you will find this one, as well as his others that will be of benefit to you.
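Both replies rest on one fact: iptables walks a chain top to bottom and stops at the first terminating match, so the `ACCEPT ... tcp dpt:smtp` rule that sits below `DROP tcp`, `DROP udp` and `DROP all` in the posted INPUT chain can never be reached. The script below is an added example (not code from any post in this thread) that checks this mechanically: it parses `iptables -S` output and reports which rule decides a given packet, following jumps into user chains such as acctboth. It works from `-S` rather than `-L` output because `-L` without `-v` hides interface matches, so the bare `ACCEPT all -- anywhere anywhere` near the top of the posted chain cannot be read literally; the constructed excerpt assumes it is the usual `-i lo` loopback rule. Only `-p`, `-i`, `--dport` and `--state`/`--ctstate` are modelled; any rule with another matcher (the `! --tcp-flags` rule, for one) is skipped and listed rather than guessed at. The second ruleset, also constructed, is a minimal allow list in the shape the last reply recommends, and the same walk shows SMTP reaching its ACCEPT there. The interface name `eth0` and both rule excerpts are assumptions, not data from the thread.

```python
"""Which iptables rule decides a packet? A first-match walk over `iptables -S` output (which,
unlike plain `iptables -L`, shows `-i lo`). Added example for this thread, not from the posts."""
import itertools
import shlex
from dataclasses import dataclass, field

VERDICTS = {"ACCEPT", "DROP", "REJECT", "RETURN"}
SUPPORTED = {"-p", "-i", "--dport", "--state", "--ctstate"}

@dataclass
class Packet:
    proto: str = "tcp"
    dport: int = 25      # inbound SMTP, the case in the thread
    iface: str = "eth0"  # assumed name of the public interface
    state: str = "NEW"   # conntrack state of a fresh SYN

@dataclass
class Rule:
    text: str
    target: str = ""     # "" = counting-only rule, the walk continues past it
    args: dict = field(default_factory=dict)
    unsupported: list = field(default_factory=list)

def parse_rules(dump):
    """Return ({chain: policy}, {chain: [Rule, ...]}) from `iptables -S` text."""
    policies, chains = {}, {}
    for line in filter(None, (ln.strip() for ln in dump.splitlines())):
        tok = shlex.split(line)
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        rule, i = Rule(text=line), 2
        while i < len(tok):
            neg = int(tok[i] == "!")
            opt, i = tok[i + neg], i + 1 + neg
            vals = list(itertools.takewhile(lambda t: not t.startswith("-") and t != "!", tok[i:]))
            i += len(vals)
            if opt in ("-j", "-g"):  # -g (goto) is treated as a plain jump here
                rule.target = vals[0]
            elif opt in SUPPORTED and not neg:
                rule.args[opt.lstrip("-")] = vals[0]
            elif opt not in ("-m", "--reject-with"):  # module loader / target option
                rule.unsupported.append(("! " if neg else "") + opt)
        chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def rule_matches(rule, pkt):
    if rule.unsupported:
        return None  # matcher not modelled: caller skips and reports the rule
    a = rule.args
    lo, _, hi = a.get("dport", "0:65535").partition(":")  # single port or lo:hi range
    states = a.get("state") or a.get("ctstate")
    return (a.get("p", "all") in ("all", pkt.proto) and a.get("i", pkt.iface) == pkt.iface
            and int(lo) <= pkt.dport <= int(hi or lo)
            and (not states or pkt.state in states.split(",")))

def walk(chain, pkt, chains, skipped):
    for rule in chains.get(chain, []):  # top to bottom, first terminating match wins
        hit = rule_matches(rule, pkt)
        if hit is None:
            skipped.append(rule.text)
        elif hit and rule.target in VERDICTS:
            return rule.target, rule
        elif hit and rule.target:  # jump into a user-defined chain
            verdict, where = walk(rule.target, pkt, chains, skipped)
            if verdict not in (None, "RETURN"):
                return verdict, where
    return None, None  # fell off the end of the chain

def verdict_for(dump, pkt, chain="INPUT"):
    policies, chains = parse_rules(dump)
    skipped = []
    verdict, rule = walk(chain, pkt, chains, skipped)
    if verdict in (None, "RETURN"):  # builtin chain exhausted: its policy decides
        return policies[chain], f"policy {chain} {policies[chain]}", skipped
    return verdict, rule.text, skipped

# Constructed `-S` excerpt modelled on the INPUT chain posted above (rules that cannot touch a SYN
# to tcp/25 are omitted); the bare "ACCEPT all" line -L prints is assumed to be the usual `-i lo`.
POSTED = """-P INPUT ACCEPT
-A INPUT -j acctboth
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A acctboth -p tcp -m tcp --dport 25
"""
# Constructed allow-list rewrite as the last reply describes: accepts, then one final DROP.
REBUILT = """-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP
"""
if __name__ == "__main__":
    for name, dump in (("posted", POSTED), ("rebuilt", REBUILT)):
        print(name, verdict_for(dump, Packet()))  # (verdict, deciding rule, skipped rules)
```

On the posted excerpt the walk reports `DROP` by `-A INPUT -p tcp -j DROP`, with the `! --tcp-flags` rule listed as skipped; on the rebuilt allow list it reports `ACCEPT` by the `--dport 25` rule. To check a real box, save `iptables -S` to a file and call `verdict_for(open("rules.txt").read(), Packet())`. The quickest confirmation without any script is `iptables -L INPUT -n -v --line-numbers` on the live server: `-v` adds the per-rule packet counters and the interface column, so the catch-all DROP that is swallowing port 25 connections shows its counter climbing while the SMTP ACCEPT below it stays at zero.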
