* Outgoing SMTP Mystery
From: Michael Hudin @ 2002-06-04 22:18 UTC (permalink / raw)
To: netfilter
Okay, so I've gotten everything running fine in my tables as far as HTTP, SSH and POP go, but I'm having a problem with SMTP (I have a qmail server). I can send SMTP out just fine, but no other server can send it in for some reason. It would appear in the logs that it is forwarding fine, but it is still not allowing connections on port 25.

My setup is:
Public Interface: eth0 - 10.10.10.254
Private Interface: eth1 - 192.168.77.1

My firewall also serves as a gateway for the private LAN and a VPN server running FreeSWAN. The MX records are set up to point at 10.10.10.252 as the mail server and, as you can see below, that is indeed forwarding (or at least it should be).

I've always assumed that the numbers in the brackets were port allowances and that may be my problem, but if they were, I wouldn't be able to get to SSH and HTTP.

Also, if anyone has any security suggestions, since I just cobbled this together to get it working, they wouldn't fall on deaf ears.
Here are my tables:
*nat
:PREROUTING ACCEPT [241:88600]
:POSTROUTING ACCEPT [0:9862]
:OUTPUT ACCEPT [68:4275]
-A PREROUTING -d 10.10.10.252 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.77.2
-A PREROUTING -d 10.10.10.252 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.77.2
-A PREROUTING -d 10.10.10.251 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.2
-A PREROUTING -d 10.10.10.250 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.2
-A PREROUTING -d 10.10.10.250 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.77.2
-A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.254
-A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.254
COMMIT
*mangle
:PREROUTING ACCEPT [18365:3221456]
:INPUT ACCEPT [10886:760348]
:FORWARD ACCEPT [7269:2438049]
:OUTPUT ACCEPT [8009:752540]
:POSTROUTING ACCEPT [15177:3182145]
COMMIT
*filter
:INPUT ACCEPT [0:229546]
:FORWARD ACCEPT [363:1553786]
:OUTPUT ACCEPT [2:619341]
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
Michael Hudin
Sentinel Systems Support
www.zoetrope.com
* Re: Outgoing SMTP Mystery
From: Antony Stone @ 2002-06-04 22:37 UTC (permalink / raw)
To: netfilter
On Tuesday 04 June 2002 11:18 pm, Michael Hudin wrote:
> I can send SMTP out just fine, but no other server can send it in for some
> reason.
> -A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.254
> -A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.254
I really don't like the look of those two rules together. You're saying
that any packet going out of the external interface should bear the source
address of the external interface - pretty standard. But you're also saying
that any packet going out of the *internal* interface should also have the
source address of the external interface - why ???
Do you have any access control rules on your SMTP server - is it fussy about
the IP addresses it accepts connections from ?
What happens if you telnet to port 25 on the mail server from your firewall ?
Antony.
* Re: Outgoing SMTP Mystery
From: Travis Crook @ 2002-06-04 22:59 UTC (permalink / raw)
To: netfilter
My bad. I will fix the rule so that anything going out the internal
interface will have the ip of the internal interface!
Thanks for pointing that out.
Travis Crook
Visions Beyond
* Re: Outgoing SMTP Mystery
From: Michael Hudin @ 2002-06-04 23:28 UTC (permalink / raw)
To: netfilter
Yeah, the internal interface was rather pointless and I've changed it to the
internal gateway. It ultimately doesn't matter because the file in qmail
that I'm using allows anything from the subnet and the external IP to relay.
I have tried to telnet in and can get to it fine without being rejected.
This one has got me stumped.
-michael
* Re: Outgoing SMTP Mystery
From: Antony Stone @ 2002-06-04 23:46 UTC (permalink / raw)
To: netfilter
On Tuesday 04 June 2002 11:18 pm, Michael Hudin wrote:
> I've always assumed that the numbers in the brackets were port allowances
No, they're not (although I can't say what they are - I don't use
iptables-save). If you look at the numbers, many of them are larger than
65535, so they're certainly not port numbers :-)
> Here are my tables:
>
> *nat
>
> :PREROUTING ACCEPT [241:88600]
> :POSTROUTING ACCEPT [0:9862]
> :OUTPUT ACCEPT [68:4275]
>
> *mangle
>
> :PREROUTING ACCEPT [18365:3221456]
> :INPUT ACCEPT [10886:760348]
> :FORWARD ACCEPT [7269:2438049]
> :OUTPUT ACCEPT [8009:752540]
> :POSTROUTING ACCEPT [15177:3182145]
>
> *filter
>
> :INPUT ACCEPT [0:229546]
> :FORWARD ACCEPT [363:1553786]
> :OUTPUT ACCEPT [2:619341]
I find this interesting - you have a default ACCEPT policy on all your chains
- specifically on FORWARD, and I cannot see any rules you have included which
DROP or REJECT packets..... so is there really any filtering going on in your
firewall, or is it in fact just an open router doing some network address
translation !?
I know this doesn't exactly solve your problem, but I wonder if it means the
problem isn't on your firewall ?
Perhaps you could check the routing table on your SMTP server - what does it
have for a default gateway address ?
Antony.
* Re: Outgoing SMTP Mystery
From: Michael Hudin @ 2002-06-05 17:58 UTC (permalink / raw)
To: netfilter
Yeah, I was assuming that there were no default drop rules. I'll make sure
to implement those.
I did realize that my /etc/hosts file was still set to the old subnet. I
corrected that, but it still is having the same problem. The gateway on the
mail machine is set correctly and remember that I can POP in and out and
SMTP out. I just can't get SMTP in for some mind boggling reason.
-michael
* Re: Outgoing SMTP Mystery
From: patrick conlin @ 2002-06-05 17:58 UTC (permalink / raw)
To: Antony Stone, netfilter
Just as a side note, the numbers in the brackets are how iptables-save/restore keeps the counter information: [packets:bytes].
on 6/4/02 19:46, Antony@Soft-Solutions.co.uk wrote:
>> :PREROUTING ACCEPT [241:88600]
-=p=-
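Pulling together Antony's two points (the SNAT rule on eth1, and ACCEPT policies with no DROP or REJECT rule anywhere) and patrick's note on the [packets:bytes] counters, here is an added example, not code from the thread: a small Python script that parses an iptables-save dump of the kind Michael posted and reports those problems. The posted dump is embedded in trimmed form as the sample input; a second, hypothetical "fixed" dump is my own assumption of what a corrected ruleset for this setup would look like, not something anyone in the thread posted. The interface names and addresses come from the first message.

```python
"""Lint an iptables-save dump for the problems raised in this thread (added example)."""
import re

# Trimmed copy of the dump from the first message: the mangle table and the
# HTTP/SSH/POP/IPsec entries are left out for brevity, the rest is verbatim.
POSTED_DUMP = """\
*nat
:PREROUTING ACCEPT [241:88600]
:POSTROUTING ACCEPT [0:9862]
:OUTPUT ACCEPT [68:4275]
-A PREROUTING -d 10.10.10.252 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.77.2
-A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.254
-A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.254
COMMIT
*filter
:INPUT ACCEPT [0:229546]
:FORWARD ACCEPT [363:1553786]
:OUTPUT ACCEPT [2:619341]
-A INPUT -p tcp -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Hypothetical corrected ruleset (my assumption, not posted in the thread):
# SNAT only on eth0, default DROP on INPUT/FORWARD, explicit allows for
# FreeSWAN (IKE/ESP/AH) and the DNAT'd SMTP port. Counters are [0:0] because
# it has never been loaded.
FIXED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 10.10.10.252 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.77.2
-A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.254
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p ah -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.77.2 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")


def parse_dump(text):
    """{table: {"policies": {chain: (policy, packets, bytes)}, "rules": [token lists]}}"""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *nat
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                    # chain policy plus [packets:bytes]
            chain, policy, pkts, byts = POLICY_RE.match(line).groups()
            tables[table]["policies"][chain] = (policy, int(pkts), int(byts))
        elif line.startswith("-A "):                  # one rule; COMMIT/blank lines are skipped
            tables[table]["rules"].append(line.split())
    return tables


def opt(tokens, flag):
    """Value following `flag` in a rule, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def counters(tables):
    """(table, chain) -> (packets, bytes), taken from the bracketed fields."""
    return {(t, c): (p, b) for t, d in tables.items() for c, (_, p, b) in d["policies"].items()}


def lint(tables, internal_ifaces):
    """Return human-readable findings; internal_ifaces names the LAN-side interfaces."""
    findings = []
    for r in tables.get("nat", {}).get("rules", []):
        if opt(r, "-j") == "SNAT" and opt(r, "-o") in internal_ifaces:
            findings.append(
                f"nat: SNAT on internal interface {opt(r, '-o')}: DNAT'd connections reach "
                f"the inside host with source {opt(r, '--to-source')}, so the host never sees "
                "the real client address and any per-IP policy it applies sees the firewall")
    filt = tables.get("filter", {"policies": {}, "rules": []})
    dropping = {opt(r, "-A") for r in filt["rules"] if opt(r, "-j") in ("DROP", "REJECT")}
    for chain in ("INPUT", "FORWARD"):
        if filt["policies"].get(chain, ("ACCEPT",))[0] == "ACCEPT" and chain not in dropping:
            findings.append(f"filter: {chain} policy is ACCEPT and no rule drops or rejects: "
                            "nothing is filtered on this chain")
    for r in filt["rules"]:
        if (opt(r, "-A") == "INPUT" and opt(r, "-j") == "ACCEPT"
                and opt(r, "-p") in ("tcp", "udp", None)
                and not any(f in r for f in ("-i", "-s", "--dport", "-m"))):
            findings.append(f"filter: INPUT accepts all {opt(r, '-p') or 'traffic'} with no "
                            "interface, source or port restriction")
    return findings


if __name__ == "__main__":
    for label, dump in (("posted", POSTED_DUMP), ("fixed", FIXED_DUMP)):
        found = lint(parse_dump(dump), {"eth1"})
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run from the command line it prints four findings for the posted dump and none for the corrected one. The ESTABLISHED,RELATED rules in the corrected dump matter: once FORWARD defaults to DROP, the mail server's replies to DNAT'd connections must be let back out explicitly, and they only reach the firewall at all if the server's default gateway is 192.168.77.1, which is the point of Antony's last question.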
* Re: Outgoing SMTP Mystery
From: Michael Hudin @ 2002-06-05 18:21 UTC (permalink / raw)
To: netfilter
That would be a good way to test. Unfortunately I don't have telnet setup
on any machines that are external to the firewall and have qmail running.
When I went to port 25 using telnet, it did appear to authenticate me
through one of the usernames, but I may be mistaken since I'm not very
knowledgeable about telnet.
Omar, thanks for the offlist help with the port forwarding by the way. This
has to be one of the useful and helpful groups of people out there.
-michael
----- Original Message -----
From: "Omar Castaneda Acosta" <omar@idea.com.mx>
To: "Michael Hudin" <hudin@zoetrope.com>
Sent: Wednesday, June 05, 2002 11:03 AM
Subject: RE: Outgoing SMTP Mystery
Well, if you can connect to port 25 from someplace on the external side of your firewall, then the port forwarding is working ok.
try manually (using telnet) sending an email thru a connection being
portfw'ed to your qmail server.
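Omar's suggestion is the right test. Here is an added example, not code from the thread, of that exchange carried out by hand: it connects to the forwarded port, walks through HELO, MAIL FROM and RCPT TO for a domain the server does not host, and reports whether the server agreed to relay. The host names, addresses and the two canned server transcripts are constructed for illustration; the 553 text is qmail-smtpd's usual refusal for a domain outside rcpthosts. One caveat that follows from the earlier messages: with a POSTROUTING SNAT rule on eth1 (whether to 10.10.10.254 as first posted or to the internal gateway address Michael changed it to), every connection that comes through the port-forward reaches qmail with the firewall's own address as its source, and Michael says his qmail relay-control file allows that subnet and the external IP to relay. If both are still true, an outside sender who gets a 250 to RCPT TO in this probe can relay through the server; dropping the eth1 SNAT rule, so that qmail sees the real client address, is what closes that. Run the probe from a host outside the firewall so the DNAT path is what gets exercised.

```python
"""Drive an SMTP session by hand through the port-forwarded connection and
report whether the server agreed to relay for us (added example)."""
import io
import socket


def read_reply(rfile):
    """Read one SMTP reply (continuation lines are 'NNN-'); return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # final line is 'NNN ' or a bare 'NNN'
            return int(line[:3]), lines


def probe(rfile, wfile, helo, mail_from, rcpt_to):
    """Greeting, HELO, MAIL FROM, RCPT TO, QUIT; return {step: reply code}."""
    codes = {}
    codes["banner"], _ = read_reply(rfile)
    steps = (("helo", f"HELO {helo}"),
             ("mail", f"MAIL FROM:<{mail_from}>"),
             ("rcpt", f"RCPT TO:<{rcpt_to}>"),
             ("quit", "QUIT"))
    for name, cmd in steps:
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
        codes[name], _ = read_reply(rfile)
    return codes


def relay_allowed(codes):
    """True when RCPT TO for a domain the server is not responsible for got a 2xx:
    the server would accept and forward mail from us, i.e. it relays for our address."""
    return 200 <= codes.get("rcpt", 0) < 300


def probe_host(host, port=25, helo="probe.example",
               mail_from="probe@example.net", rcpt_to="nobody@example.org"):
    """Live check against a real host; run it from outside the firewall."""
    with socket.create_connection((host, port), timeout=15) as s:
        with s.makefile("rb") as r, s.makefile("wb") as w:
            return probe(r, w, helo, mail_from, rcpt_to)


def run_transcript(server_bytes, rcpt_to="nobody@example.org"):
    """Offline driver: feed a canned server transcript; return (codes, bytes we sent)."""
    r, w = io.BytesIO(server_bytes), io.BytesIO()
    codes = probe(r, w, "probe.example", "probe@example.net", rcpt_to)
    return codes, w.getvalue()


# Constructed transcripts: what the server side sends for an open relay and for
# a server that refuses to relay for the connecting address.
OPEN_RELAY = (b"220 mail.example.net ESMTP\r\n"
              b"250 mail.example.net\r\n"
              b"250 ok\r\n"
              b"250 ok\r\n"
              b"221 mail.example.net\r\n")
RELAY_DENIED = (b"220 mail.example.net ESMTP\r\n"
                b"250 mail.example.net\r\n"
                b"250 ok\r\n"
                b"553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"
                b"221 mail.example.net\r\n")

if __name__ == "__main__":
    for label, transcript in (("open relay", OPEN_RELAY), ("relay denied", RELAY_DENIED)):
        codes, _ = run_transcript(transcript)
        print(f"{label}: {codes} -> relay_allowed={relay_allowed(codes)}")
```

A 250 to RCPT TO is the only thing that matters here; a 250 to HELO or MAIL FROM says nothing about relaying, since qmail accepts those from anyone and only decides at RCPT TO, based on rcpthosts and whether RELAYCLIENT was set for the connecting address.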