* pop3 and dns
From: Fritz Mesedilla @ 2004-05-04 9:40 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
Greetings!
I have been looking for the answer to this through google...
How do I allow POP3 through my iptables rules?
I have done this...
$IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
I included the dns forward rule to allow the internal clients to be able to resolve pop3 domain names.
The problems:
1) They still can't resolve domain names.
2) POP3 can't seem to pass through going outside from the internal clients.
Please advise me to what I still need to add. Thanks.
Cheers,
fritz <www.mesedilla.com>
---
+ Basta Ikaw Lord
----------------------------------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender immediately by e-mail and delete this e-mail from your
system. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent
those of the company. Finally, the recipient should check this email
and any attachments for the presence of viruses. The company accepts
no liability for any damage caused by any virus transmitted by this
email.
Overture Media, Inc.
Direct Line: (632) 635-4785
Trunkline: (632) 631-8971 Local 146
Fax: (632) 637-2206
Level 1 Summit Media Offices, Robinsons Galleria EDSA Cor. Ortigas Ave., Quezon City 1100
* Re: pop3 and dns
From: Ray Leach @ 2004-05-04 9:40 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
On Tue, 2004-05-04 at 11:40, Fritz Mesedilla wrote:
> Greetings!
> I have been looking for the answer to this through google...
>
> How do I allow POP3 through my iptables rules?
>
> I have done this...
> $IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
>
> $IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
>
> I included the dns forward rule to allow the internal clients to be able to resolve pop3 domain names.
>
> The problems:
> 1) They still can't resolve domain names.
> 2) POP3 can't seem to pass through going outside from the internal clients.
>
> Please advise me to what I still need to add. Thanks.
>
From what you show above, it's difficult to say. Are you using nat and
private ips on the inside? Are you just forwarding all traffic via your
iptables router and all your clients have public ips? Are you using
private ips on the inside and doing nat at the router?
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
* Re: pop3 and dns
From: Antony Stone @ 2004-05-04 10:09 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
On Tuesday 04 May 2004 10:40 am, Fritz Mesedilla wrote:
> Greetings!
> I have been looking for the answer to this through google...
>
> How do I allow POP3 through my iptables rules?
>
> I have done this...
> $IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
>
> $IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
These look fine as they are, however you will need a rule to allow the reply
packets, and perhaps one to SNAT your Internet-bound packets if you are using
private addresses on your network.
> The problems:
> 1) They still can't resolve domain names.
> 2) POP3 can't seem to pass through going outside from the internal clients.
Questions:
1. Can clients access anything by IP address rather than hostname?
2. Do any other services work, such as web browsing (assuming you have rules
to allow other services)?
Suggestions:
1. Describe your network setup to us.
2. Show us all your netfilter rules.
Regards,
Antony.
--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
Please reply to the list;
please don't CC me.
* RE: pop3 and dns
From: Fritz Mesedilla @ 2004-05-05 4:42 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
> From what you show above, it's difficult to say. Are you using nat and
> private ips on the inside?
> Are you just forwarding all traffic via your
> iptables router and all your clients have public ips?
> Are you using private ips on the inside and doing nat at the router?
Yes. We have public ips on the outside while we have private ips on the inside doing nat through iptables and not through the router as we do not have control of the router.
For example,
202.78.90.166 <-> iptables <-> 192.168.247.11
202.78.90.166 <-> iptables <-> 192.168.247.12
For web browsing I have squid proxy. So normally, clients do not have to resolve domain names as squid proxy does it for them. Now I need to allow clients to resolve domain names to be able to retrieve pop3 from their other mail servers.
Thanks again!
Cheers,
fritz <www.mesedilla.com>
---
+ Basta Ikaw Lord
* RE: pop3 and dns
From: Fritz Mesedilla @ 2004-05-05 4:58 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
> These look fine as they are, however you will need a rule to
> allow the reply
> packets, and perhaps one to SNAT your Internet-bound packets
> if you are using
> private addresses on your network.
Oh... How do I do that? Can you give me a sample rule?
> Questions:
> 1. Can clients access anything by IP address rather than hostname?
> 2. Do any other services work, such as web browsing (assuming
> you have rules
> to allow other services)?
Clients cannot access anything except web browsing through the Squid proxy.
>
> Suggestions:
> 1. Describe your network setup to us.
> 2. Show us all your netfilter rules.
We have public ips on the outside while we have private ips on the inside doing nat through iptables and not through the router as we do not have control of the router.
For example,
202.78.90.166 <-> iptables <-> 192.168.247.11
202.78.90.166 <-> iptables <-> 192.168.247.12
For web browsing I have squid proxy. So normally, clients do not have to resolve domain names as squid proxy does it for them. Now I need to allow clients to resolve domain names to be able to retrieve pop3 from their other mail servers.
Thanks again!
Cheers,
fritz <www.mesedilla.com>
---
+ Basta Ikaw Lord
FIREWALL.SH
#!/bin/bash
#
# IP Firewall script for iptables
#
# Copyright (C) 2003-2004 Fritz Mesedilla <fritz@mesedilla.com>
#
###############################################################################
#
# Local Settings
#
IPTABLES="/sbin/iptables"
###############################################################################
#
# Load Modules
#
echo "Loading kernel modules..."
#/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_mark
#/sbin/modprobe ipt_tcpmss
#/sbin/modprobe multiport
#/sbin/modprobe ipt_unclean
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
###############################################################################
#
# Kernel Parameter Configuration
#
echo "Kernel configuration..."
###### Required to enable IPv4 forwarding. ####################################
echo "1" > /proc/sys/net/ipv4/ip_forward
###### This enables SYN flood protection. #####################################
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
###### Spoof protection #######################################################
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
###### Prevents smurfs and similar DoS nasty attacks. #########################
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
###### Stops "190.200.1.11 sent an invalid ICMP error to a broadcast." ########
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
###### Turn off ECN ###########################################################
echo "0" > /proc/sys/net/ipv4/tcp_ecn
###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables..."
###### Reset Default Policies #################################################
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F OUTPUT
$IPTABLES -F
echo "Firewall completely flushed! Now running with no firewall."
###############################################################################
#
# Filter Table
#
###############################################################################
##### Set Default Policies ####################################################
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
###############################################################################
#
# Anti-DoS Chain
#
echo "Processing Anti-DoS chain..."
###### Syn-flood chain #######################################################
$IPTABLES -N syn-flood
$IPTABLES -A syn-flood -i eth0 -m limit --limit 75/s --limit-burst 100 -j RETURN
$IPTABLES -A syn-flood -i eth1 -j RETURN
$IPTABLES -A syn-flood -j LOG --log-prefix "SYN-FLOOD: "
$IPTABLES -A syn-flood -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --syn -j syn-flood
$IPTABLES -A INPUT -i eth1 -p tcp --syn -j syn-flood
###############################################################################
#
# Notes
# 192.168.247.xxx - firewall private ip addresses
# 192.167.220.xxx - clients private ip addresses
#
# 202.138.128.xxx - public ip addresses
#
###############################################################################
#
# INPUT Chain
#
echo "Processing INPUT chain..."
###### Allow established connection ###########################################
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
###### Port 80 Incoming - Web Server ##########################################
$IPTABLES -A INPUT -p tcp -d 192.168.247.231 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -d 192.168.247.232 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -d 192.168.247.205 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -d 192.168.247.206 --dport 80 -j ACCEPT
###### Port 22 Incoming - SSH #################################################
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -s 192.167.220.21 --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -s 202.138.128.44 --dport 22 -j ACCEPT
###### Port 25 from internet to mail.overturemedia.com ########################
$IPTABLES -A INPUT -p tcp -i eth0 -d 192.168.247.230 --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 -d 192.168.247.204 --dport 25 -j ACCEPT
###### Port 25 from overlord.overturemedia.com to linux relay #################
$IPTABLES -A INPUT -p tcp -i eth1 -d 192.167.220.101 -s 192.167.220.102 --dport 25 -j ACCEPT
###### Port 123 time server ####################################################
$IPTABLES -A INPUT -p tcp -m tcp -s 192.167.220.102 --dport 123 --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp -s 192.167.220.102 --dport 123 -j ACCEPT
###### Port 137:139 - fritz/mark/samba ########################################
$IPTABLES -A INPUT -p tcp -s 192.167.220.21 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.167.220.24 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.167.220.102 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.167.220.103 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.167.220.21 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.167.220.24 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.167.220.102 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.167.220.103 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.167.220.102 --sport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.167.220.103 --sport 137:139 -j ACCEPT
###### Port 3128 incoming #####################################################
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.21 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.22 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.23 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.24 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.25 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.26 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.102 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.103 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.104 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.105 --dport 3128 -j ACCEPT
###### Port 8888 Incoming - fritz/Webmin ##############################################
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.167.220.21 --dport 8888 -j ACCEPT
###### Port 9200/9201 Incoming Wap Server #####################################
$IPTABLES -A INPUT -p udp -s 202.138.128.44 -d 192.168.247.206 --dport 9200 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 202.138.128.44 -d 192.168.247.206 --dport 9201 -j ACCEPT
###### loopback interface #####################################################
$IPTABLES -A INPUT -i lo -p ALL -j ACCEPT
###### drop everything else ###################################################
#$IPTABLES -A INPUT -p ALL -s 0/0 -j LOG --log-level DEBUG --log-prefix "DROPPED: "
$IPTABLES -A INPUT -p ALL -s 0/0 -j DROP
###############################################################################
#
# FORWARD Chain
#
echo "Processing FORWARD chain..."
###### dns ####################################################################
$IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -j LOG --log-prefix "POP3:"
$IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
###############################################################################
#
# OUTPUT Chain
#
echo "Processing OUTPUT chain..."
$IPTABLES -A OUTPUT -p tcp -j ACCEPT
$IPTABLES -A OUTPUT -p udp -j ACCEPT
###### loopback interface #####################################################
$IPTABLES -A OUTPUT -o lo -p ALL -j ACCEPT
###############################################################################
#
# NAT Chain
#
echo "Processing NAT..."
###### Transparent Proxy ######################################################
$IPTABLES -t nat -A PREROUTING -i eth1 -s 192.167.220.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
###### Allow established connections ##########################################
$IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
###### Development Server's Web Server NAT ####################################
#
#
###### Visitor to Firewall to Server #########################################
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.247.203 --dport 80 -j DNAT --to 192.167.220.22
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.167.220.22 --dport 80 -j ACCEPT
###### Server Reply to Firewall to Visitor ###################################
$IPTABLES -A FORWARD -p tcp -i eth1 -o eth0 -s 192.167.220.22 --sport 80 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp -o eth1 -d 192.167.220.22 --dport 80 -j MASQUERADE
###### office static nats #####################################################
#
#
###### fritz - sql ############################################################
$IPTABLES -A FORWARD -p tcp -i eth1 -o eth0 -s 192.167.220.21 -m multiport --dport 1433 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp -o eth0 -s 192.167.220.21 -m multiport --dport 1433 -j SNAT --to-source 192.168.247.11
###### jun - radmin,sql #######################################################
$IPTABLES -A FORWARD -p tcp -i eth1 -o eth0 -s 192.167.220.22 -m multiport --dport 4899,1433 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp -o eth0 -s 192.167.220.22 -m multiport --dport 4899,1433 -j SNAT --to-source 192.168.247.12
echo "IPTables firewall implemented."
###############################################################################
#
# Routing Table
#
route add -net 202.138.159.0 gw 190.200.1.246 netmask 255.255.255.0
route add -net 192.168.247.0 gw 190.200.1.246 netmask 255.255.255.0
echo "Routing table to Local Peer implemented."
* Re: pop3 and dns
From: Antony Stone @ 2004-05-05 10:24 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
On Wednesday 05 May 2004 5:58 am, Fritz Mesedilla wrote:
> > These look fine as they are, however you will need a rule to
> > allow the reply packets, and perhaps one to SNAT your Internet-bound
> > packets if you are using private addresses on your network.
>
> Oh... How do I do that? Can you give me a sample rule?
Well, your ruleset already contains a rule to allow the reply packets through
the FORWARD chain (although it is somewhat confusingly listed under the NAT
section of your rules), so I assume you're asking about SNAT. Here's an
example rule to allow clients to access remote POP3 services:
iptables -A POSTROUTING -t nat -p tcp --dport 110 -j SNAT --to w.x.y.z
where w.x.y.z is the external address of the firewall which you would like the
packets to have when they leave the machine.
By the way, what made you decide to use 192.167.220.x addresses for your
clients? That is not a reserved address range, and is part of a block
registered to the University of Ferrara in Italy.
> > Suggestions:
> > 1. Describe your network setup to us.
> > 2. Show us all your netfilter rules.
>
> We have public ips on the outside while we have private ips on the inside
> doing nat through iptables and not through the router as we do not have
> control of the router.
Other information which would be useful if we need to answer any more
questions are: what interface names on the firewall connect to the inside and
outside, and how have you interconnected the two different network ranges you
appear to be using 192.168.247.x and 192.167.220.x ?
> For web browsing I have squid proxy. So normally, clients do not have to
> resolve domain names as squid proxy does it for them. Now I need to allow
> clients to resolve domain names to be able to retrieve pop3 from their
> other mail servers.
Where is the DNS server which the clients are expected to access for this?
Are you running one on your network (good idea) or are they supposed to
access one run by your ISP (works, but will be slower and uses a bit more
bandwidth)?
Regards,
Antony.
--
Please reply to the list;
please don't CC me.
* Re: pop3 and dns
From: Alistair Tonner @ 2004-05-05 12:30 UTC (permalink / raw)
To: netfilter
On May 5, 2004 12:58 am, Fritz Mesedilla wrote:
> > These look fine as they are, however you will need a rule to
> > allow the reply
> > packets, and perhaps one to SNAT your Internet-bound packets
> > if you are using
> > private addresses on your network.
>
> Oh... How do I do that? Can you give me a sample rule?
>
> > Questions:
> > 1. Can clients access anything by IP address rather than hostname?
> > 2. Do any other services work, such as web browsing (assuming
> > you have rules
> > to allow other services)?
>
> Clients cannot access anything except web browsing through the Squid proxy.
>
> > Suggestions:
> > 1. Describe your network setup to us.
> > 2. Show us all your netfilter rules.
>
> We have public ips on the outside while we have private ips on the inside
> doing nat through iptables and not through the router as we do not have
> control of the router.
>
> For example,
>
> 202.78.90.166 <-> iptables <-> 192.168.247.11
> 202.78.90.166 <-> iptables <-> 192.168.247.12
>
> For web browsing I have squid proxy. So normally, clients do not have to
> resolve domain names as squid proxy does it for them. Now I need to allow
> clients to resolve domain names to be able to retrieve pop3 from their
> other mail servers.
>
> Thanks again!
>
Looking at your included ruleset I don't see any NAT of the (already) allowed
DNS and POP3 requests -- You have forward rules that will allow the DNS
requests out the forward chain, but you are only MASQUERADING the port 80
requests.
Try adding a duplicate of the MASQUERADE rule to TCP and UDP port 53.
If the pop3 is in the routable internet space, you need to MASQUERADE
that as well.
Alistair
>
<much snippage for Brevity >
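Putting Antony's SNAT rule and Alistair's point about NAT for port 53 together, here is an added example (not Fritz's firewall.sh and not from any reply) of the FORWARD and POSTROUTING rules the thread says are missing, written for the layout Fritz describes: eth0 outside, eth1 inside, clients in 192.167.220.0/24. EXT_IP stands in for the firewall's public address (Antony's w.x.y.z); 198.51.100.11 is a documentation placeholder, not an address from the thread, and with IPTABLES unset the script only prints the rules so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not Fritz's firewall.sh. Outbound DNS and POP3 for NATed
# clients: conntrack rule for replies, NEW-only accepts, and SNAT so the
# remote server has a public address to answer to.
# With IPTABLES unset the commands are echoed instead of executed.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
OUT_IF="${OUT_IF:-eth0}"                 # Fritz: eth0 carries the external addresses
IN_IF="${IN_IF:-eth1}"                   # Fritz: eth1 faces the internal clients
LAN="${LAN:-192.167.220.0/24}"           # client range from his script's notes
EXT_IP="${EXT_IP:-198.51.100.11}"        # placeholder for the firewall's public IP (w.x.y.z)

client_egress_rules() {
  # 1. Reply packets. Put the conntrack rule first in FORWARD so every rule
  #    after it only has to match the first packet of a connection.
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 2. New outbound DNS (UDP for ordinary lookups, TCP for truncated answers
  #    and zone transfers) and POP3, accepted only from the LAN towards the
  #    outside interface. The original rules matched either direction.
  for proto in udp tcp; do
    $IPTABLES -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$LAN" -p "$proto" \
      --dport 53 -m state --state NEW -j ACCEPT
  done
  $IPTABLES -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$LAN" -p tcp \
    --dport 110 -m state --state NEW -j ACCEPT

  # 3. Source NAT. Without it the packets leave with a 192.167.220.x source
  #    and the remote server's replies never find a route back. Restricting
  #    to -o $OUT_IF keeps the rewrite off traffic to the inside; SNAT rather
  #    than MASQUERADE because the external address is static, as in the
  #    sql/radmin rules of the posted script.
  for spec in "udp 53" "tcp 53" "tcp 110"; do
    set -- $spec   # $1 = protocol, $2 = port
    $IPTABLES -t nat -A POSTROUTING -o "$OUT_IF" -s "$LAN" -p "$1" --dport "$2" \
      -j SNAT --to-source "$EXT_IP"
  done
}

# Review check on the generated list: the conntrack rule must come first, and
# every NEW-accepting FORWARD rule must have a matching SNAT rule.
check_rules() {
  rules=$(client_egress_rules)
  first=$(printf '%s\n' "$rules" | head -n 1)
  case "$first" in
    *ESTABLISHED,RELATED*) ;;
    *) echo "conntrack rule is not first"; return 1 ;;
  esac
  accepts=$(printf '%s\n' "$rules" | grep -c -- '--state NEW -j ACCEPT')
  snats=$(printf '%s\n' "$rules" | grep -c -- '-j SNAT --to-source')
  if [ "$accepts" -ne "$snats" ]; then
    echo "accept/SNAT mismatch: $accepts vs $snats"; return 1
  fi
  echo "ok: $accepts forward rules, $snats SNAT rules"
}

client_egress_rules
check_rules
```

Run it once as-is to read the rules, then again with IPTABLES=/sbin/iptables as root to apply them.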
* RE: pop3 and dns
From: Fritz Mesedilla @ 2004-05-07 5:21 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
> By the way, what made you decide to use 192.167.220.x
> addresses for your
> clients? That is not a reserved address range, and is part
> of a block
> registered to the University of Ferrara in Italy.
- It was assigned to me by our mother company.
> Other information which would be useful if we need to answer any more
> questions are: what interface names on the firewall connect
> to the inside and
> outside, and how have you interconnected the two different
> network ranges you
> appear to be using 192.168.247.x and 192.167.220.x ?
eth0
- for the external ip addresses
- used by the internet to receive postfix mail that is relayed inside to an exchange server
eth1
- used by internal clients
diagram:
internet
|
|
eth0 (192.168.247.xxx)
|
firewall server
|
eth1 (192.167.220.xxx)
|
|
internal clients
> Where is the DNS server which the clients are expected to
> access for this?
> Are you running one on your network (good idea) or are they
> supposed to
> access one run by your ISP (works, but will be slower and
> uses a bit more
> bandwidth)?
- we are using our isp's dns. we do not run our own dns.
Thanks again!
Cheers,
fritz <www.mesedilla.com>
---
+ Basta Ikaw Lord
* Re: pop3 and dns
From: Peter Marshall @ 2004-05-11 13:37 UTC (permalink / raw)
To: Fritz Mesedilla, Netfilter Mailing List (E-mail)
I have an aside question ... Do you need to listen on both tcp and udp port
53 for DNS ? Can you just listen on the UDP one ? Does it require both ?
Thank you,
Peter Marshall
* Re: pop3 and dns
From: Alexander Samad @ 2004-05-12 4:22 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
On Tue, May 11, 2004 at 10:37:36AM -0300, Peter Marshall wrote:
> I have an aside question ... Do you need to listen on both tcp and udp port
> 53 for DNS ? Can you just listen on the UDP one ? Does it require both ?
>
udp for normal requests
tcp for zone transfers
A
> Thank you,
>
> Peter Marshall
>
>
> ----- Original Message -----
> From: "Fritz Mesedilla" <fritz.mesedilla@overturemedia.com>
> To: "Netfilter Mailing List (E-mail)" <netfilter@lists.netfilter.org>
> Sent: Tuesday, May 04, 2004 6:40 AM
> Subject: pop3 and dns
>
>
>
> Greetings!
> I have been looking for the answer to this through google...
>
> How do I allow POP3 through my iptables rules?
>
> I have done this...
> $IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
>
> $IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
>
> I included the dns forward rule to allow the internal clients to be able to
> resolve pop3 domain names.
>
> The problems:
> 1) They still can't resolve domain names.
> 2) POP3 can't seem to pass through going outside from the internal clients.
>
> Please advise me to what I still need to add. Thanks.
>
> Cheers,
>
> fritz <www.mesedilla.com>
> ---
> + Basta Ikaw Lord
* Re: pop3 and dns
From: Ray Leach @ 2004-05-12 7:15 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
On Wed, 2004-05-12 at 06:22, Alexander Samad wrote:
> On Tue, May 11, 2004 at 10:37:36AM -0300, Peter Marshall wrote:
> > I have an aside question ... Do you need to listen on both tcp and udp port
> > 53 for DNS ? Can you just listen on the UDP one ? Does it require both ?
> >
>
> udp for normal requests
> tcp for zone transfers
and large answers ...
>
> A
>
> > Thank you,
> >
> > Peter Marshall
> >
> >
> > ----- Original Message -----
> > From: "Fritz Mesedilla" <fritz.mesedilla@overturemedia.com>
> > To: "Netfilter Mailing List (E-mail)" <netfilter@lists.netfilter.org>
> > Sent: Tuesday, May 04, 2004 6:40 AM
> > Subject: pop3 and dns
> >
> >
> >
> > Greetings!
> > I have been looking for the answer to this through google...
> >
> > How do I allow POP3 through my iptables rules?
> >
> > I have done this...
> > $IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
> > $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
> >
> > $IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
> >
> > I included the dns forward rule to allow the internal clients to be able to
> > resolve pop3 domain names.
> >
> > The problems:
> > 1) They still can't resolve domain names.
> > 2) POP3 can't seem to pass through going outside from the internal clients.
> >
> > Please advise me to what I still need to add. Thanks.
> >
> > Cheers,
> >
> > fritz <www.mesedilla.com>
> > ---
> > + Basta Ikaw Lord
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: pop3 and dns
From: Dana Bourgeois @ 2004-05-12 19:14 UTC (permalink / raw)
Cc: Netfilter Mailing List (E-mail)
Ray Leach wrote:
> On Wed, 2004-05-12 at 06:22, Alexander Samad wrote:
>
>>On Tue, May 11, 2004 at 10:37:36AM -0300, Peter Marshall wrote:
>>
>>>I have an aside question ... Do you need to listen on both tcp and udp port
>>>53 for DNS ? Can you just listen on the UDP one ? Does it require both ?
>>>
>>
>>udp for normal requests
>>tcp for zone transfers
>
>
> and large answers ...
...where a 'large answer' is usually taken to be a UDP packet of more
than 512 bytes.
Dana Bourgeois
<snip>
* Re: pop3 and dns
From: Cedric Blancher @ 2004-05-12 19:34 UTC (permalink / raw)
To: Netfilter Mailing List
On Wed 12/05/2004 at 21:14, Dana Bourgeois wrote:
> >>tcp for zone transfers
> > and large answers ...
> ...where a 'large answer' is usually taken to be a UDP packet of more
> than 512 bytes.
I don't quite understand the meaning of this answer... So, I'll clarify.
When a DNS server has to reply on UDP with more than 512 bytes of data,
it sends back an answer with the TC (truncated) bit set to let the client know
the answer is not complete and have it send the query again using TCP.
The reason seems to be tied to the old 576-byte MTU, which leaves a bit more
than 512 bytes for answer data.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: pop3 and dns
From: Dick St.Peters @ 2004-05-12 21:21 UTC (permalink / raw)
To: Cedric Blancher; +Cc: Netfilter Mailing List
Cedric Blancher writes:
> On Wed 12/05/2004 at 21:14, Dana Bourgeois wrote:
> > >>tcp for zone transfers
> > > and large answers ...
> > ...where a 'large answer' is usually taken to be a UDP packet of more
> > than 512 bytes.
>
> I don't quite understand the meaning of this answer... So, I clarify.
>
> When a DNS server has to reply on UDP with more than 512 bytes of data,
> it sends back an answer with TC bit (truncated) set to let client know
> answer is not complete and have him send it again using TCP.
To add my own bit of clarification, it's not large answers that need
TCP open, it's requests that have large answers. If the client gets a
UDP answer with the TC bit set, it should send the query again using a
TCP connection ... and the server must listen for such connections
... and its firewall must let them through.
--
Dick St.Peters, stpeters@NetHeaven.com
* Re: pop3 and dns
From: cldavis @ 2004-05-13 1:40 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: Dick St.Peters [mailto:stpeters@NetHeaven.com]
> Sent: Wednesday, May 12, 2004 09:21 PM
> To: 'Cedric Blancher'
> Cc: 'Netfilter Mailing List'
> Subject: Re: pop3 and dns
>
> Cedric Blancher writes:
> > On Wed 12/05/2004 at 21:14, Dana Bourgeois wrote:
> > > >>tcp for zone transfers
> > > > and large answers ...
> > > ...where a 'large answer' is usually taken to be a UDP packet of more
> > > than 512 bytes.
> >
> > I don't quite understand the meaning of this answer... So, I clarify.
> >
> > When a DNS server has to reply on UDP with more than 512 bytes of data,
> > it sends back an answer with TC bit (truncated) set to let client know
> > answer is not complete and have him send it again using TCP.
>
> To add my own bit of clarification, it's not large answers that need
> TCP open, it's requests that have large answers. If the client gets a
> UDP answer with the TC bit set, it should send the query again using a
> TCP connection ... and the server must listen for such connections
> ... and its firewall must let them through.
<snip>
In following this post...
I currently only allow port 53/udp through my wall for dns. I haven't noticed many
In the event that someone is able to compromise a dns server, what would be the best way to restrict tcp zone transfers at the firewall? Rate limiting comes to my mind, any suggestions on the actual limits?
Other suggestions?
Thanks!
Christopher Davis
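An added example, not code from anyone in this thread, that shows on the wire what the two sub-threads above describe: Cedric's and Dick's point that a UDP reply carrying the TC bit must be repeated over TCP port 53 (with the 2-byte length prefix TCP DNS uses), and, for Christopher's question, what a zone-transfer request (qtype AXFR or IXFR) looks like so it can be recognised in a capture at the firewall. The query builder, the truncated reply and the name example.com are constructed for this example; no EDNS is used, so the classic 512-byte UDP limit applies.

```python
import struct

QTYPE_A, QTYPE_IXFR, QTYPE_AXFR = 1, 251, 252
FLAG_QR, FLAG_TC = 0x8000, 0x0200   # response bit, truncated bit


def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query (constructed; no EDNS, so UDP replies cap at 512 bytes)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, flags, qname, qtype) from the header and first question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while msg[pos] != 0:                       # walk length-prefixed labels
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, flags, ".".join(labels) + ".", qtype


def truncated_reply(query):
    """Constructed stand-in for a server whose answer would exceed 512 bytes:
    the question is echoed with QR and TC set and no answer records."""
    _, flags, _, _ = parse_question(query)
    return query[:2] + struct.pack("!H", flags | FLAG_QR | FLAG_TC) + query[4:]


def needs_tcp_retry(udp_reply, txid):
    """True when the reply matches our txid, is a response, and has TC set;
    the client must then repeat the same query over TCP port 53."""
    rid, flags, _, _ = parse_question(udp_reply)
    return rid == txid and bool(flags & FLAG_QR) and bool(flags & FLAG_TC)


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def is_zone_transfer(query):
    """Detection helper: flag AXFR/IXFR requests seen at the firewall."""
    return parse_question(query)[3] in (QTYPE_AXFR, QTYPE_IXFR)
```

A firewall that only passes 53/udp will drop the TCP retry, so clients whose answers exceed 512 bytes fail even though the UDP exchange itself worked.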
* RE: pop3 and dns
From: Mark E. Donaldson @ 2004-05-13 23:49 UTC (permalink / raw)
To: cldavis, netfilter
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of
cldavis@speakeasy.net
Sent: Wednesday, May 12, 2004 6:40 PM
To: netfilter@lists.netfilter.org
Subject: Re: pop3 and dns
> -----Original Message-----
> From: Dick St.Peters [mailto:stpeters@NetHeaven.com]
> Sent: Wednesday, May 12, 2004 09:21 PM
> To: 'Cedric Blancher'
> Cc: 'Netfilter Mailing List'
> Subject: Re: pop3 and dns
>
> Cedric Blancher writes:
> > On Wed 12/05/2004 at 21:14, Dana Bourgeois wrote:
> > > >>tcp for zone transfers
> > > > and large answers ...
> > > ...where a 'large answer' is usually taken to be a UDP packet of
> > > more than 512 bytes.
> >
> > I don't quite understand the meaning of this answer... So, I clarify.
> >
> > When a DNS server has to reply on UDP with more than 512 bytes of
> > data, it sends back an answer with TC bit (truncated) set to let
> > client know answer is not complete and have him send it again using TCP.
>
> To add my own bit of clarification, it's not large answers that need
> TCP open, it's requests that have large answers. If the client gets a
> UDP answer with the TC bit set, it should send the query again using a
> TCP connection ... and the server must listen for such connections ...
> and its firewall must let them through.
<snip>
In following this post...
I currently only allow port 53/udp through my wall for dns. I haven't
noticed many
In the event that someone is able to compromise a dns server, what would be
the best way to restrict tcp zone transfers at the firewall? Rate limiting
comes to my mind, any suggestions on the actual limits?
Other suggestions?
Thanks!
Christopher Davis
Christopher - You should never rely on your firewall to restrict zone
transfers. You should create an ACL in your named.conf file for hosts
permitted to request zone transfers, and then apply this against the
allow-transfer parameter. Example below:
# Allow zone transfers from these name servers
acl "xfers" {
    192.168.1.1;
    192.168.2.1;
    localhost;
};

##########################
# ZONE TRANSFER
##########################
# Only allow hosts in the "xfers" acl to do zone transfers.
# allow-transfer belongs inside options { } (global default) or inside
# an individual zone { } statement; it is shown here as the global default.
options {
    allow-transfer { xfers; };
};