* debugging iptables
From: Mark Tessier @ 2002-06-17 20:59 UTC
  To: netfilter

I've set up a small network with 2 subnets: LAN and DMZ. The LAN and DMZ are
connected by a rh7.1 running an iptables choke firewall. The rc.firewall
script is based on Ziegler's chapter 6 choke firewall script. When I run the
rc.firewall script I get several errors that I'm hoping someone can help me
with. Here's a look at those errors:

iptables v1.2.1a: host/network `smtpx.xxxx.xx' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.1a: host/network `smtpx.xxxx.xx' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.1a: host/network `mail.yyyy.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.1a: host/network `mail.yyyy.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.1a: host/network `news.cis.dfn.de' not found
Try `iptables -h' or 'iptables --help' for more information.
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `1024:65535'

Here's the section that some of these errors refer to:

# Sending Mail to the Mail Gateway Server (TCP Port 25)

iptables -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $SMTP_SERVER --dport 25 \
         -m state --state NEW -j ACCEPT

iptables -A OUTPUT -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS \
         -d $SMTP_SERVER --dport 25 \
         -m state --state NEW -j ACCEPT

###############################################################

# Retrieving Mail as a POP Client (TCP Port 110)

iptables -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $POP_SERVER --dport 110 \
         -m state --state NEW -j ACCEPT

iptables -A OUTPUT -o $DMZ_INTERFACE -p tcp \
         -s $DMZ_IPADDR --sport $UNPRIVPORTS \
         -d $POP_SERVER --dport 110 \
         -m state --state NEW -j ACCEPT

I'm not sure why the script causes these error messages, while others like accessing an HTTP server don't produce any error messages. DNS rules are prior to these rules.

-- 
Thanks,

Mark


* Re: debugging iptables
From: Antony Stone @ 2002-06-17 21:12 UTC
  To: netfilter

On Monday 17 June 2002 9:59 pm, Mark Tessier wrote:

> iptables v1.2.1a: host/network `smtpx.xxxx.xx' not found
> Try `iptables -h' or 'iptables --help' for more information.

[ Etc..... ]

What are the values of the variables $SMTP_SERVER and $POP_SERVER in your 
script ?

> I'm not sure why the script causes these error messages, while others like
> accessing an HTTP server doesn't produce any error mesages. DNS rules are
> prior to these rules.

What are your DNS rules ?

 

Antony.



* Re: debugging iptables
From: Antony Stone @ 2002-06-17 22:04 UTC
  To: netfilter

On Monday 17 June 2002 10:33 pm, Mark Tessier wrote:

> > What are the values of the variables $SMTP_SERVER and $POP_SERVER in your
> > script ?
>
> SMTP_SERVER="smtp1.my.isp.ca"
> POP_SERVER="mail.my.isp.com"

Okay, so your firewall needs to be able to resolve hostnames at the time it 
processes any rules containing these names.   Are you sure it can do that at 
that time ?

I see FORWARD and OUTPUT rules for destination port 53, but what rules do you 
have for allowing packets into the INPUT chain so that the DNS server can 
reply ?

Also, I'm a bit puzzled at your labelling of the interfaces - am I right in 
thinking you have an internal network interface called $LAN_INTERFACE, and an 
external interface called $DMZ_INTERFACE ?   It's more common to use DMZ for 
a second 'internal' interface which has some access from the inside, and some 
from the outside, rather than to label the external interface like this...

I assume you have the recommended DROP policy on your INPUT and OUTPUT 
chains, so try putting a LOG line at the end of each of those and see what 
gets logged (just before getting dropped).   I'll bet something gets logged 
from your INPUT chain which doesn't look good.....

 

Antony.
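The three fixes Antony describes (resolve hostnames before any rule is loaded, an INPUT rule so DNS replies reach the firewall, and a LOG rule ahead of each DROP policy), applied to the rule style of Mark's script, as an added example that is not part of this thread. The interface name, the 192.0.2.x addresses, the SMTP address and the glibc `getent`-based resolver are assumptions; by default the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example, not Mark's rc.firewall: resolve hostnames once before any
# rule loads, let DNS *replies* into INPUT, and LOG whatever each DROP policy
# is about to discard. Interfaces and 192.0.2.x addresses are placeholders.
IPTABLES="${IPTABLES:-echo iptables}"  # dry run by default; IPTABLES=iptables applies
DMZ_INTERFACE="${DMZ_INTERFACE:-eth1}"
DMZ_IPADDR="${DMZ_IPADDR:-192.0.2.1}"
NAMESERVER="${NAMESERVER:-192.0.2.53}"
UNPRIVPORTS="1024:65535"

# True when $1 is a dotted-quad IPv4 literal, i.e. no DNS lookup is needed.
is_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print the IPv4 address for $1 (glibc getent assumed), or fail loudly instead
# of letting iptables report "host/network ... not found" mid rule set.
resolve_or_die() {
    if is_ipv4 "$1"; then printf '%s\n' "$1"; return 0; fi
    addr=$(getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }')
    [ -n "$addr" ] || { echo "cannot resolve '$1'; not loading rules" >&2; return 1; }
    printf '%s\n' "$addr"
}

# The firewall itself must both send DNS queries and receive the answers: an
# OUTPUT rule alone lets the query out while the INPUT policy drops the reply.
allow_firewall_dns() {
    $IPTABLES -A OUTPUT -o "$DMZ_INTERFACE" -p udp -s "$DMZ_IPADDR" \
        --sport "$UNPRIVPORTS" -d "$NAMESERVER" --dport 53 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i "$DMZ_INTERFACE" -p udp -s "$NAMESERVER" \
        --sport 53 -d "$DMZ_IPADDR" --dport "$UNPRIVPORTS" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Last rule in each chain: LOG is non-terminating, so a packet reaching it is
# logged and then falls through to the chain's DROP policy.
log_before_drop() {
    $IPTABLES -A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPTABLES -A OUTPUT -j LOG --log-prefix "FW-OUTPUT-DROP: "
}

smtp_ip=$(resolve_or_die "${SMTP_SERVER:-192.0.2.25}") || exit 1
allow_firewall_dns
$IPTABLES -A OUTPUT -o "$DMZ_INTERFACE" -p tcp -s "$DMZ_IPADDR" \
    --sport "$UNPRIVPORTS" -d "$smtp_ip" --dport 25 -m state --state NEW -j ACCEPT
log_before_drop
```

Run it with `SMTP_SERVER=smtp1.my.isp.ca` and the default dry run to see whether the name resolves on the firewall before committing any rule; with `IPTABLES=iptables` the same commands are applied.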

