* [LARTC] iptables : Incoming mail and ping problem
@ 2003-02-06 13:38 Shaheen Hossain
  2003-02-07 14:14 ` Bartek Krajnik
  2003-02-12  8:29 ` Bartek Krajnik
  0 siblings, 2 replies; 3+ messages in thread
From: Shaheen Hossain @ 2003-02-06 13:38 UTC (permalink / raw)
  To: lartc


Diff between File I (iptablesRC) and File II (iptablesRC.2). File I works for incoming mail. File II does not work for incoming mail, nor does pinging this server on its external interface NIC IP.

I could not figure out which difference in these port-allowing, reject or accept commands is keeping the incoming mail from coming in on RH Linux 7.3. Please help. Thanks.

------------------------------------------------------------------------------
[shossain@mohican shossain]$ diff /home/admin/firewall/iptablesRC /home/admin/firewall/iptablesRC.2 |  more
162c162
< $IPTABLES -A allowed -p TCP -j REJECT
---
> $IPTABLES -A allowed -p TCP -j DROP
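Review bot: swapping REJECT for DROP on the last line of the `allowed` chain changes only what a refused sender sees (a TCP RST or ICMP error versus silence), not which packets are accepted, so this hunk cannot be what broke inbound SMTP; in both versions the line is the catch-all for TCP that matched nothing earlier in `allowed`. DROP does make failures harder to diagnose from outside, because a client being dropped waits for a timeout instead of getting an immediate refusal, so while the ruleset is still being debugged remotely it is worth keeping `-j REJECT` here.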
185,187c185,187
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1503 -j allowed
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5001:65535 -j allowed
---
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1500:65535 -j allowed
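Review bot: collapsing the three specific entries (1503, 3389 and 5001:65535) into a single `--dport 1500:65535` opens every port from 1500 upward to `-s 0/0`, including the 1504-3388 and 3390-5000 ranges the old file did not allow; that is a loosening, not a tidy-up, and since neither version of this hunk mentions port 25 it has no bearing on mail. Keep the explicit ports and add only the ones a service actually listens on.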
192,200c192,200
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 22 -j ACCEPT
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 25 -j ACCEPT
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 42 -j ACCEPT
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 80 -j ACCEPT
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 113 -j ACCEPT
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 143 -j ACCEPT
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 174 -j ACCEPT
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 443 -j ACCEPT
< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 5001:65535 -j ACCEPT
---
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 22 -j ACCEPT
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 25 -j ACCEPT
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 42 -j ACCEPT
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 80 -j ACCEPT
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 113 -j ACCEPT
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 143 -j ACCEPT
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 174 -j ACCEPT
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 443 -j ACCEPT
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 1500:65535 -j ACCEPT
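Review bot: `--source-port` and `--sport` are the same option of the iptables tcp match, so that part of the hunk is cosmetic, but these rules accept any inbound TCP packet on the strength of its source port alone, and with the widened `--sport 1500:65535 -j ACCEPT` from `0/0` every client-chosen ephemeral port now passes straight through, which makes the `--dport` filtering in the previous hunk meaningless (any remote host can pick its own source port, 22 or 80 included). Replace these nine lines with one state match for return traffic, `$IPTABLES -A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT`, and let the `--dport` rules decide which new connections get in.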
262d261
<
268d266
<



* Re: [LARTC] iptables : Incoming mail and ping problem
  2003-02-06 13:38 [LARTC] iptables : Incoming mail and ping problem Shaheen Hossain
@ 2003-02-07 14:14 ` Bartek Krajnik
  2003-02-12  8:29 ` Bartek Krajnik
  1 sibling, 0 replies; 3+ messages in thread
From: Bartek Krajnik @ 2003-02-07 14:14 UTC (permalink / raw)
  To: lartc

On Thu, Feb 06, 2003 at 07:38:54PM +0600, Shaheen Hossain wrote:
> Diff between File I (iptablesRC) and File II (iptablesRC.2). File I works for incoming mail. File II does not work for incoming mail, nor does pinging this server on its external interface NIC IP.
> 
> I could not figure out which difference in these port-allowing, reject or accept commands is keeping the incoming mail from coming in on RH Linux 7.3. Please help. Thanks.
> 
> ------------------------------------------------------------------------------
> [shossain@mohican shossain]$ diff /home/admin/firewall/iptablesRC /home/admin/firewall/iptablesRC.2 |  more
> 162c162
> < $IPTABLES -A allowed -p TCP -j REJECT
> ---
> > $IPTABLES -A allowed -p TCP -j DROP
> 185,187c185,187
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1503 -j allowed
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5001:65535 -j allowed
> ---
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1500:65535 -j allowed
> 192,200c192,200
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 22 -j ACCEPT
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 25 -j ACCEPT
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 42 -j ACCEPT
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 80 -j ACCEPT
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 113 -j ACCEPT
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 143 -j ACCEPT
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 174 -j ACCEPT
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 443 -j ACCEPT
> < $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 5001:65535 -j ACCEPT
> ---
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 22 -j ACCEPT
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 25 -j ACCEPT
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 42 -j ACCEPT
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 80 -j ACCEPT
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 113 -j ACCEPT
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 143 -j ACCEPT
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 174 -j ACCEPT
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 443 -j ACCEPT
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 1500:65535 -j ACCEPT
> 262d261
> <
> 268d266
> <
Send both files, not differences.

-- 
GPG-Key:
   http://www.bartek.bicom.pl/public_key.txt
   pub  1024D/948DE45D 2002-12-12 Bartek Krajnik <bartek@bicom.pl>
   Primary key fingerprint: 95E9 8E2D 1801 7864 2244  6EAA 03E5 764D 948D E45D


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] iptables : Incoming mail and ping problem
  2003-02-06 13:38 [LARTC] iptables : Incoming mail and ping problem Shaheen Hossain
  2003-02-07 14:14 ` Bartek Krajnik
@ 2003-02-12  8:29 ` Bartek Krajnik
  1 sibling, 0 replies; 3+ messages in thread
From: Bartek Krajnik @ 2003-02-12  8:29 UTC (permalink / raw)
  To: lartc

----- Forwarded message from Shaheen Hossain <shaheen@o2oSoft.com> -----

From: "Shaheen Hossain" <shaheen@o2oSoft.com>
Subject: Re: Thanks for willing to help
Date: Wed, 12 Feb 2003 01:53:02 +0600

Thanks Bartek, this was of great help. As a result, my mail is now
functional. Great, thanks.


----- Original Message -----
From: "Bartek Krajnik" <bartek@bicom.pl>
To: "Shaheen Hossain" <shaheen@o2oSoft.com>
Sent: Tuesday, February 11, 2003 5:28 PM
Subject: Re: Thanks for willing to help


bk> On Sun, Feb 09, 2003 at 08:56:36PM +0600, Shaheen Hossain wrote:
bk> sh> Dear Bartek, thanks for being willing to help. Since the mail is not working,
bk> sh> please respond back to shaheen@o2oSoft.com. File II works for email and
bk> sh> pinging to the server. Strangely, File I does not; the difference I can see is in
bk> sh> line 162. Thanks again. I really appreciate it.
bk> sh>
bk> sh> -- shaheen hossain
bk> sh>
bk> Line 162 from fileI:
bk> $IPTABLES -A allowed -p TCP -j DROP
bk>               fileII:
bk> $IPTABLES -A allowed -p TCP -j REJECT
bk> there shouldn't be problems.
bk>
bk> Do you know about this?
bk> less /usr/src/linux-2.4.20/include/linux/icmp.h
bk> #define ICMP_ECHO               8       /* Echo Request                 */
bk> #define ICMP_TIME_EXCEEDED      11      /* Time Exceeded                */
bk>
bk> Scenario with fileI.
bk> Now, when someone tries from the world:
bk> # telnet 203.76.102.44 25
bk> the first SYN packet goes to:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j DROP
bk>
bk> You don't have an instruction like:
bk> $IPTABLES -A INPUT -p tcp -j tcp_packets
bk>
bk> So it should be:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j DROP
bk>
bk> Now after:
bk> # telnet 203.76.102.44 25
bk> first SYN packet goes to:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk> and it's OK.
bk> From your server a packet goes back:
bk> $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
bk> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk> And next:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk> and should be OK.
bk>
bk> With icmp:
bk> # ping 203.76.102.44
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j DROP
bk>
bk> When you change this:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j icmp_packets
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j DROP
bk>
bk> packet icmp-request (ping) goes:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j icmp_packets
bk> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
bk>
bk> Now from your server the echo-response (pong):
bk> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk>
bk> IMHO your scripts need more work.
bk> Read up somewhere on the TCP/ICMP/UDP protocols.
bk>
bk> Best regards,
bk> Bartek.
bk> --
bk> GPG-Key:
bk>    http://www.bartek.bicom.pl/public_key.txt
bk>    pub  1024D/948DE45D 2002-12-12 Bartek Krajnik <bartek@bicom.pl>
bk>    Primary key fingerprint: 95E9 8E2D 1801 7864 2244  6EAA 03E5 764D 948D E45D
bk>
bk>
bk>
----- End forwarded message -----



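The chain walk Bartek traces in the forwarded message can be replayed offline. What follows is an added example, not code from the thread or from Shaheen's firewall script: a small Python model of iptables filter-chain traversal that is fed rule text in the script's own syntax. It assumes $INET_IFACE is eth0, and it assumes the body of the `allowed` chain (a `--syn` accept, an ESTABLISHED,RELATED state accept, then the final DROP the diff shows), which the thread never posts. The point it makes is the one in the reply: without a jump from INPUT into tcp_packets and icmp_packets, the SMTP SYN and the ICMP echo request hit the LOG and DROP lines before any classifier chain sees them; with the jumps inserted ahead of those lines, both are accepted and only unmatched traffic falls through to be logged and dropped.

```python
"""Toy iptables chain walker replaying the packet walk Bartek describes (added
example, not the thread's script).  Rules in a chain are tried in order, LOG is
non-terminal, a user chain returns to its caller when a packet runs off its end,
and ACCEPT/DROP/REJECT are final.  Assumed: $INET_IFACE is eth0, and the body
of `allowed` above its final DROP (the thread never shows it)."""
import shlex
from typing import List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def port_range(spec: str) -> Tuple[int, int]:
    """'25' -> (25, 25); '1500:65535' -> (1500, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

# option -> (rule key, converter); --sport and --source-port are synonyms in iptables
SETTERS = {"-A": ("chain", str), "-j": ("target", str), "-i": ("iface", str),
           "-p": ("proto", str.lower), "--dport": ("dport", port_range),
           "--sport": ("sport", port_range), "--source-port": ("sport", port_range),
           "--icmp-type": ("icmp_type", int), "--state": ("states", lambda s: set(s.split(",")))}

def parse_rule(line: str) -> dict:
    """Parse one `-A CHAIN <matches> -j TARGET` line into a match dict."""
    toks, i = shlex.split(line), 0
    rule = {"chain": None, "target": None, "iface": None, "proto": None, "dport": None,
            "sport": None, "icmp_type": None, "syn": False, "states": None}
    while i < len(toks):
        t = toks[i]
        if t == "--syn":                 # the one flag here that takes no argument
            rule["syn"], i = True, i + 1
            continue
        if t in SETTERS:
            key, conv = SETTERS[t]
            rule[key] = conv(toks[i + 1])
        elif t not in ("-s", "-m", "--log-prefix"):   # -s is 0/0 throughout (any); -m/--log-prefix add no match
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 2
    return rule

def matches(rule: dict, pkt: dict) -> bool:
    """Does the rule's match part apply to this packet?"""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] not in ("all", pkt["proto"]):
        return False
    for key in ("dport", "sport"):
        if rule[key] and not rule[key][0] <= pkt.get(key, -1) <= rule[key][1]:
            return False
    if rule["icmp_type"] is not None and pkt.get("icmp_type") != rule["icmp_type"]:
        return False
    if rule["syn"] and not pkt.get("syn"):
        return False
    return not rule["states"] or pkt.get("state") in rule["states"]

def walk(rules: List[dict], chain: str, pkt: dict, trace: List[str]) -> Optional[str]:
    """Walk one chain; return a final verdict, or None when the packet falls off the end."""
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt):
            continue
        trace.append(f"{chain}: -j {r['target']}")
        if r["target"] in TERMINAL:
            return r["target"]
        if r["target"] == "LOG":         # non-terminal: log, then keep walking
            continue
        v = walk(rules, r["target"], pkt, trace)   # jump into a user-defined chain
        if v:
            return v                     # else that chain returned; continue here

def verdict(ruleset: str, pkt: dict, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Evaluate a packet against INPUT; return (verdict, targets hit, in order)."""
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
    trace: List[str] = []
    return walk(rules, "INPUT", pkt, trace) or policy, trace

# Classifier chains as the thread shows them; the `allowed` body is the assumption noted above.
USER_CHAINS = """
-A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
-A allowed -p TCP --syn -j ACCEPT
-A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p TCP -j DROP
-A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"""
# As posted: INPUT never jumps into tcp_packets/icmp_packets, so it logs and drops everything.
BROKEN = USER_CHAINS + """
-A INPUT -i eth0 -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
-A INPUT -i eth0 -p tcp -j DROP
-A INPUT -i eth0 -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
-A INPUT -i eth0 -p icmp -j DROP
"""
# Bartek's fix: jump into the classifier chains first; LOG+DROP only see what they returned.
FIXED = USER_CHAINS + """
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
-A INPUT -i eth0 -p tcp -j DROP
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -i eth0 -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
-A INPUT -i eth0 -p icmp -j DROP
"""
# Constructed packets: a new SMTP connection, a ping, and a SYN to a port nothing allows.
SMTP_SYN = {"iface": "eth0", "proto": "tcp", "sport": 40123, "dport": 25, "syn": True, "state": "NEW"}
PING = {"iface": "eth0", "proto": "icmp", "icmp_type": 8}
STRAY_SYN = dict(SMTP_SYN, dport=8080)

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for label, pkt in (("SMTP SYN", SMTP_SYN), ("ping", PING), ("SYN to 8080", STRAY_SYN)):
            v, trace = verdict(rules, pkt)
            print(f"{name:6} {label:11} -> {v:6}  {' > '.join(trace)}")
```

The trace column is the equivalent of watching the per-rule counters in `iptables -L -v -n` or the kernel LOG lines on the real box: it shows which rule each packet actually reached, which is how the missing `-j tcp_packets` jump is spotted. The model deliberately ignores `-s` (only 0/0 appears in the script) and does not generate REJECT's error reply, since only the verdict matters for this thread.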
