Re: [LARTC] iptables : Incoming mail and ping problem

From: Bartek Krajnik <bartek@bicom.pl>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] iptables : Incoming mail and ping problem
Date: Wed, 12 Feb 2003 08:29:58 +0000	[thread overview]
Message-ID: <marc-lartc-104503865608853@msgid-missing> (raw)
In-Reply-To: <marc-lartc-104453889815152@msgid-missing>

----- Forwarded message from Shaheen Hossain <shaheen@o2oSoft.com> -----

From: "Shaheen Hossain" <shaheen@o2oSoft.com>
Subject: Re: Thanks for willing to help
Date: Wed, 12 Feb 2003 01:53:02 +0600

Thanks Bartek, this was of great help. As a result, my mail is now
functional. Great, thanks.

----- Original Message -----
From: "Bartek Krajnik" <bartek@bicom.pl>
To: "Shaheen Hossain" <shaheen@o2oSoft.com>
Sent: Tuesday, February 11, 2003 5:28 PM
Subject: Re: Thanks for willing to help

bk> On Sun, Feb 09, 2003 at 08:56:36PM +0600, Shaheen Hossain wrote:
bk> sh> Dear Bartek, thanks for willing to help. Since the mail is not working,
please respond back to shaheen@o2oSoft.com. File II works for email and
pinging to the server. Strangely File I does not, difference I can see is in
line 162. Thanks again. I really appreciate it.
bk> sh>
bk> sh> -- shaheen hossain
bk> sh>
bk> Line 162 from fileI:
bk> $IPTABLES -A allowed -p TCP -j DROP
bk>               fileII:
bk> $IPTABLES -A allowed -p TCP -j REJECT
bk> there shouldn't be problems.
bk>
bk> Do You know about this?
bk> less /usr/src/linux-2.4.20/include/linux/icmp.h
bk> #define ICMP_ECHO               8       /* Echo Request                 */
bk> #define ICMP_TIME_EXCEEDED      11      /* Time Exceeded                */
bk>
bk> Scenariowith fileI.
bk> Now, when someone tries from world
bk> # telnet 203.76.102.44 25
bk> first SYN packet goes to:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES
TCP-IN: "
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j DROP
bk>
bk> You don't have instruction like:
bk> $IPTABLES -A INPUT -p tcp -j tcp_packets
bk>
bk> So it should be:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j LOG --log-prefix "IPTABLES
TCP-IN: "
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j DROP
bk>
bk> Now after:
bk> # telnet 203.76.102.44 25
bk> first SYN packet goes to:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk> and it's OK.
bk> From your server goes back packet:
bk> $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
bk> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk> And next:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p tcp -j tcp_packets
bk> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk> and should be OK.
bk>
bk> With icmp:
bk> # ping 203.76.102.44
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES
ICMP-IN: "
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j DROP
bk>
bk> When you change this:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j icmp_packets
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j LOG --log-prefix "IPTABLES
ICMP-IN: "
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j DROP
bk>
bk> packet icmp-request (ping) goes:
bk> $IPTABLES -A INPUT  -i $INET_IFACE -p icmp -j icmp_packets
bk> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
bk>
bk> Now from Your server echo-response (pong):
bk> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk>
bk> IMHO Your scripts needs more work.
bk> Read somewhere about TCP/ICMP/UDP protocols.
bk>
bk> Best regards,
bk> Bartek.
bk> --
bk> GPG-Key:
bk>    http://www.bartek.bicom.pl/public_key.txt
bk>    pub  1024D/948DE45D 2002-12-12 Bartek Krajnik <bartek@bicom.pl>
bk>    Primary key fingerprint: 95E9 8E2D 1801 7864 2244  6EAA 03E5 764D 948D
E45D
bk>
bk>
bk>
----- End forwarded message -----

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/