* pop3 and vpn
@ 2005-08-11 10:54 Vinod H
2005-08-11 17:22 ` /dev/rob0
2005-08-12 5:34 ` Grant Taylor
0 siblings, 2 replies; 3+ messages in thread
From: Vinod H @ 2005-08-11 10:54 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
Hi,
I am Vinod. I have Red Hat Linux 9 as my firewall and mail server, and I
want to open the POP3 (110) port. We also have a Cisco VPN installed at our
UK office, and from here we are trying to connect to that VPN server through
the Cisco VPN Client installed on one of the Windows 2000 Pro client
machines. If I connect through some internet dialup I am able to connect,
but if I go through our internet gateway, which is our firewall, I am not
able to connect.
I don't know whether I need to open some port in the firewall so that my
VPN works. Following is my iptables:
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004
*mangle
:PREROUTING ACCEPT [7589140:3899377832]
:INPUT ACCEPT [1296105:906900344]
:FORWARD ACCEPT [6292332:2992176682]
:OUTPUT ACCEPT [836464:135776667]
:POSTROUTING ACCEPT [7126045:3127754859]
COMMIT
# Completed on Tue Jun 15 15:16:30 2004
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004
*nat
:PREROUTING ACCEPT [376941:25700390]
:POSTROUTING ACCEPT [5165:313017]
:OUTPUT ACCEPT [10977:675933]
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.0.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jun 15 15:16:30 2004
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004
*filter
:ICMPINBOUND - [0:0]
:LINVALID - [0:0]
:SMB - [0:0]
:INPUT DROP [0:0]
:LDROP - [0:0]
:SPECIALPORTS - [0:0]
:LBADFLAG - [0:0]
:OUTPUT DROP [0:0]
:TCPACCEPT - [0:0]
:LPINGFLOOD - [0:0]
:ICMPOUTBOUND - [0:0]
:FORWARD DROP [0:0]
:LSPECIALPORT - [0:0]
:LSYNFLOOD - [0:0]
:CHECKBADFLAG - [0:0]
:LREJECT - [0:0]
-A INPUT -m state --state INVALID -j LINVALID
-A INPUT -p tcp -j CHECKBADFLAG
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -j LREJECT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -j LREJECT
-A INPUT -p icmp -i eth0 -j ICMPINBOUND
-A INPUT -p udp -m udp --dport 33434:33523 -j LDROP
-A INPUT -i eth0 -j SMB
-A INPUT -p tcp -m tcp -i eth0 --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp -i eth0 --dport 25 -j TCPACCEPT
-A INPUT -i eth0 -j SPECIALPORTS
-A INPUT -m state -i eth0 --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED -j TCPACCEPT
-A INPUT -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED -j ACCEPT
-A INPUT -j LDROP
-A FORWARD -m state --state INVALID -j LINVALID
-A FORWARD -p tcp -j CHECKBADFLAG
-A FORWARD -o eth0 -j SMB
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 --sport 1024:65535 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 --sport 1024:65535 -j ACCEPT
-A FORWARD -p icmp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j SMB
-A FORWARD -m state -i eth0 --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED -j TCPACCEPT
-A FORWARD -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED -j ACCEPT
-A FORWARD -p icmp -m state -i eth0 --state RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 20 -j ACCEPT
-A FORWARD -j LDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -p icmp -o eth0 -j ICMPOUTBOUND
-A OUTPUT -o eth0 -j SMB
-A OUTPUT -p tcp -m tcp -o eth0 --sport 113 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m tcp -m state -o eth0 --sport 25 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 22.8.33.9 -o eth0 --sport 1024:65535 -j ACCEPT
-A OUTPUT -p udp -m udp -s 22.8.33.9 -o eth0 --sport 1024:65535 -j ACCEPT
-A OUTPUT -j LDROP
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LBADFLAG
-A ICMPINBOUND -p icmp -m icmp -m limit --icmp-type 8 --limit 5/sec --limit-burst 10 -j ACCEPT
-A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
-A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
-A ICMPINBOUND -p icmp -j ACCEPT
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
-A ICMPOUTBOUND -p icmp -j ACCEPT
-A LBADFLAG -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
-A LBADFLAG -j DROP
-A LDROP -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=DROP "
-A LDROP -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=DROP "
-A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
-A LDROP -m limit -f --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
-A LDROP -j DROP
-A LINVALID -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=INVALID:1 a=DROP "
-A LINVALID -j DROP
-A LPINGFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
-A LPINGFLOOD -j DROP
-A LREJECT -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=REJECT "
-A LREJECT -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=REJECT "
-A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
-A LREJECT -m limit -f --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
-A LREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LSPECIALPORT -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
-A LSPECIALPORT -j DROP
-A LSYNFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
-A LSYNFLOOD -j DROP
-A SMB -p tcp -m tcp --dport 137 -j DROP
-A SMB -p tcp -m tcp --dport 138 -j DROP
-A SMB -p tcp -m tcp --dport 139 -j DROP
-A SMB -p tcp -m tcp --dport 445 -j DROP
-A SMB -p udp -m udp --dport 137 -j DROP
-A SMB -p udp -m udp --dport 138 -j DROP
-A SMB -p udp -m udp --dport 139 -j DROP
-A SMB -p udp -m udp --dport 445 -j DROP
-A SMB -p tcp -m tcp --sport 137 -j DROP
-A SMB -p tcp -m tcp --sport 138 -j DROP
-A SMB -p tcp -m tcp --sport 139 -j DROP
-A SMB -p tcp -m tcp --sport 445 -j DROP
-A SMB -p udp -m udp --sport 137 -j DROP
-A SMB -p udp -m udp --sport 138 -j DROP
-A SMB -p udp -m udp --sport 139 -j DROP
-A SMB -p udp -m udp --sport 445 -j DROP
-A SPECIALPORTS -p tcp -m tcp --dport 6670 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 1243 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 1243 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 27374 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 27374 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 6711:6713 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 12345:12346 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 20034 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 31337:31338 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 6000:6063 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 28431 -j LSPECIALPORT
-A TCPACCEPT -p tcp -m tcp -m limit --tcp-flags SYN,RST,ACK SYN --limit 5/sec --limit-burst 10 -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LSYNFLOOD
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
COMMIT
I want to know how to open the POP3 port for outside access for a
particular IP, and which port should be open for my VPN to work, and how
to
Someone please help me on this issue; it is very urgent.
Thanks in advance.
Regards,
Vinod
* Re: pop3 and vpn
From: /dev/rob0 @ 2005-08-11 17:22 UTC (permalink / raw)
To: netfilter
On Thursday 2005-August-11 05:54, Vinod H wrote:
> want to open pop3(110) port and We have Cisco VPN installed on our UK
> office and from here we are trying to connect to the VPN server
> [snip]
> I don't know if I want to open some port in the firewall so that my
> vpn works fine, following is my iptables
Find out from Cisco what port[s] and protocols are needed. I think
Cisco's VPN uses GRE, so you'll need to ACCEPT that in FORWARD. GRE is
protocol 47: "-p 47", or "-p gre" if that's in your /etc/protocols (it
almost certainly is).
Since you're asking these questions it is obvious that you didn't write
that very complicated rule set you posted. I did not have time to look
at it anyway. Find some other premade iptables script which will
generate the rules you need, and ask your questions in a forum specific
to that script. This list is for people who are wanting to learn how
iptables / netfilter works.
If you are wanting to take the time to learn for yourself, get rid of
that script. Secure and functional rules do not need to be so complex.
See the Packet Filtering HOWTO and the NAT HOWTO.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: pop3 and vpn
From: Grant Taylor @ 2005-08-12 5:34 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
Vinod H wrote:
> Hi,
>
> I am Vinod. I have Red Hat Linux 9 as my firewall and mail server, and I
> want to open the POP3 (110) port. We also have a Cisco VPN installed at our
> UK office, and from here we are trying to connect to that VPN server through
> the Cisco VPN Client installed on one of the Windows 2000 Pro client
> machines. If I connect through some internet dialup I am able to connect,
> but if I go through our internet gateway, which is our firewall, I am not
> able to connect.
>
> I don't know whether I need to open some port in the firewall so that my
> VPN works. Following is my iptables:
<snip>
> I want to know how to open the POP3 port for outside access for a
> particular IP, and which port should be open for my VPN to work, and how
> to
>
> Someone please help me on this issue; it is very urgent.
>
> Thanks in advance.
>
> Regards,
>
> Vinod
I would be willing to bet that you need to allow your firewall to pass ESP and possibly GRE traffic through your FORWARD chain.
Grant. . . .
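Putting both replies' suggestion (pass ESP and GRE in FORWARD) and the POP3 opening Vinod asked for into concrete rules that fit the posted dump, as an added example; this is not code from the thread or from either responder. It assumes the layout shown in the dump (Internet on eth0, LAN 192.168.0.0/24 on eth1, the TCPACCEPT chain present), that the rule positions 12, 6 and 7 refer to that exact dump, and placeholder addresses 203.0.113.10 for the one remote POP3 client and 198.51.100.7 for the Cisco concentrator; IKE on udp/500 and NAT-Traversal on udp/4500 are the standard IPsec ports, not something the thread states. By default the script only prints the iptables commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example for the thread above, not code from either reply.
# Emits (or, with IPT=iptables, applies) rules that fit the ruleset Vinod
# posted: POP3 on the firewall itself from one remote address, and IPsec
# pass-through for a LAN client to a Cisco VPN concentrator.
# Dry run by default: the commands are only printed.
IPT="${IPT:-echo iptables}"

WAN_IF=eth0                 # interfaces and LAN as in the posted dump
LAN_IF=eth1
LAN_NET=192.168.0.0/24

# POP3 (tcp/110) on the firewall, accepted only from $client.
# in_pos/out_pos are rule positions chosen so the new rules land right
# after the existing "--dport 25" (INPUT) and "--sport 25" (OUTPUT) rules
# of the posted dump. Verify on the live box first with
#   iptables -L INPUT -n --line-numbers ; iptables -L OUTPUT -n --line-numbers
# because any rule added since then shifts the numbering.
pop3_rules() {
    client="$1"; in_pos="${2:-12}"; out_pos="${3:-6}"
    $IPT -I INPUT "$in_pos" -i "$WAN_IF" -p tcp -s "$client" --dport 110 -j TCPACCEPT
    # OUTPUT policy is DROP and the only WAN source ports let out are
    # 1024:65535, so the server's replies from port 110 need their own
    # rule, exactly as the posted ruleset already does for SMTP.
    $IPT -I OUTPUT "$out_pos" -o "$WAN_IF" -p tcp --sport 110 -d "$client" -m state --state ESTABLISHED -j ACCEPT
}

# IPsec pass-through from the LAN to $vpn_server (placeholder address).
# IKE is sent from source port 500, which the existing "--sport 1024:65535"
# LAN-to-WAN rule never matches, so it needs its own rule; udp/4500 is
# IKE/ESP NAT-Traversal. ESP (protocol 50) and GRE (protocol 47) are what
# the replies suggest; use "-p 50" / "-p 47" if /etc/protocols lacks the
# names. Caveat: ESP and GRE carry no port numbers, so MASQUERADE can map
# them for at most one LAN client at a time (generic conntrack); with more
# clients, or if bare ESP still fails, NAT-T over udp/4500 is the way
# through. Position 7 = just before the LAN-to-WAN tcp rule in the dump.
vpn_rules() {
    vpn_server="$1"; pos="${2:-7}"
    for port in 500 4500; do
        $IPT -I FORWARD "$pos" -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$vpn_server" -p udp --dport "$port" -j ACCEPT
    done
    for proto in esp gre; do
        $IPT -I FORWARD "$pos" -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$vpn_server" -p "$proto" -j ACCEPT
        $IPT -I FORWARD "$pos" -i "$WAN_IF" -o "$LAN_IF" -s "$vpn_server" -p "$proto" -j ACCEPT
    done
}

# Before adding anything, confirm what is being dropped. Dropped IKE shows
# up as "fp=UDP:2 a=DROP ... DPT=500" in the kernel log:
#   grep 'a=DROP' /var/log/messages | grep -E 'DPT=(500|4500)|PROTO=(ESP|GRE|50|47)'
# Dropped ESP/GRE is never logged by this ruleset, though: LDROP only has
# LOG rules for tcp, udp, icmp and fragments, so silence in the log does
# not mean those packets got through.

# Usage: IPT=iptables sh fwadd.sh pop3 203.0.113.10
#        IPT=iptables sh fwadd.sh vpn  198.51.100.7
case "${1:-}" in
    pop3) pop3_rules "$2" ;;
    vpn)  vpn_rules "$2" ;;
esac
```

Two things worth keeping in mind when applying this: several `-I FORWARD 7` inserts stack in reverse order, which is harmless here because every inserted rule is an ACCEPT; and POP3 is a cleartext protocol, so restricting it to one source address as above is the minimum, and POP3 over TLS (tcp/995) is the better service to expose if the mail server supports it.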