Linux Netfilter discussions
From: Vinod H <vinwin@gmail.com>
To: "netfilter@lists.netfilter.org" <netfilter@lists.netfilter.org>
Subject: pop3 and vpn
Date: Thu, 11 Aug 2005 16:24:31 +0530	[thread overview]
Message-ID: <9bc7d292050811035453e207c4@mail.gmail.com> (raw)

Hi,

I am Vinod. I have Red Hat Linux 9 as my firewall and mail server, and I want to open the POP3 (110) port. We have a Cisco VPN installed in our UK office, and from here we are trying to connect to the VPN server through the Cisco VPN Client installed on one of the Windows 2000 Pro client machines. If I connect through an internet dialup I am able to connect, but if I go through our internet gateway, which is our firewall, I am not able to connect.

I don't know whether I need to open some port in the firewall so that my VPN works fine. The following is my iptables:


# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004 
*mangle 
:PREROUTING ACCEPT [7589140:3899377832] 
:INPUT ACCEPT [1296105:906900344] 
:FORWARD ACCEPT [6292332:2992176682] 
:OUTPUT ACCEPT [836464:135776667] 
:POSTROUTING ACCEPT [7126045:3127754859] 
COMMIT 
# Completed on Tue Jun 15 15:16:30 2004 
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004 
*nat 
:PREROUTING ACCEPT [376941:25700390] 
:POSTROUTING ACCEPT [5165:313017] 
:OUTPUT ACCEPT [10977:675933] 
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.0.1
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT 
# Completed on Tue Jun 15 15:16:30 2004 
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004 
*filter 
:ICMPINBOUND - [0:0] 
:LINVALID - [0:0] 
:SMB - [0:0] 
:INPUT DROP [0:0] 
:LDROP - [0:0] 
:SPECIALPORTS - [0:0] 
:LBADFLAG - [0:0] 
:OUTPUT DROP [0:0] 
:TCPACCEPT - [0:0] 
:LPINGFLOOD - [0:0] 
:ICMPOUTBOUND - [0:0] 
:FORWARD DROP [0:0] 
:LSPECIALPORT - [0:0] 
:LSYNFLOOD - [0:0] 
:CHECKBADFLAG - [0:0] 
:LREJECT - [0:0] 
-A INPUT -m state --state INVALID -j LINVALID 
-A INPUT -p tcp -j CHECKBADFLAG 
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 127.0.0.0/255.0.0.0 -j LREJECT 
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT 
-A INPUT -s 192.168.0.0/255.255.255.0 -j LREJECT 
-A INPUT -p icmp -i eth0 -j ICMPINBOUND 
-A INPUT -p udp -m udp --dport 33434:33523 -j LDROP 
-A INPUT -i eth0 -j SMB 
-A INPUT -p tcp -m tcp -i eth0 --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp -i eth0 --dport 25 -j TCPACCEPT 
-A INPUT -i eth0 -j SPECIALPORTS 
-A INPUT -m state -i eth0 --state ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED -j TCPACCEPT
-A INPUT -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED -j ACCEPT
-A INPUT -j LDROP 
-A FORWARD -m state --state INVALID -j LINVALID 
-A FORWARD -p tcp -j CHECKBADFLAG 
-A FORWARD -o eth0 -j SMB 
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 80 -j ACCEPT 
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 21 -j ACCEPT 
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 20 -j ACCEPT 
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 --sport 1024:65535 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 --sport 1024:65535 -j ACCEPT
-A FORWARD -p icmp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j SMB 
-A FORWARD -m state -i eth0 --state ESTABLISHED -j ACCEPT 
-A FORWARD -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED -j TCPACCEPT
-A FORWARD -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED -j ACCEPT
-A FORWARD -p icmp -m state -i eth0 --state RELATED -j ACCEPT 
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 80 -j ACCEPT 
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 21 -j ACCEPT 
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 20 -j ACCEPT 
-A FORWARD -j LDROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j ACCEPT 
-A OUTPUT -p icmp -o eth0 -j ICMPOUTBOUND 
-A OUTPUT -o eth0 -j SMB 
-A OUTPUT -p tcp -m tcp -o eth0 --sport 113 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m tcp -m state -o eth0 --sport 25 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 22.8.33.9 -o eth0 --sport 1024:65535 -j ACCEPT
-A OUTPUT -p udp -m udp -s 22.8.33.9 -o eth0 --sport 1024:65535 -j ACCEPT
-A OUTPUT -j LDROP 
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG 
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LBADFLAG 
-A ICMPINBOUND -p icmp -m icmp -m limit --icmp-type 8 --limit 5/sec --limit-burst 10 -j ACCEPT
-A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP 
-A ICMPINBOUND -p icmp -j ACCEPT 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP 
-A ICMPOUTBOUND -p icmp -j ACCEPT 
-A LBADFLAG -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
-A LBADFLAG -j DROP 
-A LDROP -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=DROP "
-A LDROP -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=DROP "
-A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
-A LDROP -m limit -f --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
-A LDROP -j DROP 
-A LINVALID -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=INVALID:1 a=DROP "
-A LINVALID -j DROP 
-A LPINGFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
-A LPINGFLOOD -j DROP 
-A LREJECT -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=REJECT "
-A LREJECT -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=REJECT "
-A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
-A LREJECT -m limit -f --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
-A LREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LSPECIALPORT -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
-A LSPECIALPORT -j DROP 
-A LSYNFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
-A LSYNFLOOD -j DROP 
-A SMB -p tcp -m tcp --dport 137 -j DROP 
-A SMB -p tcp -m tcp --dport 138 -j DROP 
-A SMB -p tcp -m tcp --dport 139 -j DROP 
-A SMB -p tcp -m tcp --dport 445 -j DROP 
-A SMB -p udp -m udp --dport 137 -j DROP 
-A SMB -p udp -m udp --dport 138 -j DROP 
-A SMB -p udp -m udp --dport 139 -j DROP 
-A SMB -p udp -m udp --dport 445 -j DROP 
-A SMB -p tcp -m tcp --sport 137 -j DROP 
-A SMB -p tcp -m tcp --sport 138 -j DROP 
-A SMB -p tcp -m tcp --sport 139 -j DROP 
-A SMB -p tcp -m tcp --sport 445 -j DROP 
-A SMB -p udp -m udp --sport 137 -j DROP 
-A SMB -p udp -m udp --sport 138 -j DROP 
-A SMB -p udp -m udp --sport 139 -j DROP 
-A SMB -p udp -m udp --sport 445 -j DROP 
-A SPECIALPORTS -p tcp -m tcp --dport 6670 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 1243 -j LSPECIALPORT 
-A SPECIALPORTS -p udp -m udp --dport 1243 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 27374 -j LSPECIALPORT 
-A SPECIALPORTS -p udp -m udp --dport 27374 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 6711:6713 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 12345:12346 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 20034 -j LSPECIALPORT 
-A SPECIALPORTS -p udp -m udp --dport 31337:31338 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 6000:6063 -j LSPECIALPORT 
-A SPECIALPORTS -p udp -m udp --dport 28431 -j LSPECIALPORT 
-A TCPACCEPT -p tcp -m tcp -m limit --tcp-flags SYN,RST,ACK SYN --limit 5/sec --limit-burst 10 -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LSYNFLOOD 
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
COMMIT 


I want to know how to open the POP3 port for outside access for a particular IP, which port should be open for my VPN to work, and how to

Someone please help me on this issue; it is very urgent.

Thanks in advance

Regards

Vinod
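The ruleset above shows why both requests fail as posted, and a practical fix is to splice the missing rules in ahead of the catch-all "-j LDROP" lines rather than appending them (anything appended after the catch-all is never reached). The script below is an added example of mine, not code from Vinod's message or from any reply in this thread. It reuses the poster's own TCPACCEPT chain for POP3 exactly as the port 25 rule does, and it assumes a plain IPsec VPN client (IKE on UDP 500, NAT traversal on UDP 4500, ESP as IP protocol 50). The addresses 203.0.113.10 (the single outside IP allowed to fetch mail), 192.168.0.50 (the LAN machine running the VPN client) and 198.51.100.5 (the UK concentrator) are placeholders from the documentation ranges; the interface names eth0/eth1 are the poster's.

```shell
#!/bin/sh
# Added example, not part of the original post. Splices two groups of rules
# into an iptables-save dump just ahead of the catch-all "-j LDROP" rules,
# so the result can be loaded with iptables-restore without reordering by hand.
# Interface names match the post; every address below is an assumption.

EXT_IF="${EXT_IF:-eth0}"                      # Internet-facing interface (from the post)
INT_IF="${INT_IF:-eth1}"                      # LAN interface (from the post)
POP3_CLIENT="${POP3_CLIENT:-203.0.113.10}"    # assumed: the one outside IP allowed to fetch mail
VPN_CLIENT="${VPN_CLIENT:-192.168.0.50}"      # assumed: LAN host running the Cisco VPN Client
VPN_SERVER="${VPN_SERVER:-198.51.100.5}"      # assumed: address of the UK VPN concentrator

# INPUT: the firewall is also the mail server, so POP3 terminates on the box itself.
# TCPACCEPT is the poster's SYN-rate-limiting chain, reused as the port 25 rule does;
# the existing "--state ESTABLISHED" rule already admits the rest of each session.
input_rules() {
    printf '%s\n' \
        "-A INPUT -p tcp -m tcp -i $EXT_IF -s $POP3_CLIENT --dport 110 -j TCPACCEPT"
}

# FORWARD: IKE is sent from source port 500, so the poster's "--sport 1024:65535"
# rule never matches it, and ESP (IP protocol 50) carries no ports at all; both
# fall through to "-A FORWARD -j LDROP". UDP 4500 is IKE/ESP NAT traversal.
forward_rules() {
    printf '%s\n' \
        "-A FORWARD -p udp -m udp -s $VPN_CLIENT -d $VPN_SERVER -i $INT_IF -o $EXT_IF --dport 500 -j ACCEPT" \
        "-A FORWARD -p udp -m udp -s $VPN_CLIENT -d $VPN_SERVER -i $INT_IF -o $EXT_IF --dport 4500 -j ACCEPT" \
        "-A FORWARD -p 50 -s $VPN_CLIENT -d $VPN_SERVER -i $INT_IF -o $EXT_IF -j ACCEPT"
}

# Read an iptables-save dump on stdin; write it back out with the new rules placed
# immediately before the first "-A INPUT -j LDROP" and "-A FORWARD -j LDROP" lines.
patch_ruleset() {
    done_input=0
    done_forward=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT -j LDROP" | "-A INPUT -j LDROP "*)
                if [ "$done_input" -eq 0 ]; then input_rules; done_input=1; fi ;;
            "-A FORWARD -j LDROP" | "-A FORWARD -j LDROP "*)
                if [ "$done_forward" -eq 0 ]; then forward_rules; done_forward=1; fi ;;
        esac
        printf '%s\n' "$line"
    done
}

# Usage: "sh thisfile.sh show" prints only the new rules; "sh thisfile.sh apply"
# splices them into the live ruleset (needs root). Review "show" output first.
case "${1:-}" in
    show)  input_rules; forward_rules ;;
    apply) iptables-save | patch_ruleset | iptables-restore ;;
esac
```

Two caveats a practitioner would check before relying on this. First, the ESP rule alone is not enough through MASQUERADE: ESP has no port numbers for NAT to rewrite, so the tunnel only works if the client and concentrator negotiate NAT traversal (UDP 4500, which the rules allow) or the client is set to Cisco's IPsec-over-TCP or IPsec-over-UDP transport, whose default port on the client is 10000 and which would need its own FORWARD rule matching whatever port the client's transport settings actually use. Second, POP3 on port 110 carries the username and password in cleartext; restricting the source address as shown limits exposure, but POP3 over TLS on port 995 is the better choice if the mail server supports it.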


Thread overview: 3+ messages
2005-08-11 10:54 Vinod H [this message]
2005-08-11 17:22 ` pop3 and vpn  /dev/rob0
2005-08-12  5:34 ` Grant Taylor
