From mboxrd@z Thu Jan 1 00:00:00 1970
From: Vinod H
Subject: pop3 and vpn
Date: Thu, 11 Aug 2005 16:24:31 +0530
Message-ID: <9bc7d292050811035453e207c4@mail.gmail.com>
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Return-path:
Content-Disposition: inline
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"
To: "netfilter@lists.netfilter.org"

Hi,

I am Vinod. I have Red Hat Linux 9 as my firewall and mail server, and I want to open the POP3 port (110). We also have a Cisco VPN server installed in our UK office, and from here we are trying to connect to it with the Cisco VPN Client installed on a Windows 2000 Pro client machine. If I connect through an internet dial-up I am able to connect, but if I go through our internet gateway (our firewall) I am not able to connect.

I don't know whether I need to open some port in the firewall so that my VPN works. The following is my iptables configuration:

# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004
*mangle
:PREROUTING ACCEPT [7589140:3899377832]
:INPUT ACCEPT [1296105:906900344]
:FORWARD ACCEPT [6292332:2992176682]
:OUTPUT ACCEPT [836464:135776667]
:POSTROUTING ACCEPT [7126045:3127754859]
COMMIT
# Completed on Tue Jun 15 15:16:30 2004
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004
*nat
:PREROUTING ACCEPT [376941:25700390]
:POSTROUTING ACCEPT [5165:313017]
:OUTPUT ACCEPT [10977:675933]
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.0.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jun 15 15:16:30 2004
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004
*filter
:ICMPINBOUND - [0:0]
:LINVALID - [0:0]
:SMB - [0:0]
:INPUT DROP [0:0]
:LDROP - [0:0]
:SPECIALPORTS - [0:0]
:LBADFLAG - [0:0]
:OUTPUT DROP [0:0]
:TCPACCEPT - [0:0]
:LPINGFLOOD - [0:0]
:ICMPOUTBOUND - [0:0]
:FORWARD DROP [0:0]
:LSPECIALPORT - [0:0]
:LSYNFLOOD - [0:0]
:CHECKBADFLAG - [0:0]
:LREJECT - [0:0]
-A INPUT -m state --state INVALID -j LINVALID
-A INPUT -p tcp -j CHECKBADFLAG
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -j LREJECT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -j LREJECT
-A INPUT -p icmp -i eth0 -j ICMPINBOUND
-A INPUT -p udp -m udp --dport 33434:33523 -j LDROP
-A INPUT -i eth0 -j SMB
-A INPUT -p tcp -m tcp -i eth0 --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp -i eth0 --dport 25 -j TCPACCEPT
-A INPUT -i eth0 -j SPECIALPORTS
-A INPUT -m state -i eth0 --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED -j TCPACCEPT
-A INPUT -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED -j ACCEPT
-A INPUT -j LDROP
-A FORWARD -m state --state INVALID -j LINVALID
-A FORWARD -p tcp -j CHECKBADFLAG
-A FORWARD -o eth0 -j SMB
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 --sport 1024:65535 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 --sport 1024:65535 -j ACCEPT
-A FORWARD -p icmp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j SMB
-A FORWARD -m state -i eth0 --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED -j TCPACCEPT
-A FORWARD -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED -j ACCEPT
-A FORWARD -p icmp -m state -i eth0 --state RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 20 -j ACCEPT
-A FORWARD -j LDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -p icmp -o eth0 -j ICMPOUTBOUND
-A OUTPUT -o eth0 -j SMB
-A OUTPUT -p tcp -m tcp -o eth0 --sport 113 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m tcp -m state -o eth0 --sport 25 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 22.8.33.9 -o eth0 --sport 1024:65535 -j ACCEPT
-A OUTPUT -p udp -m udp -s 22.8.33.9 -o eth0 --sport 1024:65535 -j ACCEPT
-A OUTPUT -j LDROP
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LBADFLAG
-A ICMPINBOUND -p icmp -m icmp -m limit --icmp-type 8 --limit 5/sec --limit-burst 10 -j ACCEPT
-A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
-A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
-A ICMPINBOUND -p icmp -j ACCEPT
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
-A ICMPOUTBOUND -p icmp -j ACCEPT
-A LBADFLAG -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
-A LBADFLAG -j DROP
-A LDROP -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=DROP "
-A LDROP -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=DROP "
-A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
-A LDROP -m limit -f --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
-A LDROP -j DROP
-A LINVALID -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=INVALID:1 a=DROP "
-A LINVALID -j DROP
-A LPINGFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
-A LPINGFLOOD -j DROP
-A LREJECT -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=REJECT "
-A LREJECT -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=REJECT "
-A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
-A LREJECT -m limit -f --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
-A LREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LSPECIALPORT -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
-A LSPECIALPORT -j DROP
-A LSYNFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
-A LSYNFLOOD -j DROP
-A SMB -p tcp -m tcp --dport 137 -j DROP
-A SMB -p tcp -m tcp --dport 138 -j DROP
-A SMB -p tcp -m tcp --dport 139 -j DROP
-A SMB -p tcp -m tcp --dport 445 -j DROP
-A SMB -p udp -m udp --dport 137 -j DROP
-A SMB -p udp -m udp --dport 138 -j DROP
-A SMB -p udp -m udp --dport 139 -j DROP
-A SMB -p udp -m udp --dport 445 -j DROP
-A SMB -p tcp -m tcp --sport 137 -j DROP
-A SMB -p tcp -m tcp --sport 138 -j DROP
-A SMB -p tcp -m tcp --sport 139 -j DROP
-A SMB -p tcp -m tcp --sport 445 -j DROP
-A SMB -p udp -m udp --sport 137 -j DROP
-A SMB -p udp -m udp --sport 138 -j DROP
-A SMB -p udp -m udp --sport 139 -j DROP
-A SMB -p udp -m udp --sport 445 -j DROP
-A SPECIALPORTS -p tcp -m tcp --dport 6670 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 1243 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 1243 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 27374 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 27374 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 6711:6713 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 12345:12346 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 20034 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 31337:31338 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 6000:6063 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 28431 -j LSPECIALPORT
-A TCPACCEPT -p tcp -m tcp -m limit --tcp-flags SYN,RST,ACK SYN --limit 5/sec --limit-burst 10 -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LSYNFLOOD
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
COMMIT

I want to know how to open the POP3 port for outside access, restricted to a particular IP, and which ports should be open for my VPN to work and how to open them.

Someone please help me on this issue; it is very urgent.

Thanks in advance.

Regards,
Vinod