
question for jlevie

Hi jlevie,
I'm using your iptables script (iptables-gw). My problem is that my users would like to use Outlook Express to send/receive mail from the outside connection, and these ports don't seem to be "open". Could you tell me what I need to change in iptables-gw to have this feature?
Also, I have users connecting over ppp+ (IP 192.168.0.80) and I need to cut off all Internet access: only access to the intranet and mail.
Thanks very much.
Asked by kephillips
1 Solution
 
troopern Commented:
Ports that need to be opened:
smtp = 25
smtps = 465
pop3 = 110
imap = 143
pop3s = 995
imaps = 993

Those that end in "s" are only necessary if you use SSL/TLS encryption.
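The port list above, as an added example that is not part of any post in this thread: a small POSIX shell script that opens exactly those ports for LAN clients in the gateway's FORWARD chain, with connection tracking, instead of leaving the FORWARD policy at ACCEPT (the scripts later in the thread do leave it at ACCEPT, so there the forwarder blocks none of these ports). The interface names eth0/eth1 are taken from the thread's script; the function names, the `FwdDrop:` log prefix and the dry-run default are this example's own. By default it only prints the rules; run it as root with `IPT=/sbin/iptables` to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Opens the mail ports listed in the
# answer above for LAN clients, in the gateway's FORWARD chain, and drops
# everything else the LAN tries to start. Prints the rules unless IPT is set
# to a real iptables binary (as root: IPT=/sbin/iptables ./mail-forward.sh).
IPT="${IPT:-echo}"
INSIDE="${INSIDE:-eth0}"    # interface names assumed from the thread's script
OUTSIDE="${OUTSIDE:-eth1}"

MAIL_PLAIN="25,110,143"     # SMTP, POP3, IMAP
MAIL_TLS="465,995,993"      # SMTPS, POP3S, IMAPS: only needed with SSL/TLS

# Print the comma-separated port list to open; "tls" adds the TLS ports.
mail_ports() {
    if [ "$1" = "tls" ]; then
        echo "$MAIL_PLAIN,$MAIL_TLS"
    else
        echo "$MAIL_PLAIN"
    fi
}

# Emit the FORWARD rules. Order matters: the state rule comes first so replies
# and in-progress sessions are never evaluated against the port list.
forward_mail_rules() {
    ports=$(mail_ports "$1")
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the LAN to the Internet, mail ports only.
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -p tcp -m multiport \
        --dports "$ports" -m state --state NEW -j ACCEPT
    # A "new" TCP packet that is not a SYN is a stray or a probe: drop it
    # without logging, so it cannot fill the log.
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -p tcp ! --syn -m state --state NEW -j DROP
    # Everything else the LAN tries to start is logged (rate-limited) and then
    # dropped by the chain policy set above.
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -m limit --limit 15/minute \
        -j LOG --log-prefix "FwdDrop:"
}

forward_mail_rules "${1:-plain}"
```

Run `./mail-forward.sh tls` to include the TLS ports. Because the policy is DROP, anything else the LAN needs (web, DNS) must get its own ACCEPT rule placed before the LOG rule; the `iptables -L FORWARD -n -v` packet counters show which rule a blocked client is actually hitting.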
 
jlevie Commented:
The iptables script that I recall setting up would not restrict outbound connections on the POP, IMAP & SMTP ports. But I could be wrong... Please post the iptables-gw script and I'll tell you how to adjust it for outbound mail connections if it is the firewall that's the problem.
 
kephillips (Author) Commented:
Hi jlevie,

Here's what I'm trying to use; this is all my mail stuff here:

iptables -t nat -A POSTROUTING  -p tcp -j MASQUERADE --to-ports 25
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110

iptables -t nat -A PREROUTING -p tcp -i $OUTSIDE --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $OUTSIDE --dport 110 -j ACCEPT

iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT

iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT



this is for the ppp+ connection:

# MODEM
iptables -A INPUT -i $USERS -d 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.80 -o $OUTSIDE -j DROP

thanks.
 
jlevie Commented:
I think you've changed the rules somewhat over what I set up. I would not have done the masquerade by ports. Please post the entire iptables-gw script so I can see what's going on.
 
kephillips (Author) Commented:
#!/bin/sh
#
# Save this in root's home directory as iptables-gw and make it executable
# with 'chmod +x iptables-gw'. Then to install the rule set simply run it
# with './iptables-gw'.

# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot, IP forwarding must be enabled by something other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
# I find it easier to modify this file and run it to change the rulesets,
# rather than modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth1
INSIDE=eth0
USERS=ppp+
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
iptables -N silent
iptables -A silent -j DROP

iptables -N tcpflags
iptables -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
iptables -A tcpflags -j DROP

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
iptables -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE

#####################
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#
# To Statically NAT an outside IP (1.2.3.4) to an inside IP (10.0.0.2) you'd
# do something like:
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j firewalled
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows broadcast trash
# to leak out of the firewall.
#
iptables -A FORWARD -p udp --dport 137 -j silent
iptables -A FORWARD -p udp --dport 138 -j silent
iptables -A FORWARD -p udp --dport 139 -j silent
iptables -A FORWARD -p udp --dport 445 -j silent
iptables -A FORWARD -p udp --dport 9006 -j silent
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
# iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.1
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.1
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.1
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
#iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT

#iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp --dport 143 -j ACCEPT
#iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#iptables -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 7175:7176 -j ACCEPT

#########################   MAIL         ##################################

#iptables -A OUTPUT -o eth1 -p tcp --dport 25 -j ACCEPT
#iptables -A OUTPUT -o eth1 -p tcp --dport 110 -j ACCEPT

#iptables -A INPUT -o eth1 -p tcp --sport 25 -j ACCEPT
#iptables -A INPUT -o eth1 -p tcp --sport 110 -j ACCEPT

#iptables -A FORWARD -o eth1 -p tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -o eth1 -p tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING  -p tcp -j MASQUERADE --to-ports 25
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110

iptables -t nat -A PREROUTING -p tcp -i $OUTSIDE --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $OUTSIDE --dport 110 -j ACCEPT

iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT

iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT

################################################################
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
iptables -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the  IP to be that of the INSIDE interface
# of the firewall.
#
iptables -A INPUT -i $INSIDE -d 192.168.0.1 -j ACCEPT

# MODEM STUFF
iptables -A INPUT -i $USERS -d 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.80 -o $OUTSIDE -j DROP

# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
iptables -A INPUT -j firewalled

 
jlevie Commented:
> Only access to the intranet and mail.

By "intranet" I'm going to assume that you mean they need access to web sites on the Internet. If that's not the case, comment out:

$IPT -A FORWARD -i $PPP -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $PPP -p tcp --dport 443 -j ACCEPT

in the FORWARD rules. Below is a clean rule set that should work.

#!/bin/sh
#
# Save this in root's home directory as iptables-gw and make it executable
# with 'chmod +x iptables-gw'. Then to install the rule set simply run it
# with './iptables-gw'.

# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot, IP forwarding must be enabled by something other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
# I find it easier to modify this file and run it to change the rulesets,
# rather than modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth1
INSIDE=eth0
INSIDE_IP=192.168.0.1
PPP=ppp+
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# To Statically NAT an outside IP (1.2.3.4) to an inside IP (10.0.0.2) you'd
# do something like:
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -d 1.2.3.4 -j DNAT --to-destination 10.0.0.2
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -s 10.0.0.2 -j SNAT --to-source 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows broadcast trash
# to leak out of the firewall.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
$IPT -A FORWARD -p udp --dport 9006 -j silent
#
# Allow dialup users access to external mail & web only
#
$IPT -A FORWARD -i $PPP -p tcp --dport 25 -j ACCEPT
$IPT -A FORWARD -i $PPP -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $PPP -p tcp --dport 110 -j ACCEPT
$IPT -A FORWARD -i $PPP -p tcp --dport 143 -j ACCEPT
$IPT -A FORWARD -i $PPP -p tcp --dport 443 -j ACCEPT
$IPT -A FORWARD -i $PPP -p tcp -j silent
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Allow mail (25/tcp), DNS (53/TCP & UDP), POP (110/TCP), IMAP (143/TCP)
#  and Web (80/TCP) connections inbound.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 143 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the  IP to be that of the INSIDE interface
# of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT

# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
 
kephillips (Author) Commented:
Jim,
It still doesn't want to work.
I need my dialup users to have access to the website on 192.168.0.1 but NOT to the INTERNET

Also,
I have tried accessing my mail server over the internet using outlook express and it still isn't working.
I get errors on ports 25 and 110.

Thanks.
 
jlevie Commented:
Is the PPP server on the firewall? Or is it a different box?

When you tried outlook were you at some other location (i.e. from outside of the firewall)?
 
kephillips (Author) Commented:
OK.
The PPP is on the same server as the firewall. PPP users log in using the address 192.168.0.80.
Also, when we tried Outlook we were trying it outside the firewall. This is what I need to work.
Thanks.
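Putting jlevie's dial-up rules together with the facts in this reply, as an added example that is neither jlevie's script nor anything the asker posted: the PPP link terminates on the firewall, so a dial-up user browsing the intranet web server on 192.168.0.1 is local delivery handled by the INPUT chain, while the Internet block belongs in FORWARD and has to cover every protocol (a `-p tcp` drop alone still forwards UDP such as DNS, and ICMP). Outlook Express on the Internet reaching the mail server is likewise INPUT traffic on the outside interface; MASQUERADE and `--to-ports` play no part in that direction. Assumptions, not facts from the thread: the mail server runs on the firewall itself (jlevie's script accepts 25/110 on the outside interface, which fits that), 192.168.0.80 is the address of the dial-up client, and the interface names, the `pppdrop` chain and the `PPPdrop:` prefix are this example's own. Dry-run by default; `IPT=/sbin/iptables` as root applies the rules.

```shell
#!/bin/sh
# Added example, not jlevie's script or the asker's rules. Covers the two
# requirements in the reply above: dial-up users on ppp+ reach only the
# intranet web server and mail on the firewall, never the Internet; and mail
# clients on the Internet reach the mail server through the outside NIC.
# Assumption: PPP and the mail server both live on the firewall box.
# Prints the rules unless IPT is a real iptables (root: IPT=/sbin/iptables ./ppp-mail.sh).
IPT="${IPT:-echo}"
OUTSIDE="${OUTSIDE:-eth1}"
PPP="${PPP:-ppp+}"
INSIDE_IP="${INSIDE_IP:-192.168.0.1}"     # firewall's LAN address, from the thread
PPP_CLIENT="${PPP_CLIENT:-192.168.0.80}"  # address of the dial-up client (assumed)

# One log-and-drop chain for the dial-up side, rate-limited as in the thread's
# script so a misbehaving client cannot flood the logs.
pppdrop_chain() {
    $IPT -N pppdrop
    $IPT -A pppdrop -m limit --limit 15/minute -j LOG --log-prefix "PPPdrop:"
    $IPT -A pppdrop -j DROP
}

ppp_rules() {
    # The PPP link ends on the firewall, so a dial-up user's request for the
    # intranet web server (and mail) on INSIDE_IP is INPUT, not FORWARD.
    $IPT -A INPUT -i "$PPP" -s "$PPP_CLIENT" -d "$INSIDE_IP" -p tcp \
        -m multiport --dports 80,443,25,110,143 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$PPP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$PPP" -j pppdrop
    # Nothing arriving on ppp+ is routed anywhere, whatever the protocol.
    # Restricting this to '-p tcp' would still forward UDP (DNS) and ICMP.
    $IPT -A FORWARD -i "$PPP" -j pppdrop
    # Belt and braces: the dial-up address never leaves via the outside NIC,
    # even if the link should ever come up under another interface name.
    $IPT -A FORWARD -s "$PPP_CLIENT" -o "$OUTSIDE" -j pppdrop
}

# Mail clients on the Internet talking to the server on the firewall.
# This is inbound INPUT traffic; MASQUERADE and --to-ports play no part.
outside_mail_rules() {
    $IPT -A INPUT -i "$OUTSIDE" -p tcp -m multiport --dports 25,110,143 \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$OUTSIDE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

all_rules() {
    pppdrop_chain
    ppp_rules
    outside_mail_rules
}

all_rules
```

These rules must be appended before the script's final catch-all (`-A INPUT -j firewalled`), since iptables stops at the first match. When a client from outside still fails after applying them, `iptables -L INPUT -n -v --line-numbers` shows whether the ACCEPT rule's packet counter moves at all, and `tcpdump -ni eth1 tcp port 25` shows whether the SYNs even reach the outside interface; if they do not, the client is pointed at the wrong outside address, which is where jlevie's last question was heading.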
 
jlevie Commented:
What is the outside IP of your firewall?
 
kephillips (Author) Commented:
OK, works great!
