• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 378
  • Last Modified:

Sendmail & POP via IPTABLES

Pretty basic issue for a noob. Here goes...

I have sendmail setup on a linux FC3 box. When I turn iptables off I can send/receive mail in outlook fine. When I start up IPTABLES on the linux FC3 box, I can send but I cannot receive on this particular account hosted on my sendmail box. I added a line that matches the line for port 25 below for port 110 and TCP via WEBMIN but I am missing something. I have not studied IPTABLES or IPCHAINS yet so I tried to cheat my way through with WEBMIN but I still cannot get her to let loose.  SUGGESTIONS??





Below is my IPTABLES readout:

 /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
           tcp  --  0.0.0.0/0            0.0.0.0/0           tcp

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110 state NEW
0
gplemos
Asked:
gplemos
1 Solution
 
harbor235Commented:
Are you using POP3 or POP3s? POP3S is port 995, pop2 is 109, pop3 is 110. Find out which
daemon you are running.

Check it out with:

netstat -an


harbor235
0
 
gplemosAuthor Commented:
Below is what I get when I run netstat -an, looks like its listening on 110. I dont know if it matters but this box has 2 nics (pub/private) I have set the config to listen on ALL interfaces.




netstat -an | less
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:901                 0.0.0.0:*                   LISTEN
tcp        0      0 10.192.0.200:139            0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:139               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:5335              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 10.192.0.200:445            0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:445               0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 :::443                      :::*                        LISTEN
udp        0      0 0.0.0.0:1024            0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 10.192.0.200:137        0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 10.192.0.200:138        0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:10000           0.0.0.0:*
udp        0      0 0.0.0.0:819             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
Active UNIX domain sockets (servers and established)
0
 
pablouruguayCommented:
your system listen un 110. but in 0.0.0.0  is localhost.

you need to modify your daemon to listen un -:::110 all ports

like the port 80
0
Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

 
gplemosAuthor Commented:
OK, Ill try that and see if I can change it.
I guess I thought that it is supposed to look the line 0 0.0.0.0:25                  
I thought 0.0.0.0 was just default for everything?
Why does SMTP not have it like ::::25?
0
 
pablouruguayCommented:
because sendmail is in sendmail you need to start sendmail to see port 25 LISTEN
0
 
gplemosAuthor Commented:
> your system listen un 110. but in 0.0.0.0  is localhost.
> you need to modify your daemon to listen un -:::110 all ports
> like the port 80

pablouruguay, when I look at webmin and look at the IPTABLES screen the configuration for port 80 and port 110 look exactly the same.

However from the CLI I get the following:

service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
           tcp  --  0.0.0.0/0            0.0.0.0/0           tcp

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110 state NEW



I noticed on the port "80" it displays "state NEW tcp dpt:80"
but...
On port "110" and "25" is displays "tcp dpt:110 state NEW"

Make a difference?


0
 
pablouruguayCommented:
no no make a differende. ...

please paste the script of iptables in here. not the iptables -L the SCRIPT!
0
 
gplemosAuthor Commented:
IN webmin I have it listed as:


for port 110:
Accept If protocol is TCP and destination port is 110 and state of connection is NEW

for port 25:
Accept If protocol is TCP and destination port is 25 and state of connection is NEW

for port 80:
Accept If protocol is TCP and destination port is 80 and state of connection is NEW

yet on a netstat -an

tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN

tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN

tcp        0      0 :::80                       :::*                        LISTEN



I AM MISSING something simple here, over looking some piece of information, that may unlock my mind block Im having in this particular issue :-)

0
 
gplemosAuthor Commented:
Please tell me the file you require to see, or the command needed to bring up the data. I apologize for not knowing this as of yet, iptables is a chapter I have not read yet.
0
 
pablouruguayCommented:
the file is

/etc/sysconfig/iptab*
0
 
gplemosAuthor Commented:

I RAN IT TWO WAYS , one as "cat /etc/sysconfig/iptab*" and the other as " cat /etc/sysconfig/iptables" I have listed both below. I do not know (yet) why there is a difference.


> cat /etc/sysconfig/iptab*

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modules.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"














> cat /etc/sysconfig/iptables


# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed



0
 
pablouruguayCommented:
i do the same script like you and work ok. but

replace the 110 line



-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT

for

-A RH-Firewall-1-INPUT  --dport 110  -j ACCEPT


and try again

I RAN IT TWO WAYS , one as "cat /etc/sysconfig/iptab*" .......> i told you with this cat any iptables script :)
0
 
Gabriel OrozcoSolution ArchitectCommented:
Let me point something:

This is Wrong because you are rejecting every packet with icmp-host-prohibited, and therefore no packet can go any further:
-------------------
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-------------------

So please try changing to this order:
-------------------
-A OUTPUT -p tcp -m tcp
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-------------------

and try again.
0
 
Cyclops3590Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: Redimido

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Cyclops3590
EE Cleanup Volunteer
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now