Solved

Can't establish SMTP or HTTP connection through Linux firewall

Posted on 2008-10-02
Last Modified: 2013-11-16
Hello,

I've got an Ubuntu Linux VM set up as our firewall/router for our DSL connection. The DSL modem is currently in transparent bridge mode (Qwest 2Wire modem), so PPPoE is done in Linux. I'm using the Firestarter GUI to configure iptables. All is well except for the incoming connections: only ports 80 and 25 aren't being established to the server that I specified in the firewall policy. Any ideas?
Question by:vizient

5 Comments

LVL 4

Expert Comment

by:d-it-lx
ID: 22627002
Can you execute:

iptables -L -n
iptables -L -n -t nat
iptables -L -n -t mangle
Author Comment

by:vizient
ID: 22627063

LinuxRouter ~ # iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.43.164       0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  192.168.43.164       0.0.0.0/0
ACCEPT     tcp  --  192.168.43.212       0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  192.168.43.212       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
DROP       all  --  0.0.0.0/0            255.255.255.255
DROP       all  --  224.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
INBOUND    all  --  0.0.0.0/0            192.168.43.201
INBOUND    all  --  0.0.0.0/0            65.103.82.18
INBOUND    all  --  0.0.0.0/0            192.168.43.255
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            192.168.43.0/24     state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            192.168.43.0/24     state RELATED,ESTABLISHED
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  65.103.82.18         192.168.43.164      tcp dpt:53
ACCEPT     udp  --  65.103.82.18         192.168.43.164      udp dpt:53
ACCEPT     tcp  --  65.103.82.18         192.168.43.212      tcp dpt:53
ACCEPT     udp  --  65.103.82.18         192.168.43.212      udp dpt:53
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output'

Chain INBOUND (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LSI        all  --  0.0.0.0/0            0.0.0.0/0

Chain LOG_FILTER (5 references)
target     prot opt source               destination

Chain LSI (2 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 reject-with icmp-port-unreachable
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 reject-with icmp-port-unreachable
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 reject-with icmp-port-unreachable
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain LSO (1 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTBOUND (3 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            64.95.77.32/27
ACCEPT     all  --  0.0.0.0/0            208.48.138.224/27
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24
ACCEPT     all  --  0.0.0.0/0            65.103.82.0/24
ACCEPT     all  --  0.0.0.0/0            192.168.43.0/24
ACCEPT     all  --  192.168.43.220       0.0.0.0/0
ACCEPT     all  --  192.168.43.200       0.0.0.0/0
ACCEPT     all  --  192.168.43.191       0.0.0.0/0
ACCEPT     all  --  192.168.43.109       0.0.0.0/0
ACCEPT     all  --  192.168.43.112       0.0.0.0/0
ACCEPT     all  --  192.168.43.187       0.0.0.0/0
ACCEPT     all  --  192.168.43.223       0.0.0.0/0
ACCEPT     all  --  192.168.43.181       0.0.0.0/0
ACCEPT     all  --  192.168.43.235       0.0.0.0/0
ACCEPT     all  --  192.168.43.113       0.0.0.0/0
ACCEPT     all  --  192.168.43.164       0.0.0.0/0
ACCEPT     all  --  192.168.43.212       0.0.0.0/0
ACCEPT     all  --  65.103.82.0/24       0.0.0.0/0
ACCEPT     all  --  192.168.43.222       0.0.0.0/0
ACCEPT     all  --  192.168.43.120       0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:20:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:123
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5353
LSO        all  --  0.0.0.0/0            0.0.0.0/0

LinuxRouter ~ # iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
gforward   all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           MARK match 0x1
fromprivate  all  --  192.168.0.0/16       0.0.0.0/0
fromprivate  all  --  172.16.0.0/12        0.0.0.0/0
fromprivate  all  --  10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
gforward   all  --  0.0.0.0/0            0.0.0.0/0

Chain fromprivate (3 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/16
ACCEPT     all  --  0.0.0.0/0            172.16.0.0/12
ACCEPT     all  --  0.0.0.0/0            10.0.0.0/8
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain ftolocal (4 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.43.164:25

Chain gforward (2 references)
target     prot opt source               destination
ftolocal   all  --  0.0.0.0/0            192.168.43.201
ftolocal   all  --  0.0.0.0/0            192.168.43.239
ftolocal   all  --  0.0.0.0/0            127.0.0.1
ftolocal   all  --  0.0.0.0/0            65.103.82.18

LinuxRouter ~ # iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
gforward   all  --  0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain ftolocal (4 references)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 MARK set 0x1

Chain gforward (1 references)
target     prot opt source               destination
ftolocal   all  --  0.0.0.0/0            192.168.43.201
ftolocal   all  --  0.0.0.0/0            192.168.43.239
ftolocal   all  --  0.0.0.0/0            127.0.0.1
ftolocal   all  --  0.0.0.0/0            65.103.82.18


Author Comment

by:vizient
ID: 22627195
Running a port scan from whatmyip.org with the rules removed from firewall policy gives port closed. With rules in place, port scanner says port timed out... progress?

Author Comment

by:vizient
ID: 23160410
I ran Wireshark on the SMTP server while trying to connect to port 25 on the DSL interface from an external network. Wireshark shows 4 packets being exchanged then the 5th packet says the previous segment has been lost...

Not sure if it makes any difference, but the SMTP server's gateway is different from the firewall where the packet is coming from. The packets should go back to their source, correct?

LVL 7

Accepted Solution

by:aamodt (earned 500 total points)
ID: 23409420
Add ports 80 and 25 to the OUTBOUND chain like you have with these ports:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:20:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:123
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5353
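An added example, not Firestarter's generated rules and not code posted by anyone in the thread: a minimal shell script that forwards TCP 25 and 80 from the PPPoE side to the internal server. It is here because a working port forward needs three pieces that the dump above only partly shows: a nat-table DNAT for the port (the dump's ftolocal chain has one for dpt:25 only, so nothing in that rule set rewrites port 80 at all), a matching accept in FORWARD (policy DROP), and, when the server's default gateway is not this router, a return-path SNAT so the server's replies come back through the firewall instead of out its other gateway (the dump does this for port 25 with the MARK 0x1 plus MASQUERADE pair). Interface names ppp0 and eth1, the router's LAN address 192.168.43.1 and the DRY_RUN switch are assumptions; 192.168.43.164 is the server named in the nat dump. Also note that the dump was taken with iptables -L -n and no -v, which hides interface matches, so the bare "ACCEPT all 0.0.0.0/0 0.0.0.0/0" lines in INPUT and OUTPUT are very likely interface-restricted rules; iptables-save shows the complete rules when checking a policy.

```shell
#!/bin/sh
# Added example: minimal iptables port forward for TCP 25 and 80 to one
# internal host. Not Firestarter's own rule set. Values below are
# assumptions for illustration; override them from the environment.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 applies them.

WAN_IF="${WAN_IF:-ppp0}"                  # assumed: PPPoE interface on Linux
LAN_IF="${LAN_IF:-eth1}"                  # assumed: LAN-side interface
LAN_IP="${LAN_IP:-192.168.43.1}"          # assumed: router's own LAN address
DMZ_HOST="${DMZ_HOST:-192.168.43.164}"    # server from the nat dump
PORTS="${PORTS:-25 80}"                   # TCP ports to forward
DRY_RUN="${DRY_RUN:-1}"

# Run iptables, or print the exact command when previewing.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# One DNAT plus one FORWARD accept per forwarded port.
forward_port() {
    port="$1"
    # 1. Rewrite the destination of packets arriving on the WAN side.
    #    Done in nat PREROUTING, before routing and before FORWARD.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$DMZ_HOST:$port"
    # 2. Let the rewritten first packet through FORWARD (policy DROP).
    #    Later packets of the flow match the ESTABLISHED rule instead.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$DMZ_HOST" \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

install_rules() {
    # Replies and related traffic in both directions, once.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $PORTS; do
        forward_port "$p"
    done
    # 3. Return path. If the server's default gateway is another router,
    #    its SYN-ACK would leave by that gateway and the handshake stalls.
    #    --ctstate DNAT matches only connections this box already
    #    rewrote, so LAN-to-LAN traffic is untouched; the forwarded
    #    packet's source becomes the router's LAN address and the server
    #    answers back to this firewall.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$DMZ_HOST" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$LAN_IP"
}

install_rules
```

Preview with the defaults (DRY_RUN=1), then apply as root with DRY_RUN=0. After a test connection from outside, iptables -t nat -L PREROUTING -n -v should show the DNAT rule's packet counter increasing; if the counter moves but the handshake still stalls, the problem is the FORWARD chain or the return path, not the DNAT.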
