Solved

Can't establish SMTP or HTTP connection through Linux firewall

Posted on 2008-10-02
911 Views
Last Modified: 2013-11-16
Hello,

I've got an Ubuntu Linux VM set up as our firewall/router for our DSL connection. The DSL modem is currently in transparent bridge mode (Qwest 2wire modem), so PPPoE is done in Linux. I'm using the Firestarter GUI to configure iptables. All is well except for the incoming connections: only ports 80 and 25 aren't being established to the server that I specified in the firewall policy. Any ideas?
Question by:vizient
5 Comments
LVL 4

Expert Comment

by:d-it-lx
ID: 22627002
Can you execute:

iptables -L -n
iptables -L -n -t nat
iptables -L -n -t mangle
 

Author Comment

by:vizient
ID: 22627063

LinuxRouter ~ # iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.43.164       0.0.0.0/0           tcp flags:!0x17/0x02 
ACCEPT     udp  --  192.168.43.164       0.0.0.0/0           
ACCEPT     tcp  --  192.168.43.212       0.0.0.0/0           tcp flags:!0x17/0x02 
ACCEPT     udp  --  192.168.43.212       0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
DROP       all  --  0.0.0.0/0            255.255.255.255     
DROP       all  --  224.0.0.0/8          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            224.0.0.0/8         
DROP       all  --  255.255.255.255      0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0             
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0           
INBOUND    all  --  0.0.0.0/0            192.168.43.201      
INBOUND    all  --  0.0.0.0/0            65.103.82.18        
INBOUND    all  --  0.0.0.0/0            192.168.43.255      
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input' 
 
Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            192.168.43.0/24     state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            192.168.43.0/24     state RELATED,ESTABLISHED 
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward' 
 
Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  65.103.82.18         192.168.43.164      tcp dpt:53 
ACCEPT     udp  --  65.103.82.18         192.168.43.164      udp dpt:53 
ACCEPT     tcp  --  65.103.82.18         192.168.43.212      tcp dpt:53 
ACCEPT     udp  --  65.103.82.18         192.168.43.212      udp dpt:53 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  224.0.0.0/8          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            224.0.0.0/8         
DROP       all  --  255.255.255.255      0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0             
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0           
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0           
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output' 
 
Chain INBOUND (4 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
LSI        all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain LOG_FILTER (5 references)
target     prot opt source               destination         
 
Chain LSI (2 references)
target     prot opt source               destination         
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 reject-with icmp-port-unreachable 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 reject-with icmp-port-unreachable 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 reject-with icmp-port-unreachable 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
 
Chain LSO (1 references)
target     prot opt source               destination         
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound ' 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
 
Chain OUTBOUND (3 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            64.95.77.32/27      
ACCEPT     all  --  0.0.0.0/0            208.48.138.224/27   
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24      
ACCEPT     all  --  0.0.0.0/0            65.103.82.0/24      
ACCEPT     all  --  0.0.0.0/0            192.168.43.0/24     
ACCEPT     all  --  192.168.43.220       0.0.0.0/0           
ACCEPT     all  --  192.168.43.200       0.0.0.0/0           
ACCEPT     all  --  192.168.43.191       0.0.0.0/0           
ACCEPT     all  --  192.168.43.109       0.0.0.0/0           
ACCEPT     all  --  192.168.43.112       0.0.0.0/0           
ACCEPT     all  --  192.168.43.187       0.0.0.0/0           
ACCEPT     all  --  192.168.43.223       0.0.0.0/0           
ACCEPT     all  --  192.168.43.181       0.0.0.0/0           
ACCEPT     all  --  192.168.43.235       0.0.0.0/0           
ACCEPT     all  --  192.168.43.113       0.0.0.0/0           
ACCEPT     all  --  192.168.43.164       0.0.0.0/0           
ACCEPT     all  --  192.168.43.212       0.0.0.0/0           
ACCEPT     all  --  65.103.82.0/24       0.0.0.0/0           
ACCEPT     all  --  192.168.43.222       0.0.0.0/0           
ACCEPT     all  --  192.168.43.120       0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:20:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:123 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5500 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5500 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5353 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5353 
LSO        all  --  0.0.0.0/0            0.0.0.0/0           
LinuxRouter ~ # iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
gforward   all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           MARK match 0x1 
fromprivate  all  --  192.168.0.0/16       0.0.0.0/0           
fromprivate  all  --  172.16.0.0/12        0.0.0.0/0           
fromprivate  all  --  10.0.0.0/8           0.0.0.0/0           
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
gforward   all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain fromprivate (3 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/16      
ACCEPT     all  --  0.0.0.0/0            172.16.0.0/12       
ACCEPT     all  --  0.0.0.0/0            10.0.0.0/8          
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain ftolocal (4 references)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.43.164:25 
 
Chain gforward (2 references)
target     prot opt source               destination         
ftolocal   all  --  0.0.0.0/0            192.168.43.201      
ftolocal   all  --  0.0.0.0/0            192.168.43.239      
ftolocal   all  --  0.0.0.0/0            127.0.0.1           
ftolocal   all  --  0.0.0.0/0            65.103.82.18        
LinuxRouter ~ # iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
gforward   all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
 
Chain ftolocal (4 references)
target     prot opt source               destination         
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 MARK set 0x1 
 
Chain gforward (1 references)
target     prot opt source               destination         
ftolocal   all  --  0.0.0.0/0            192.168.43.201      
ftolocal   all  --  0.0.0.0/0            192.168.43.239      
ftolocal   all  --  0.0.0.0/0            127.0.0.1           
ftolocal   all  --  0.0.0.0/0            65.103.82.18  
 

Author Comment

by:vizient
ID: 22627195
Running a port scan from whatmyip.org with the rules removed from firewall policy gives port closed. With rules in place, port scanner says port timed out... progress?
 

Author Comment

by:vizient
ID: 23160410
I ran Wireshark on the SMTP server while trying to connect to port 25 on the DSL interface from an external network. Wireshark shows 4 packets being exchanged, then the 5th packet says the previous segment has been lost...

Not sure if it makes any difference, but the SMTP server's gateway is different from the firewall where the packet is coming from. The packets should go back to their source, correct?


 
LVL 7

Accepted Solution

by:aamodt (earned 500 total points)
ID: 23409420
Add ports 80 and 25 to the OUTBOUND chain like you have with these ports:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:20:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:123
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5353
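The accepted answer's change, as an added example rather than anything posted in the thread: a small POSIX shell helper that inserts the ACCEPT for a forwarded port ahead of the OUTBOUND chain's trailing LSO rule (LSO logs and REJECTs everything, so a rule appended after that jump is never reached) and narrows it to the DNAT target host. The `lso_rule_number` and `open_forwarded_port` names and the trimmed sample listing are my own; 192.168.43.164 is the DNAT target shown in the nat table above.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors the accepted answer (open TCP 25 and
# 80 in Firestarter's OUTBOUND chain) but places the ACCEPT before the trailing
# LSO rule, which logs and REJECTs everything, and restricts it to the DNAT host.
# Dry-run by default: it only prints the iptables commands. Run as root with
# IPT=iptables to apply them.
IPT="${IPT:-echo}"

# Print the 1-based number of the first LSO rule in an `iptables -L OUTBOUND -n`
# listing read from stdin (single chain; the two header lines are skipped).
# Prints nothing when the chain has no LSO rule.
lso_rule_number() {
    awk 'NR > 2 && NF > 0 { n++; if ($1 == "LSO") { print n; exit } }'
}

# open_forwarded_port LSO_POS PORT HOST
# Inserts "ACCEPT tcp to HOST:PORT" at rule LSO_POS so it is evaluated ahead of
# the LSO catch-all; appends instead when LSO_POS is empty (no catch-all).
open_forwarded_port() {
    lso_pos=$1; port=$2; host=$3
    if [ -n "$lso_pos" ]; then
        $IPT -I OUTBOUND "$lso_pos" -p tcp -d "$host" --dport "$port" -j ACCEPT
    else
        $IPT -A OUTBOUND -p tcp -d "$host" --dport "$port" -j ACCEPT
    fi
}

# Constructed sample, trimmed from the OUTBOUND listing posted above. On the
# router itself use:  pos=$(iptables -L OUTBOUND -n | lso_rule_number)
SAMPLE_OUTBOUND='Chain OUTBOUND (3 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
LSO        all  --  0.0.0.0/0            0.0.0.0/0'

pos=$(printf '%s\n' "$SAMPLE_OUTBOUND" | lso_rule_number)   # 3 for the sample
# Each insert at the same position lands ahead of LSO; both rules stay above it.
open_forwarded_port "$pos" 25 192.168.43.164
open_forwarded_port "$pos" 80 192.168.43.164
```

Listing the chain with `iptables -L OUTBOUND -n -v --line-numbers` also shows the interface matches and rule numbers that the plain `-L -n` output above omits. The forward additionally depends on the SMTP server's replies routing back through this firewall (conntrack must see them to undo the DNAT), and Firestarter rebuilds its chains on restart, so persistent rules belong in its /etc/firestarter/user-pre hook or the GUI policy rather than a one-off command.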
