Solved

Can't establish SMTP or HTTP connection through Linux firewall

Posted on 2008-10-02
Last Modified: 2013-11-16
Hello,

I've got an Ubuntu Linux VM set up as our firewall/router for our DSL connection. The DSL modem is currently in transparent bridge mode (Qwest 2wire modem), so PPPoE is done in Linux. I'm using the Firestarter GUI to configure iptables. All is well except for the incoming connections (only ports 80 and 25), which aren't being established to the server that I specified in the firewall policy. Any ideas?
Question by:vizient

Expert Comment

by:d-it-lx
ID: 22627002
Can you execute:

iptables -L -n
iptables -L -n -t nat
iptables -L -n -t mangle
 

Author Comment

by:vizient
ID: 22627063

LinuxRouter ~ # iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.43.164       0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  192.168.43.164       0.0.0.0/0
ACCEPT     tcp  --  192.168.43.212       0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  192.168.43.212       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
DROP       all  --  0.0.0.0/0            255.255.255.255
DROP       all  --  224.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
INBOUND    all  --  0.0.0.0/0            192.168.43.201
INBOUND    all  --  0.0.0.0/0            65.103.82.18
INBOUND    all  --  0.0.0.0/0            192.168.43.255
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            192.168.43.0/24     state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            192.168.43.0/24     state RELATED,ESTABLISHED
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  65.103.82.18         192.168.43.164      tcp dpt:53
ACCEPT     udp  --  65.103.82.18         192.168.43.164      udp dpt:53
ACCEPT     tcp  --  65.103.82.18         192.168.43.212      tcp dpt:53
ACCEPT     udp  --  65.103.82.18         192.168.43.212      udp dpt:53
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output'

Chain INBOUND (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LSI        all  --  0.0.0.0/0            0.0.0.0/0

Chain LOG_FILTER (5 references)
target     prot opt source               destination

Chain LSI (2 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 reject-with icmp-port-unreachable
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 reject-with icmp-port-unreachable
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 reject-with icmp-port-unreachable
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain LSO (1 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTBOUND (3 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            64.95.77.32/27
ACCEPT     all  --  0.0.0.0/0            208.48.138.224/27
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24
ACCEPT     all  --  0.0.0.0/0            65.103.82.0/24
ACCEPT     all  --  0.0.0.0/0            192.168.43.0/24
ACCEPT     all  --  192.168.43.220       0.0.0.0/0
ACCEPT     all  --  192.168.43.200       0.0.0.0/0
ACCEPT     all  --  192.168.43.191       0.0.0.0/0
ACCEPT     all  --  192.168.43.109       0.0.0.0/0
ACCEPT     all  --  192.168.43.112       0.0.0.0/0
ACCEPT     all  --  192.168.43.187       0.0.0.0/0
ACCEPT     all  --  192.168.43.223       0.0.0.0/0
ACCEPT     all  --  192.168.43.181       0.0.0.0/0
ACCEPT     all  --  192.168.43.235       0.0.0.0/0
ACCEPT     all  --  192.168.43.113       0.0.0.0/0
ACCEPT     all  --  192.168.43.164       0.0.0.0/0
ACCEPT     all  --  192.168.43.212       0.0.0.0/0
ACCEPT     all  --  65.103.82.0/24       0.0.0.0/0
ACCEPT     all  --  192.168.43.222       0.0.0.0/0
ACCEPT     all  --  192.168.43.120       0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:20:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:123
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5353
LSO        all  --  0.0.0.0/0            0.0.0.0/0

LinuxRouter ~ # iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
gforward   all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           MARK match 0x1
fromprivate  all  --  192.168.0.0/16       0.0.0.0/0
fromprivate  all  --  172.16.0.0/12        0.0.0.0/0
fromprivate  all  --  10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
gforward   all  --  0.0.0.0/0            0.0.0.0/0

Chain fromprivate (3 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/16
ACCEPT     all  --  0.0.0.0/0            172.16.0.0/12
ACCEPT     all  --  0.0.0.0/0            10.0.0.0/8
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain ftolocal (4 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.43.164:25

Chain gforward (2 references)
target     prot opt source               destination
ftolocal   all  --  0.0.0.0/0            192.168.43.201
ftolocal   all  --  0.0.0.0/0            192.168.43.239
ftolocal   all  --  0.0.0.0/0            127.0.0.1
ftolocal   all  --  0.0.0.0/0            65.103.82.18

LinuxRouter ~ # iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
gforward   all  --  0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain ftolocal (4 references)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 MARK set 0x1

Chain gforward (1 references)
target     prot opt source               destination
ftolocal   all  --  0.0.0.0/0            192.168.43.201
ftolocal   all  --  0.0.0.0/0            192.168.43.239
ftolocal   all  --  0.0.0.0/0            127.0.0.1
ftolocal   all  --  0.0.0.0/0            65.103.82.18

 

Author Comment

by:vizient
ID: 22627195
Running a port scan from whatmyip.org with the rules removed from the firewall policy gives "port closed". With the rules in place, the port scanner says the port timed out... progress?
 

Author Comment

by:vizient
ID: 23160410
I ran Wireshark on the SMTP server while trying to connect to port 25 on the DSL interface from an external network. Wireshark shows 4 packets being exchanged, then the 5th packet says the previous segment has been lost...

Not sure if it makes any difference, but the SMTP server's gateway is different from the firewall where the packet is coming from. The packets should go back to their source, correct?


 

Accepted Solution

by:aamodt (earned 500 total points)
ID: 23409420
Add ports 80 and 25 to the OUTBOUND chain like you have with these ports:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:20:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:123
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5353
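A way to check what the posted listing actually does with a given packet, as an added example that is not part of the thread: the script below parses `iptables -L -n` output in the format shown above and walks a chain the way netfilter does (a terminating target such as ACCEPT/DROP/REJECT ends the walk, a user chain is entered and returned from when nothing in it terminates, and non-terminating targets such as LOG and TCPMSS are passed over). The FORWARD, OUTBOUND and LSO chains are copied from the listing and trimmed to the rules a forwarded TCP SYN can reach; the addresses 203.0.113.10, 192.168.43.50 and 198.51.100.5 are constructed test values. Taken at face value, the forwarded SMTP SYN (its destination already rewritten to 192.168.43.164:25 by the DNAT in the nat table's ftolocal chain) ends in OUTBOUND's `ACCEPT all -> 192.168.43.0/24` rule, and the nat table forwards only port 25, with no DNAT for port 80 at all. One caveat the walker shares with the listing: `iptables -L -n` hides the `-i`/`-o` interface matches, so a bare `ACCEPT all` (the one in INPUT is most likely Firestarter's loopback rule, an assumption here) can look broader than it is; compare against `iptables -L -n -v` or `iptables-save` before trusting any verdict.

```python
import ipaddress
import re

# Constructed sample: the FORWARD, OUTBOUND and LSO chains from the listing
# posted above, trimmed to the rules a forwarded TCP SYN can actually reach.
FILTER_LISTING = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            192.168.43.0/24     state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward'

Chain OUTBOUND (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            192.168.43.0/24
ACCEPT     all  --  192.168.43.164       0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
LSO        all  --  0.0.0.0/0            0.0.0.0/0

Chain LSO (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""
# The only port-forward in the posted nat table (ftolocal chain).
NAT_LISTING = """\
Chain ftolocal (4 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.43.164:25
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}     # LOG, TCPMSS, MARK do not end the walk
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")  # opt column skipped
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_listing(text):
    """Parse `iptables -L -n` output into {chain: {"policy": ..., "rules": [...]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("target "):
            continue                                  # blank line or column header
        if (m := CHAIN_RE.match(line)):
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}   # policy is None for user chains
            continue
        target, prot, src, dst, extra = RULE_RE.match(line).groups()
        chains[cur]["rules"].append(dict(target=target, prot=prot, src=src,
                                         dst=dst, extra=extra, text=line))
    return chains


def rule_matches(rule, pkt):
    """Apply one rule's match columns to a packet; `limit:` is taken as not exceeded."""
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if any(pkt[k] not in ipaddress.ip_network(rule[k], strict=False) for k in ("src", "dst")):
        return False
    ex = rule["extra"]
    if (m := re.search(r"dpts?:(\d+)(?::(\d+))?", ex)):          # dpt:N or dpts:A:B
        if not int(m.group(1)) <= pkt["dport"] <= int(m.group(2) or m.group(1)):
            return False
    if (m := re.search(r"state (\S+)", ex)) and pkt["state"] not in m.group(1).split(","):
        return False
    if (m := re.search(r"flags:(!?)0x([0-9a-f]+)/0x([0-9a-f]+)", ex)):
        # `tcp flags:MASK/CMP` fires when (flags & MASK) == CMP; a leading '!' inverts it
        hit = (pkt["flags"] & int(m.group(2), 16)) == int(m.group(3), 16)
        if hit == (m.group(1) == "!"):
            return False
    return True


def walk(chains, name, pkt):
    """Walk a chain as the kernel does: a terminal target ends the walk, a user
    chain is entered recursively, and falling off its end returns to the caller."""
    for rule in chains[name]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], name, rule["text"]
        if rule["target"] in chains and (hit := walk(chains, rule["target"], pkt)):
            return hit
    return None


def verdict(chains, chain, pkt):
    """Verdict for a packet entering a built-in chain; the chain policy if nothing matched."""
    return walk(chains, chain, pkt) or (chains[chain]["policy"], chain, "policy")


def packet(proto, src, dst, dport, state="NEW", flags=0x02):
    """Constructed packet for the walk; the default flags value is a bare SYN."""
    return dict(proto=proto, src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                dport=dport, state=state, flags=flags)


def dnat_targets(chains):
    """Destination port -> DNAT target for every DNAT rule in a nat-table listing."""
    return {int(re.search(r"dpt:(\d+)", r["extra"]).group(1)): re.search(r"to:(\S+)", r["extra"]).group(1)
            for c in chains.values() for r in c["rules"] if r["target"] == "DNAT"}


if __name__ == "__main__":
    filt = parse_listing(FILTER_LISTING)
    # The inbound SMTP SYN as FORWARD sees it, i.e. after PREROUTING has DNATed it.
    print(verdict(filt, "FORWARD", packet("tcp", "203.0.113.10", "192.168.43.164", 25)))
    # A LAN host that is not in OUTBOUND's per-host list sending mail outward.
    print(verdict(filt, "FORWARD", packet("tcp", "192.168.43.50", "198.51.100.5", 25)))
    print(dnat_targets(parse_listing(NAT_LISTING)))   # only port 25 is forwarded; 80 is not
```

If the walk accepts the SYN, the capture shows it arriving at the server, and the external scanner reports a timeout rather than a closed port, the packet is being delivered and the reply is not coming back the same way. That is exactly what a server whose default gateway is a different router produces: the SYN-ACK leaves through a router that never saw the DNAT, so it is not translated back to the firewall's public address and the client discards it. Fixing the server's route (default gateway on the firewall, or a host route for Internet sources via it) is a prerequisite for any port-forward rule to appear to work.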
