Solved

Unblock IMAP port on Linux Firewall

Posted on 2010-01-04
1,519 Views
Last Modified: 2013-12-15
Hi,

I don't have a clue about iptables but I've been looking into it and it's just not sinking in.  Basically I have a server which I can telnet to port 25 (SMTP) and 110 (POP)  but not 143 (IMAP).  If I SSH into the server I can telnet to port 143, just not from outside.

When I run iptables -L I get the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There seems to be nothing there.

Has anyone any ideas to find out how I can connect via the open ports (when they don't seem to have an entry in iptables...although there used to be entries until I ran "service iptables restart") and not the closed.  Also, in /etc/sysconfig there is a file called iptables-config but no file just called iptables.

Thanks for any help you can offer.
Question by:lee_murphy
11 Comments
 

Author Comment

by:lee_murphy
ID: 26174445
I've typed "iptables -L" again and the results are now different, seems it takes a little time after the restart for the rules to show, results are now:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere

Chain acctboth (2 references)
target     prot opt source               destination
           tcp  --  hostname  anywhere            tcp dpt:http
           tcp  --  anywhere             hostname tcp spt:http
           tcp  --  hostname  anywhere            tcp dpt:smtp
           tcp  --  anywhere             hostname tcp spt:smtp
           tcp  --  hostname  anywhere            tcp dpt:pop3
           tcp  --  anywhere             hostname tcp spt:pop3
           icmp --  hostname  anywhere
           icmp --  anywhere             hostname
           tcp  --  hostname  anywhere
           tcp  --  anywhere             hostname
           udp  --  hostname  anywhere
           udp  --  anywhere             hostname
           all  --  hostname  anywhere
           all  --  anywhere             hostname
           all  --  anywhere             anywhere
 
LVL 4

Expert Comment

by:OliverRahner
ID: 26174768
Did you take a look at the iptables-config file you mentioned?

Open it with your favorite editor and look for two lines containing "--dport 25" and "--sport 25" OR "--dport smtp" and "--sport smtp". Copy these two lines and change 25/smtp to "imap". After rebooting (or restarting iptables), imap connections should work.
 

Author Comment

by:lee_murphy
ID: 26174955
Hi Oliver,

Thanks for the response, I had a look in the iptables-config file and the only lines that are commented out are:

IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"

There isn't anything with the lines you suggested.
 

Author Comment

by:lee_murphy
ID: 26174991
If it makes a difference CPanel is installed on the server, I know some files can be located in different directories but I think it's just 3rd Party software that's installed during the installation of CPanel, the Firewall would most likely have been installed during the Linux install so it probably won't affect it.  Just thought I'd mention it.
 
LVL 4

Expert Comment

by:OliverRahner
ID: 26177998
Hi Lee,

sorry, I didn't know which system you are using, but now I assume you are on Fedora?

The line "IPTABLES_SAVE_ON_STOP" tells the iptables init script to save all rules to the file /etc/sysconfig/iptables.

So, you have two options.

One: Add the rules via a call to iptables. The new rules will be saved the next time iptables is stopped. To give you detailed instructions I would need the output of "iptables -L -v" OR the contents of the files /etc/sysconfig/iptables.

Two: Shut down iptables. Modify /etc/sysconfig/iptables in the way I mentioned above. Start iptables. (Shutting down and starting are necessary because otherwise the init script will overwrite the new configuration file once it is stopped).
 

Author Comment

by:lee_murphy
ID: 26178467
Thanks Oliver, that...kinda...worked.  I was wondering how to generate the iptables files, when I do iptables-restart it doesn't write it out to a file, I didn't realise that you needed to stop the service...seems obvious now (SAVE_ON_STOP).  Anyway, I stopped it, edited the iptables file and added in imap and started it again.  The entries now show up in iptables -L -v but I still can't connect.  Here is the output:

Chain INPUT (policy ACCEPT 2079 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2079  181K acctboth   all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3144 packets, 3534K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3144 3534K acctboth   all  --  any    any     anywhere             anywhere

Chain acctboth (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            tcp  --  !lo    any     hostname  anywhere            tcp dpt:http
    0     0            tcp  --  !lo    any     anywhere             hostname tcp spt:http
    0     0            tcp  --  !lo    any     hostname  anywhere            tcp dpt:smtp
    0     0            tcp  --  !lo    any     anywhere             hostname tcp spt:smtp
    0     0            tcp  --  !lo    any     hostname  anywhere            tcp dpt:pop3
    0     0            tcp  --  !lo    any     anywhere             hostname tcp spt:pop3
    0     0            tcp  --  !lo    any     hostname  anywhere            tcp dpt:imap
    0     0            tcp  --  !lo    any     anywhere             hostname tcp spt:imap
    0     0            icmp --  !lo    any     hostname  anywhere
    0     0            icmp --  !lo    any     anywhere             hostname
 2754 3463K            tcp  --  !lo    any     hostname  anywhere
 1689  109K            tcp  --  !lo    any     anywhere             hostname
   26  1825            udp  --  !lo    any     hostname  anywhere
   26  2262            udp  --  !lo    any     anywhere             hostname
 2780 3465K            all  --  !lo    any     hostname  anywhere
 1715  111K            all  --  !lo    any     anywhere             hostname
 4859 3646K            all  --  !lo    any     anywhere             anywhere

Now I'm wondering if I've gone down the wrong path altogether.
 
LVL 4

Expert Comment

by:OliverRahner
ID: 26178749
OK, I just noticed something...

Your firewall rules DO NOT modify or drop packets in any way. The firewall ACCEPTS ALL PACKETS. The only thing those rules seem to do is accounting. That seems to be what the abbreviation "acct" in "acctboth" is for.

So your problem seems to be somewhere else.

When you locally telnet to imap, do you use

# telnet localhost 143

or

# telnet hostname 143

If the former works and the latter does not, it could be that your imap server only listens on 127.0.0.1, but not on your external ip.

Which imap daemon do you use?

Try looking at the output of

# netstat -anpt | grep :143

to see whether this could be the problem.
 

Author Comment

by:lee_murphy
ID: 26179982
Firstly Oliver, thanks for all your help with this!  Secondly, here's the output from everything :)

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc.  See COPYING for distribution information.

telnet hostname 143
Trying 212.126.36.64...
Connected to www.starschool.ie.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc.  See COPYING for distribution information.

netstat -anpt | grep :143
tcp        0      0 :::143                      :::*                        LISTEN      3719/couriertcpd

Hope this helps
 
LVL 4

Accepted Solution

by:
OliverRahner earned 2000 total points
ID: 26180330
Your host does indeed behave as if there was a firewall which, obviously, does not run on your host.

This is part of a trace route from my server to yours:

10  ae2-39.tcr2.eun.dub.as8218.eu (217.112.152.162)  31.975 ms  32.065 ms  31.854 ms
11  ip-36-40.dnsireland.com (212.126.36.40)  31.968 ms  31.982 ms  31.965 ms
12  ip-36-64.dnsireland.com (212.126.36.64)  32.217 ms  32.070 ms  32.173 ms

Could it be that host 11 is running a packet filter which blocks some of your packets? Do you have access to that host or is it run by your provider?
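The three checks Oliver walked through (is a local iptables rule dropping the port, is anything listening on it, and is that listener bound to loopback only), as an added shell example that is not part of the thread. The iptables and netstat samples are constructed to mirror the thread's output, and the function names are my own; feed real `iptables -L -v -n` and `netstat -anpt` output in place of the samples to use it.

```shell
# Added example, not from the thread: Oliver's three checks run over constructed
# sample output. Replace the samples with real command output to use it.

# Constructed `iptables -L -v -n` sample: empty target column = accounting only, as in the thread.
IPTABLES_OUT='Chain INPUT (policy ACCEPT 2079 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2079  181K acctboth   all  --  any    any     0.0.0.0/0            0.0.0.0/0

Chain acctboth (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            tcp  --  !lo    any     0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    0     0            tcp  --  !lo    any     0.0.0.0/0            0.0.0.0/0            tcp spt:143'
# Constructed `netstat -anpt` sample: IMAP bound to all addresses, a second daemon on loopback.
NETSTAT_OUT='tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN      2211/mysqld
tcp        0      0 :::143                      :::*                        LISTEN      3719/couriertcpd'

# "filtered" if a DROP/REJECT rule names the port, or the INPUT policy is DROP/REJECT
# with no explicit ACCEPT for it; otherwise "open".
local_filter_state() {
    if printf '%s\n' "$IPTABLES_OUT" | grep -E ' (DROP|REJECT) ' | grep -qE "dpt:$1( |\$)"; then
        echo filtered
    elif printf '%s\n' "$IPTABLES_OUT" | grep -qE '^Chain INPUT \(policy (DROP|REJECT)' &&
         ! printf '%s\n' "$IPTABLES_OUT" | grep -E ' ACCEPT ' | grep -qE "dpt:$1( |\$)"; then
        echo filtered
    else
        echo open
    fi
}

# Address the LISTEN socket for the port is bound to: none, loopback, all or specific.
listener_scope() {
    addr=$(printf '%s\n' "$NETSTAT_OUT" | awk -v p="$1" '$6=="LISTEN" && $4 ~ (":" p "$") {print $4; exit}')
    case "$addr" in
        '')                echo none ;;
        127.0.0.1:*|::1:*) echo loopback ;;
        0.0.0.0:*|:::*)    echo all ;;
        *)                 echo specific ;;
    esac
}

# Combine both checks into the verdict Oliver reached in the thread.
diagnose() {
    case "$(local_filter_state "$1")/$(listener_scope "$1")" in
        filtered/*) echo "local iptables filters port $1" ;;
        */none)     echo "nothing listens on port $1" ;;
        */loopback) echo "port $1 listens on loopback only" ;;
        *)          echo "port $1 is open and listening here: suspect an upstream filter" ;;
    esac
}
diagnose 143
```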
 

Author Comment

by:lee_murphy
ID: 26180454
Hi Oliver,
Thanks for your help, I'll get onto our provider.  I had got onto them originally and they said to check my firewall but that's obviously not the issue now.  I'll go back to them with this information and let you know how I get on.

Thanks again
Lee
 

Author Closing Comment

by:lee_murphy
ID: 31672579
Hi Oliver, turns out it was the provider's firewall; their explanation was:

"It was actually that IMAP3 was enabled on our network firewalls for your VPS and not IMAP4 which works on that port."

So after all that there was nothing wrong, but you well deserve the points for helping me prove that. Thanks for your help!
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses
Course of the Month20 days, left to enroll

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question