Asked by itmanager223
issues with iptables on ubuntu 12.04LTS and smtp.gmail.com

Hey guys, I am having issues with my iptables configuration. When I allow all packets, my mailer in Ruby works. When I deny all and have my rules set up, I have issues sending mail.

The output from the syslog:

Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.576269] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40128 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0 
Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.979805] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40129 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0 
Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.574917] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40130 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0 
Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.579830] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40131 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0 
Jun 21 20:00:43 JJD-PRODUCTION-WEBSITE kernel: [ 1452.779869] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40132 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0 

I have removed the source port, destination port and MAC addresses.

Also, here is my iptables -L output.

root@JJD-PRODUCTION-WEBSITE:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http limit: avg 25/min burst 100
LOGGING    all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:submission state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssmtp state ESTABLISHED

Chain LOGGING (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
DROP       all  --  anywhere             anywhere            
root@JJD-PRODUCTION-WEBSITE:~# 

Anyone have any ideas why this isn't working?

I made rules to allow both 587 and 465, both in and out.
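The kernel LOG lines above are the most useful evidence in this question, so here is an added example (written for this page, not the asker's code) that parses that LOG format and classifies each dropped packet by connection direction. It uses two of the quoted log lines as a constructed sample; the 32768 ephemeral-port lower bound is the Linux default for net.ipv4.ip_local_port_range and is an assumption about this host.

```python
from collections import Counter

# Constructed sample: two of the kernel LOG lines quoted in the question
# (addresses and MAC already blanked out, as the asker did).
SAMPLE_SYSLOG = """\
Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.576269] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40128 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.979805] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40129 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
"""

LOG_PREFIX = "IPTables Packet Dropped: "   # the --log-prefix used in the LOGGING chain
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_LOW = 32768  # assumption: default net.ipv4.ip_local_port_range lower bound on this host

def parse_drop_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict, plus a
    'FLAGS' set of the bare TCP flag tokens. None for unrelated syslog lines."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + len(LOG_PREFIX):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # empty string for blanked fields such as SRC=
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(pkt):
    """Say which side of a TCP connection a dropped packet belongs to."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    flags = pkt["FLAGS"]
    inbound = bool(pkt.get("IN"))        # IN= is filled in for packets seen by INPUT/FORWARD
    dpt = int(pkt["DPT"])
    if inbound and flags == {"SYN", "ACK"} and dpt >= EPHEMERAL_LOW:
        # A SYN/ACK arriving at a high local port is the remote server answering a
        # connection this host opened; only an INPUT rule accepting state
        # ESTABLISHED for that flow (by remote service port, or for any port) lets it in.
        return "reply-to-our-connection"
    if inbound and flags == {"SYN"}:
        return "new-inbound-connection"
    return "other"

def analyse(syslog_text):
    """Parse and classify every LOG line; returns a list of dicts with a 'verdict' key."""
    results = []
    for line in syslog_text.splitlines():
        pkt = parse_drop_line(line)
        if pkt is not None:
            pkt["verdict"] = classify(pkt)
            results.append(pkt)
    return results

def summary(results):
    """Count verdicts per remote service port, e.g. {('reply-to-our-connection', '587'): 2}."""
    return Counter((r["verdict"], r.get("SPT")) for r in results)

if __name__ == "__main__":
    res = analyse(SAMPLE_SYSLOG)
    for r in res:
        print(f"{r['IN']}: {r['PROTO']} {r['SPT']}->{r['DPT']} {sorted(r['FLAGS'])} -> {r['verdict']}")
    print(summary(res))
```

Run against the posted lines, every drop comes out as a SYN/ACK from remote port 587 to local port 37296, i.e. smtp.gmail.com answering a connection the mailer opened. In the rule listing above, the only `spt:587 ... ESTABLISHED` rule sits in OUTPUT; nothing in INPUT matches this return packet before the catch-all jump to LOGGING, which is consistent with these drops.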
Eikroman replied:

Could you please post the output of "iptables -L -n -v"?

At first look, the rule on line 16 will never be used, as the rule on line 15 will block EVERYTHING that didn't match the previous lines. So change the rule order.
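Eikroman's ordering point can be checked mechanically. The following is an added example, not code from either participant: it parses `iptables -L -n -v` output and reports rules placed after a catch-all rule whose target always terminates (ACCEPT/DROP/REJECT directly, or a user chain such as LOGGING that ends in an unconditional DROP). The sample is a constructed copy of the asker's INPUT and LOGGING chains as they appear in the `iptables -L -n -v` output in this thread.

```python
import re

# Constructed sample: the asker's INPUT and LOGGING chains as posted in this
# thread's `iptables -L -n -v` output (counters copied as posted).
SAMPLE_LNV = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2410  184K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
 6792  631K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
    7   444 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
    1    28 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
22164   16M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   36  9229 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    2   124 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 state NEW,ESTABLISHED
    6   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 limit: avg 25/min burst 100
 2282  144K LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 state NEW,ESTABLISHED

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination
  130  7325 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "IPTables Packet Dropped: "
 2282  144K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

def parse_iptables_lnv(text):
    """Parse `iptables -L -n -v` output into {chain_name: [rule, ...]}, rules in order."""
    chains, current = {}, None
    for raw in text.splitlines():
        m = CHAIN_RE.match(raw)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        line = raw.strip()
        if current is None or not line or line.startswith("pkts"):
            continue
        # columns: pkts bytes target prot opt in out source destination [match criteria...]
        cols = line.split(None, 9)
        if len(cols) < 9:
            continue
        chains[current].append({
            "target": cols[2], "prot": cols[3], "in": cols[5], "out": cols[6],
            "src": cols[7], "dst": cols[8],
            "match": cols[9].strip() if len(cols) > 9 else "",
        })
    return chains

def is_catch_all(rule):
    """True when the rule has no match criteria at all, so every packet hits its target."""
    return (rule["prot"] == "all" and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and rule["match"] == "")

def always_terminates(target, chains, seen=frozenset()):
    """True if a packet sent to `target` never comes back to the calling chain.
    Built-in verdicts terminate; a user chain terminates only if it holds a
    catch-all rule with a terminating target before any RETURN rule."""
    if target in TERMINAL_TARGETS:
        return True
    if target in seen or target not in chains:
        return False                     # LOG, RETURN, a loop, or an unknown target
    for rule in chains[target]:
        if rule["target"] == "RETURN":
            return False
        if is_catch_all(rule) and always_terminates(rule["target"], chains, seen | {target}):
            return True
    return False

def shadowed_rules(chains):
    """Rules placed after a catch-all rule that terminates every packet.
    Rule numbers match `iptables -L --line-numbers`."""
    dead = []
    for name, rules in chains.items():
        for i, rule in enumerate(rules):
            if is_catch_all(rule) and always_terminates(rule["target"], chains):
                for n, r in enumerate(rules[i + 1:], start=i + 2):
                    dead.append((name, n, r["target"], r["match"]))
                break
    return dead

if __name__ == "__main__":
    for chain, n, target, match in shadowed_rules(parse_iptables_lnv(SAMPLE_LNV)):
        print(f"{chain} rule {n} ({target} {match}) can never match")
```

On the posted chains the only finding is the port 465 ACCEPT in INPUT, which sits after the unconditional jump to LOGGING; its zero packet counter in the `-v` output is the same fact seen from the kernel side.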
itmanager223 (asker) replied:

Here is the output you requested.

root@JJD-PRODUCTION-WEBSITE:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2410  184K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
 6792  631K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
    7   444 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
    1    28 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
22164   16M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   36  9229 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    2   124 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 state NEW,ESTABLISHED
    6   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 limit: avg 25/min burst 100
 2282  144K LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 105 packets, 6180 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2006  719K ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
 3856   11M ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
    7   280 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    1    28 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
22164   16M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   36  2751 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53
    2    80 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:587 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:465 state ESTABLISHED

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  130  7325 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "IPTables Packet Dropped: "
 2282  144K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
root@JJD-PRODUCTION-WEBSITE:~# 

ASKER CERTIFIED SOLUTION by Eikroman (members-only; not shown)

itmanager223 (asker) replied:

I am going to recreate the rules tomorrow and I will update this post then. Thanks a lot for the help!