itmanager223
asked on
issues with iptables on ubuntu 12.04LTS and smtp.gmail.com
Hey guys, I am having issues with my iptables configuration. When I allow all packets, my mailer in Ruby works. When I deny all and have my rules set up, I have issues sending mail.
The output from the syslog:
Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.576269] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40128 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.979805] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40129 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.574917] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40130 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.579830] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40131 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:43 JJD-PRODUCTION-WEBSITE kernel: [ 1452.779869] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40132 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
I have removed the source port, destination port and MAC addresses.
Also here is my iptables -L output:
root@JJD-PRODUCTION-WEBSITE:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
LOGGING all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp state NEW,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:submission state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssmtp state ESTABLISHED
Chain LOGGING (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
DROP all -- anywhere anywhere
root@JJD-PRODUCTION-WEBSITE:~#
Anyone have any ideas why this isn't working?
I made rules to allow both 587 and 465, both in and out.
ASKER
Here is the output you requested.
root@JJD-PRODUCTION-WEBSITE:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2410 184K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
6792 631K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
7 444 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state ESTABLISHED
1 28 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
22164 16M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
36 9229 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:53
2 124 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 state NEW,ESTABLISHED
6 300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 limit: avg 25/min burst 100
2282 144K LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 state NEW,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 105 packets, 6180 bytes)
pkts bytes target prot opt in out source destination
2006 719K ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
3856 11M ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
7 280 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
1 28 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
22164 16M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
36 2751 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 80 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:587 state ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:465 state ESTABLISHED
Chain LOGGING (1 references)
pkts bytes target prot opt in out source destination
130 7325 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "IPTables Packet Dropped: "
2282 144K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
root@JJD-PRODUCTION-WEBSITE:~#
ASKER CERTIFIED SOLUTION
ASKER
I am going to recreate the rules tomorrow and I will update this post then. Thanks a lot for the help!
At first look, the rule on line 16 will never be used, as the rule on line 15 blocks EVERYTHING that didn't match the previous lines. So change the rule order.
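Two things in the posted output explain the drops, and both are about iptables first-match evaluation. The syslog lines show a packet with PROTO=TCP SPT=587 and ACK SYN set: that is smtp.gmail.com answering a connection the Ruby mailer opened, so on the INPUT chain it arrives with source port 587, not destination port 587. The INPUT chain only has `tcp dpt:587 state NEW,ESTABLISHED`, so the reply falls through to the catch-all LOGGING rule and is dropped. Separately, as the reply above points out for the asker's own rule numbering, the `dpt:465` rule sits after that catch-all in the pasted chain and can never match. The script below is an added example (not code from the asker or the expert): it parses one of the posted log lines, infers the conntrack state from the TCP flags (a bare SYN is NEW, anything else ESTABLISHED; an assumption, since the log does not carry state), replays it against a hand-built model of the posted INPUT chain, reports which rules are shadowed, and then shows the same packet against a corrected chain that accepts ESTABLISHED/RELATED replies and keeps LOGGING last. The icmp-type and limit matches are simplified to protocol/port checks, and the LOGGING user chain is treated as terminating because it ends in DROP.

```python
"""Replay a netfilter LOG line against a model of the posted INPUT chain (added example)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed copy of one posted syslog line (the asker redacted addresses and MACs).
SAMPLE_LOG = ("Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.576269] "
              "IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 "
              "PREC=0x00 TTL=45 ID=40128 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 "
              "RES=0x00 ACK SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "LOGGING"}  # LOGGING ends in DROP


@dataclass
class Packet:
    iface_in: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    state: str  # "NEW" or "ESTABLISHED", as conntrack would classify it (inferred here)


@dataclass
class Rule:
    target: str
    proto: str = "all"
    iface_in: str = "*"
    spt: Optional[int] = None
    dpt: Optional[int] = None
    states: Optional[FrozenSet[str]] = None  # None = no -m state match on the rule

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "all" or self.proto == p.proto)
                and (self.iface_in == "*" or self.iface_in == p.iface_in)
                and (self.spt is None or self.spt == p.spt)
                and (self.dpt is None or self.dpt == p.dpt)
                and (self.states is None or p.state in self.states))

    def is_catch_all(self) -> bool:
        return (self.proto == "all" and self.iface_in == "*" and self.spt is None
                and self.dpt is None and self.states is None)


def parse_log(line: str) -> Packet:
    """Pull the netfilter key=value fields and bare TCP flag words out of a LOG line."""
    kv = dict(re.findall(r"(\w+)=(\S*)", line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    state = "NEW" if flags == {"SYN"} else "ESTABLISHED"  # assumption: SYN-only = new flow
    return Packet(iface_in=kv.get("IN", ""), proto=kv.get("PROTO", "").lower(),
                  spt=int(kv["SPT"]) if kv.get("SPT") else None,
                  dpt=int(kv["DPT"]) if kv.get("DPT") else None, state=state)


def first_match(chain: List[Rule], p: Packet) -> Optional[Tuple[int, Rule]]:
    """iptables semantics: the first matching rule decides; returns its 1-based index."""
    for i, rule in enumerate(chain, start=1):
        if rule.matches(p):
            return i, rule
    return None  # would fall through to the chain policy


def unreachable_rules(chain: List[Rule]) -> List[int]:
    """1-based indices of rules shadowed by an earlier catch-all with a terminating target."""
    for i, rule in enumerate(chain, start=1):
        if rule.is_catch_all() and rule.target in TERMINATING:
            return list(range(i + 1, len(chain) + 1))
    return []


EST = frozenset({"ESTABLISHED"})
NEW_EST = frozenset({"NEW", "ESTABLISHED"})

# Model of the posted INPUT chain, in the order shown by `iptables -L -n -v`.
POSTED_INPUT = [
    Rule("ACCEPT", "tcp", "eth0", dpt=22, states=NEW_EST),
    Rule("ACCEPT", "tcp", "eth0", dpt=80, states=NEW_EST),
    Rule("ACCEPT", "tcp", "eth0", dpt=443, states=NEW_EST),
    Rule("ACCEPT", "tcp", "eth0", spt=22, states=EST),
    Rule("ACCEPT", "tcp", "eth0", spt=443, states=EST),
    Rule("ACCEPT", "icmp"),                 # icmptype 8 (simplified)
    Rule("ACCEPT", "icmp"),                 # icmptype 0 (simplified)
    Rule("ACCEPT", "all", "lo"),
    Rule("ACCEPT", "udp", "eth0", spt=53),
    Rule("ACCEPT", "tcp", "eth0", dpt=587, states=NEW_EST),  # inbound to 587 only
    Rule("ACCEPT", "tcp", dpt=80),          # limit match omitted
    Rule("LOGGING"),                        # catch-all: LOG, then DROP
    Rule("ACCEPT", "tcp", "eth0", dpt=465, states=NEW_EST),  # shadowed by LOGGING
]

# Corrected model: accept replies to connections this host opened, and keep the
# catch-all LOGGING rule last so every ACCEPT rule stays reachable.
FIXED_INPUT = ([Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))]
               + [r for r in POSTED_INPUT if r.target != "LOGGING"]
               + [Rule("LOGGING")])

if __name__ == "__main__":
    pkt = parse_log(SAMPLE_LOG)
    print(pkt)
    print("posted chain ->", first_match(POSTED_INPUT, pkt))
    print("shadowed rules:", unreachable_rules(POSTED_INPUT))
    print("fixed chain  ->", first_match(FIXED_INPUT, pkt))
```

Run it and the posted chain sends the SYN/ACK from port 587 to rule 12 (LOGGING) with rule 13 reported as unreachable, while the corrected chain accepts it at rule 1. The same reasoning applies to port 465: the INPUT side needs to admit the return traffic of outbound connections, and any catch-all log-and-drop rule must be the last rule in the chain.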