Stateful problem when using IMAP. Need a Guru.
When I enable stateful filtering (sh fw-up) on Router1, IMAP connections
to my mail server behind Router2 are painfully slow during the initial
connection. If I disable stateful filtering (sh fw-dn) on Router1, IMAP
connections have no issues.
I have a feeling the problem is in the way I have stateful filtering
enabled on Router2 but I'm too much of a n00b to figure it out.
Any ideas?
Ryan
Router1 configs:
-----------------------------------------
fw-up
-----------------------------------------
n1:~# cat fw-up
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
## Drop packets
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
## Nat outbound packets
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 216.29.167.226
#stop stealth scans and bad flags.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
## Allow access to internal interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
## Outbound
iptables -A FORWARD -i eth0 -o eth1 -p UDP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Inbound
iptables -A FORWARD -o eth0 -i eth1 -p UDP --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 143 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-------------------------------------------------
fw-dn
-------------------------------------------------
n1:~# cat fw-dn
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
## Default policies: accept everything (filtering disabled)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
## Nat outbound packets
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 216.29.167.226
## Allow access to internal interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
------------------------------------------------
Router2 config:
-------------------------------------------------
/etc/init.d/fw-up
-------------------------------------------------
fw77:~# cat /etc/init.d/fw-up
## Clean up
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
## Drop packets
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
## Nat outbound packets
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 216.29.167.225
#stop stealth scans and bad flags.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
## Stateful
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allow outbound forwarding
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
## Allow access to internal interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
## HTTP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 80 -j DNAT --to 192.168.1.11:80
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 80 -j DNAT --to 192.168.1.10:80
iptables -A FORWARD -p TCP --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## HTTPS
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 443 -j DNAT --to 192.168.1.11:443
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 443 -j DNAT --to 192.168.1.10:443
iptables -A FORWARD -p TCP --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## SMTP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 25 -j DNAT --to 192.168.1.11:25
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 25 -j DNAT --to 192.168.1.10:25
iptables -A FORWARD -p TCP --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## IMAP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 143 -j DNAT --to 192.168.1.11:143
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 143 -j DNAT --to 192.168.1.10:143
iptables -A FORWARD -p TCP --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## IMAPS
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 993 -j DNAT --to 192.168.1.11:993
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 993 -j DNAT --to 192.168.1.10:993
iptables -A FORWARD -p TCP --dport 993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## DNS-TCP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 53 -j DNAT --to 192.168.1.11:53
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 53 -j DNAT --to 192.168.1.10:53
iptables -A FORWARD -p TCP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
##DNS-UDP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p UDP --dport 53 -j DNAT --to 192.168.1.11:53
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p UDP --dport 53 -j DNAT --to 192.168.1.10:53
iptables -A FORWARD -p UDP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## SSH
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 22 -j DNAT --to 192.168.1.10:22
iptables -A FORWARD -p TCP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## FTP
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 21 -j DNAT --to 192.168.1.10:21
iptables -A FORWARD -p TCP --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
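An added example, not part of Ryan's post or either router's scripts: a small Python evaluator for the filter-table FORWARD chain of an iptables script like the ones above. It rejoins the commands the mail client wrapped, parses only the matches these scripts use (-i/-o, -p, --sport/--dport, -m state --state, --tcp-flags, -P), and walks the chain the way the kernel does, first matching terminating rule wins, otherwise the policy applies. The embedded rule text is a shortened copy of Router1's fw-up FORWARD lines; the three packets are constructed. One thing worth checking with it, offered here as an assumption about the cause rather than a diagnosis: a mail server that performs an ident (tcp/113) or similar lookup back toward the connecting client sees that NEW connection silently DROPped by Router1's fw-up policy and has to time out, which shows up exactly as a slow initial connection, while under fw-dn the same packet is forwarded and answered at once.

```python
"""Evaluate the FORWARD chain of an iptables script (added example, not code
from the post). Supports only the matches the scripts above use: -i/-o, -p,
--sport/--dport (port or lo:hi), -m state --state, --tcp-flags and -P policy.
nat-table lines, flushes and other chains are ignored."""
import shlex

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def join_wrapped_lines(text):
    """Rejoin commands a mail client wrapped at ~72 columns: a line that starts
    with neither 'iptables' nor '#' continues the previous command."""
    cmds = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(("iptables", "#")) or not cmds:
            cmds.append(line)
        else:
            cmds[-1] += " " + line
    return cmds


def parse_port(spec):
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def flag_set(spec):
    spec = spec.upper()
    return set(TCP_FLAGS) if spec == "ALL" else set() if spec == "NONE" else set(spec.split(","))


def parse_chain(text, chain="FORWARD"):
    """Return (policy, rules) for one chain; each rule is a dict of options."""
    policy, rules = "ACCEPT", []
    for cmd in join_wrapped_lines(text):
        tok = shlex.split(cmd, comments=True)
        if len(tok) < 3 or tok[0] != "iptables" or "-t" in tok:
            continue                      # comments, flushes, nat table
        if tok[1:3] == ["-P", chain]:
            policy = tok[3]
            continue
        if tok[1:3] != ["-A", chain]:
            continue
        rule, i = {}, 3
        while i < len(tok):
            opt = tok[i]
            if opt == "-m":               # '-m state' only names an extension
                i += 2
            elif opt in ("-i", "-o", "-j"):
                rule[opt] = tok[i + 1]; i += 2
            elif opt == "-p":
                rule[opt] = tok[i + 1].lower(); i += 2
            elif opt in ("--sport", "--dport"):
                rule[opt] = parse_port(tok[i + 1]); i += 2
            elif opt == "--state":
                rule[opt] = set(tok[i + 1].split(",")); i += 2
            elif opt == "--tcp-flags":    # (mask, flags that must be set within mask)
                rule[opt] = (flag_set(tok[i + 1]), flag_set(tok[i + 2])); i += 3
            else:
                raise ValueError(f"unsupported option {opt!r} in: {cmd}")
        rules.append(rule)
    return policy, rules


def rule_matches(rule, pkt):
    """True when every condition in the rule holds for the packet."""
    if "-i" in rule and pkt["in"] != rule["-i"]:
        return False
    if "-o" in rule and pkt["out"] != rule["-o"]:
        return False
    if "-p" in rule and pkt["proto"] != rule["-p"]:
        return False
    for opt, key in (("--sport", "sport"), ("--dport", "dport")):
        if opt in rule and not rule[opt][0] <= pkt[key] <= rule[opt][1]:
            return False
    if "--state" in rule and pkt["state"] not in rule["--state"]:
        return False
    if "--tcp-flags" in rule:
        mask, comp = rule["--tcp-flags"]
        if pkt["proto"] != "tcp" or (pkt["flags"] & mask) != comp:
            return False
    return True


def verdict(text, pkt, chain="FORWARD"):
    """First matching terminating target decides; otherwise the chain policy."""
    policy, rules = parse_chain(text, chain)
    for rule in rules:
        if rule_matches(rule, pkt) and rule.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return rule["-j"]
    return policy


def packet(in_if, out_if, sport, dport, state, flags, proto="tcp"):
    return {"in": in_if, "out": out_if, "proto": proto, "sport": sport,
            "dport": dport, "state": state, "flags": set(flags)}


# Router1's fw-up FORWARD lines as wrapped in the post, shortened to the IMAP
# rules and two of the bad-flag rules; fw-dn sets the policy to ACCEPT only.
ROUTER1_FW_UP = """\
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## Outbound
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport
143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Inbound
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport
143 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""
ROUTER1_FW_DN = "iptables -P FORWARD ACCEPT\n"

# Constructed packets: the client's IMAP SYN, the server's reply, and a
# hypothetical server-side ident (tcp/113) lookup back toward the client.
IMAP_SYN = packet("eth0", "eth1", 40000, 143, "NEW", {"SYN"})
IMAP_REPLY = packet("eth1", "eth0", 143, 40000, "ESTABLISHED", {"SYN", "ACK"})
IDENT_LOOKUP = packet("eth1", "eth0", 50000, 113, "NEW", {"SYN"})

if __name__ == "__main__":
    for name, pkt in (("IMAP SYN", IMAP_SYN), ("IMAP reply", IMAP_REPLY), ("ident lookup", IDENT_LOOKUP)):
        print(f"{name:13} fw-up={verdict(ROUTER1_FW_UP, pkt):7} fw-dn={verdict(ROUTER1_FW_DN, pkt)}")
```

Run it and the IMAP handshake is accepted both ways under fw-up, while the ident packet is accepted under fw-dn and falls through to the DROP policy under fw-up. Because a DROP is silent, the server waits for its timeout rather than failing fast; if that turns out to be the cause, the usual fix is a FORWARD rule that answers tcp/113 from eth1 with `-j REJECT --reject-with tcp-reset` so the lookup fails immediately, rather than opening the port. The evaluator raises on any match it does not understand instead of guessing, so it will not silently misjudge a rule it cannot model.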