
Re: Stateful problem when using IMAP. Need a Guru.



Maybe this will help explain it a little better:

http://www.mcalister.cc/net/net.jpg

Ryan

system_lists@nullzone.org wrote:


Have you checked whether that is a general problem on all external connections?

That just sounds like a DNS resolution problem (you will not get to log on to any service because the system needs to wait for a timeout on the DNS resolution request that it makes asking about your external IP address).

To see if that is just the problem, do a simple check:

1- change resolv.conf so the system asks 127.0.0.1, and shut down the DNS service if you have it up (to get a quick fail on DNS resolutions). Now just try to connect to the IMAP again. If it goes quickly, then that is the problem: just the DNS resolutions that the system is trying to do.

Seeya

At 12:39 31/12/2002 -0500, Ryan wrote:

When I enable stateful filtering (sh fw-up) on Router1, IMAP connections to my mail server behind Router2 are painfully slow during the initial connection. If I disable stateful filtering (sh fw-dn) on Router1, IMAP connections have no issues.

I have a feeling the problem is in the way I have stateful filtering enabled on Router2 but I'm too much of a n00b to figure it out.

Any ideas?

Ryan


Router1 configs:
-----------------------------------------
fw-up
-----------------------------------------
n1:~# cat fw-up
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

## Drop packets
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## Nat outbound packets
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 216.29.167.226

#stop stealth scans and bad flags.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP


## Allow access to internal interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT


## Outbound
iptables -A FORWARD -i eth0 -o eth1 -p UDP --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


## Inbound
iptables -A FORWARD -o eth0 -i eth1 -p UDP --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 143 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

-------------------------------------------------
fw-dn
-------------------------------------------------
n1:~# cat fw-dn
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

## Drop packets
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

## Nat outbound packets
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 216.29.167.226

## Allow access to internal interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
------------------------------------------------




Router2 config:
-------------------------------------------------
/etc/init.d/fw-up
-------------------------------------------------
fw77:~# cat /etc/init.d/fw-up
## Clean up
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

## Drop packets
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## Nat outbound packets
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 216.29.167.225

#stop stealth scans and bad flags.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP



## Stateful
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



## Allow outbound forwarding
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

## Allow access to internal interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT



## HTTP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 80 -j DNAT --to 192.168.1.11:80

##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 80 -j DNAT --to 192.168.1.10:80

iptables -A FORWARD -p TCP --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


## HTTPS
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 443 -j DNAT --to 192.168.1.11:443

##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 443 -j DNAT --to 192.168.1.10:443

iptables -A FORWARD -p TCP --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


## SMTP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 25 -j DNAT --to 192.168.1.11:25

##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 25 -j DNAT --to 192.168.1.10:25

iptables -A FORWARD -p TCP --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


## IMAP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 143 -j DNAT --to 192.168.1.11:143

##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 143 -j DNAT --to 192.168.1.10:143

iptables -A FORWARD -p TCP --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


## IMAPS
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 993 -j DNAT --to 192.168.1.11:993

##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 993 -j DNAT --to 192.168.1.10:993

iptables -A FORWARD -p TCP --dport 993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


## DNS-TCP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p TCP --dport 53 -j DNAT --to 192.168.1.11:53

##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 53 -j DNAT --to 192.168.1.10:53

iptables -A FORWARD -p TCP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


##DNS-UDP
##thesommergroup.com
iptables -t nat -A PREROUTING -d 216.29.167.222 -p UDP --dport 53 -j DNAT --to 192.168.1.11:53

##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p UDP --dport 53 -j DNAT --to 192.168.1.10:53

iptables -A FORWARD -p UDP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## SSH
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 22 -j DNAT --to 192.168.1.10:22

iptables -A FORWARD -p TCP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


## FTP
##mcalister.cc
iptables -t nat -A PREROUTING -d 216.29.167.220 -p TCP --dport 21 -j DNAT --to 192.168.1.10:21

iptables -A FORWARD -p TCP --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
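Added illustration, not code from the thread: a small Python matcher for the iptables option subset these scripts use, loaded with a slice of Router1's fw-up FORWARD chain, so you can see which packets of the IMAP exchange that chain accepts and where everything else falls through to the DROP policy. It assumes the conntrack state is supplied as a packet attribute rather than tracked.

```python
import shlex
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FLAG_ALIAS = {"ALL": TCP_FLAGS, "NONE": set()}
OPTS = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "--sport": "sport",
        "--dport": "dport", "--state": "state", "-j": "target"}

def flagset(spec):
    return FLAG_ALIAS.get(spec, set(spec.split(",")))

def parse_rule(line):
    """Turn one 'iptables -A CHAIN ...' line into a dict of match criteria."""
    rule, it = {}, iter(shlex.split(line)[1:])  # drop the leading 'iptables'
    for tok in it:
        if tok == "-m":
            next(it)  # match-extension name; only 'state' appears in these scripts
        elif tok == "--tcp-flags":  # mask first, then the flags that must be set
            rule["mask"], rule["comp"] = flagset(next(it)), flagset(next(it))
        elif tok in OPTS:
            rule[OPTS[tok]] = next(it)
        else:
            raise ValueError("unsupported option " + tok)
    return rule

def port_ok(spec, port):
    lo, _, hi = spec.partition(":")  # '143' or '1024:65535'
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    checks = {"in": lambda v: v == pkt["in"], "out": lambda v: v == pkt["out"],
              "proto": lambda v: v.lower() == pkt["proto"],
              "sport": lambda v: port_ok(v, pkt["sport"]),
              "dport": lambda v: port_ok(v, pkt["dport"]),
              "state": lambda v: pkt["state"] in v.split(","),
              "mask": lambda v: (pkt["flags"] & v) == rule["comp"]}
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def verdict(rules, policy, pkt):
    return next((r["target"] for r in rules if matches(r, pkt)), policy)  # first match wins

def pkt(inp, out, proto, sport, dport, state, flags=()):
    return {"in": inp, "out": out, "proto": proto, "sport": sport,
            "dport": dport, "state": state, "flags": set(flags)}

# Slice of Router1's fw-up FORWARD chain copied from the post; its policy is DROP.
ROUTER1_FORWARD = [parse_rule(l) for l in """
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p TCP --dport 1024:65535 --sport 143 -m state --state ESTABLISHED,RELATED -j ACCEPT
""".splitlines() if l.strip()]
```

Because the inbound rule admits only ESTABLISHED,RELATED and the chain policy is DROP, a connection initiated from outside toward the client's address gets no reply at all, so the peer waits for a timeout instead of a quick refusal; the fw-dn script, with ACCEPT policies, has no such silent drop.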








--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org






