Re: Iptables config - new



On Sun, Apr 14, 2002 at 12:28:16PM +0200, Lars Roland Kristiansen wrote:
> When using the following rules
> 
> -----------------------------------------------------------------------------
> iptables -P INPUT ACCEPT
> 
> iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 25,110,22 -i eth0 -j 
> ACCEPT
> -----------------------------------------------------------------------------
> 
> 
> 
> I get this output from iptables -vL.

 Looks like you've appended the same rules multiple times.  Use
iptables -F
to flush all the rules from all chains, then run your "firewall script" or
whatever you've cooked up :)

 Also, this is only the filter table.  If you have any rules in the NAT
table (which contains the PREROUTING, POSTROUTING and OUTPUT chains), they
could be having an effect.

> -----------------------------------------------------------------------------
> Chain INPUT (policy ACCEPT 1 packets, 102 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:auth reject-with icmp-port-unreachable
>     0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:auth reject-with icmp-port-unreachable
>     0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:auth reject-with icmp-port-unreachable
>    12   488 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>  1027 85784 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:smtp
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 10804 packets, 584K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> -----------------------------------------------------------------------------
> 
> 
> And now I can't telnet to port 25 from another machine, but I can from the
> local one. Like this:
> 
> ---------------------------------------------------
> localmachine$ telnet 192.168.2.2 25
> Trying 192.168.2.2...
> Connected to 192.168.2.2.
> Escape character is '^]'.
> 220 xxx.yyy.zzz.com ESMTP Postfix (Debian/GNU)
> ---------------------------------------------------
> 
> ---------------------------------------------------
> remotemachine$ telnet xxx.yyy.zzz.com 25
> 421 xxx.yyy.zzz.com Sorry, unable to contact destination SMTP daemon.
> ---------------------------------------------------

 Have you used tcpdump while you tried this?  I bet it's waiting for an
ident (aka auth) request, since you reject the auth port with ICMP
port-unreachable, not TCP reset.  As Laurent mentioned, this web site
<http://logi.cc/linux/reject_or_deny.php3> explains this issue.

(note that your firewall is blocking the establishment of your outgoing
connections because you haven't used
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 or similar.)

 Also note that all your policies were ACCEPT, so in fact the _only_ thing
your firewall is doing is preventing your mail server from working.

> 
> If I issue the command "/etc/init.d/iptables clear", which sets all policies
> to ACCEPT, I get the following output from iptables -vL.
> 
> 
> ---------------------------------------------------------
> Chain INPUT (policy ACCEPT 6 packets, 384 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 3 packets, 360 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> ----------------------------------------------------------
> 
> And now I can telnet to port 25 from another machine. An important note
> is that this problem is only with port 25; I can telnet to ports 110 and 22
> all the time.
> 
> Can anyone please enlighten me on this problem, as it is a bit weird.
> 
> Thanks for all the input and the help.

 Hope this helps, and I hope I didn't make any mistakes, because I'm just
getting my feet wet with iptables.  Someone please correct any mistakes :)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
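
[Editor's note: the script below is an added example and is not code from either poster or from Debian. It puts the three points of the reply above into one runnable firewall script: flush before appending so re-running never duplicates rules, accept ESTABLISHED,RELATED traffic so outgoing connections get their replies, and reject ident (tcp/113) with a TCP reset rather than an ICMP port-unreachable. It assumes the public interface is eth0 and that ssh, smtp and pop3 are the services to expose; the IPT and WAN_IF variables and the count_duplicate_rules function are this example's own. The -m state match is what the thread uses; on current kernels -m conntrack --ctstate is the equivalent.]

```shell
#!/bin/sh
# Added example, not code from the thread above. Rebuilds the INPUT chain
# idempotently (flush first, so re-running never appends duplicate rules),
# lets replies to outgoing connections back in, and answers ident/auth
# (tcp/113) with a TCP reset instead of an ICMP port-unreachable.
# Assumptions: the public interface is eth0 (as in the thread) and the
# services to expose are ssh, smtp and pop3. Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"

apply_rules() {
    # Accept while the chain is rebuilt so a remote admin is not locked out
    # between the flush and the ESTABLISHED rule; tighten the policy last.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated (outgoing SMTP, DNS, ...).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 22,25,110 -j ACCEPT
    # Ident: a RST makes the remote MTA give up at once; an ICMP
    # port-unreachable leaves some clients waiting for a timeout.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    $IPT -P INPUT DROP
}

# Reads "iptables -vL" output on stdin and prints the number of distinct
# rules that occur more than once in the same chain (0 means no duplicates).
# The packet and byte counters are stripped before comparing.
count_duplicate_rules() {
    awk '
        /^Chain /        { chain = $2; next }
        /^ *pkts +bytes/ { next }
        NF == 0          { next }
        {
            $1 = ""; $2 = ""
            seen[chain ":" $0]++
        }
        END {
            n = 0
            for (k in seen) if (seen[k] > 1) n++
            print n
        }
    '
}

case "${1:-}" in
    apply) apply_rules ;;
    check) count_duplicate_rules ;;
esac
```

Run `IPT=echo sh firewall.sh apply` to see the commands without touching the kernel, `sh firewall.sh apply` as root to load them, and `iptables -vL | sh firewall.sh check` to confirm the chain holds no repeated rules (the output quoted in the thread would report 6: the auth REJECT and each of the pop3, ssh and smtp ACCEPTs appear several times). The policy is set to ACCEPT before the flush and to DROP only after the ESTABLISHED,RELATED rule is in place, so a run over an SSH session does not cut that session off.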

