pop3 and vpn

Vinod H vinwin at gmail.com
Thu Aug 11 12:54:31 CEST 2005


Hi, 


I am Vinod. I have Red Hat Linux 9 as my firewall and mail server, and I want to open the POP3 (110) port. We have a Cisco VPN installed at our UK office, and from here we are trying to connect to the VPN server through the Cisco VPN Client installed on one of the Windows 2000 Pro client machines. If I connect through some internet dialup I am able to connect, but if I go through our internet gateway, which is our firewall, I am not able to connect.


I don't know whether I need to open some port in the firewall so that my VPN works fine. Following is my iptables:


# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004 
*mangle 
:PREROUTING ACCEPT [7589140:3899377832] 
:INPUT ACCEPT [1296105:906900344] 
:FORWARD ACCEPT [6292332:2992176682] 
:OUTPUT ACCEPT [836464:135776667] 
:POSTROUTING ACCEPT [7126045:3127754859] 
COMMIT 
# Completed on Tue Jun 15 15:16:30 2004 
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004 
*nat 
:PREROUTING ACCEPT [376941:25700390] 
:POSTROUTING ACCEPT [5165:313017] 
:OUTPUT ACCEPT [10977:675933] 
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 22.8.33.9 -i eth0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.0.1
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT 
# Completed on Tue Jun 15 15:16:30 2004 
# Generated by iptables-save v1.2.9 on Tue Jun 15 15:16:30 2004 
*filter 
:ICMPINBOUND - [0:0] 
:LINVALID - [0:0] 
:SMB - [0:0] 
:INPUT DROP [0:0] 
:LDROP - [0:0] 
:SPECIALPORTS - [0:0] 
:LBADFLAG - [0:0] 
:OUTPUT DROP [0:0] 
:TCPACCEPT - [0:0] 
:LPINGFLOOD - [0:0] 
:ICMPOUTBOUND - [0:0] 
:FORWARD DROP [0:0] 
:LSPECIALPORT - [0:0] 
:LSYNFLOOD - [0:0] 
:CHECKBADFLAG - [0:0] 
:LREJECT - [0:0] 
-A INPUT -m state --state INVALID -j LINVALID 
-A INPUT -p tcp -j CHECKBADFLAG 
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 127.0.0.0/255.0.0.0 -j LREJECT 
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT 
-A INPUT -s 192.168.0.0/255.255.255.0 -j LREJECT 
-A INPUT -p icmp -i eth0 -j ICMPINBOUND 
-A INPUT -p udp -m udp --dport 33434:33523 -j LDROP 
-A INPUT -i eth0 -j SMB 
-A INPUT -p tcp -m tcp -i eth0 --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp -i eth0 --dport 25 -j TCPACCEPT 
-A INPUT -i eth0 -j SPECIALPORTS 
-A INPUT -m state -i eth0 --state ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED -j TCPACCEPT
-A INPUT -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED -j ACCEPT
-A INPUT -j LDROP 
-A FORWARD -m state --state INVALID -j LINVALID 
-A FORWARD -p tcp -j CHECKBADFLAG 
-A FORWARD -o eth0 -j SMB 
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 80 -j ACCEPT 
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 21 -j ACCEPT 
-A FORWARD -p tcp -m tcp -s 192.168.0.1 -o eth0 --sport 20 -j ACCEPT 
-A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 --sport 1024:65535 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 --sport 1024:65535 -j ACCEPT
-A FORWARD -p icmp -s 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j SMB 
-A FORWARD -m state -i eth0 --state ESTABLISHED -j ACCEPT 
-A FORWARD -p tcp -m tcp -m state -i eth0 --dport 1024:65535 --state RELATED -j TCPACCEPT
-A FORWARD -p udp -m udp -m state -i eth0 --dport 1024:65535 --state RELATED -j ACCEPT
-A FORWARD -p icmp -m state -i eth0 --state RELATED -j ACCEPT 
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 80 -j ACCEPT 
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 21 -j ACCEPT 
-A FORWARD -p tcp -m tcp -d 192.168.0.1 -i eth0 --dport 20 -j ACCEPT 
-A FORWARD -j LDROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j ACCEPT 
-A OUTPUT -p icmp -o eth0 -j ICMPOUTBOUND 
-A OUTPUT -o eth0 -j SMB 
-A OUTPUT -p tcp -m tcp -o eth0 --sport 113 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m tcp -m state -o eth0 --sport 25 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 22.8.33.9 -o eth0 --sport 1024:65535 -j ACCEPT
-A OUTPUT -p udp -m udp -s 22.8.33.9 -o eth0 --sport 1024:65535 -j ACCEPT
-A OUTPUT -j LDROP 
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG 
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LBADFLAG 
-A ICMPINBOUND -p icmp -m icmp -m limit --icmp-type 8 --limit 5/sec --limit-burst 10 -j ACCEPT
-A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP 
-A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP 
-A ICMPINBOUND -p icmp -j ACCEPT 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP 
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP 
-A ICMPOUTBOUND -p icmp -j ACCEPT 
-A LBADFLAG -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
-A LBADFLAG -j DROP
-A LDROP -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=DROP "
-A LDROP -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=DROP "
-A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
-A LDROP -m limit -f --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
-A LDROP -j DROP
-A LINVALID -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=INVALID:1 a=DROP "
-A LINVALID -j DROP
-A LPINGFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
-A LPINGFLOOD -j DROP
-A LREJECT -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=REJECT "
-A LREJECT -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=REJECT "
-A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
-A LREJECT -m limit -f --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
-A LREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LSPECIALPORT -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
-A LSPECIALPORT -j DROP
-A LSYNFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
-A LSYNFLOOD -j DROP
-A SMB -p tcp -m tcp --dport 137 -j DROP 
-A SMB -p tcp -m tcp --dport 138 -j DROP 
-A SMB -p tcp -m tcp --dport 139 -j DROP 
-A SMB -p tcp -m tcp --dport 445 -j DROP 
-A SMB -p udp -m udp --dport 137 -j DROP 
-A SMB -p udp -m udp --dport 138 -j DROP 
-A SMB -p udp -m udp --dport 139 -j DROP 
-A SMB -p udp -m udp --dport 445 -j DROP 
-A SMB -p tcp -m tcp --sport 137 -j DROP 
-A SMB -p tcp -m tcp --sport 138 -j DROP 
-A SMB -p tcp -m tcp --sport 139 -j DROP 
-A SMB -p tcp -m tcp --sport 445 -j DROP 
-A SMB -p udp -m udp --sport 137 -j DROP 
-A SMB -p udp -m udp --sport 138 -j DROP 
-A SMB -p udp -m udp --sport 139 -j DROP 
-A SMB -p udp -m udp --sport 445 -j DROP 
-A SPECIALPORTS -p tcp -m tcp --dport 6670 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 1243 -j LSPECIALPORT 
-A SPECIALPORTS -p udp -m udp --dport 1243 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 27374 -j LSPECIALPORT 
-A SPECIALPORTS -p udp -m udp --dport 27374 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 6711:6713 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 12345:12346 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 20034 -j LSPECIALPORT 
-A SPECIALPORTS -p udp -m udp --dport 31337:31338 -j LSPECIALPORT 
-A SPECIALPORTS -p tcp -m tcp --dport 6000:6063 -j LSPECIALPORT 
-A SPECIALPORTS -p udp -m udp --dport 28431 -j LSPECIALPORT 
-A TCPACCEPT -p tcp -m tcp -m limit --tcp-flags SYN,RST,ACK SYN --limit 5/sec --limit-burst 10 -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LSYNFLOOD 
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
COMMIT 


I want to know how to open the POP3 port for outside access, and for a particular IP, and which port should be open for my VPN to work, and how to

Someone please help me with this issue; it is very urgent.


Thanks in advance 


Regards 


Vinod
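An added example (the editor's, not part of Vinod's post or of any reply on the list) showing one way to add the two things asked for on top of the posted rule set. Its assumptions: the POP3 server is the firewall itself (the post says the box is both firewall and mail server); 203.0.113.10 is a placeholder for the single outside address allowed to read mail; 198.51.100.20 is a placeholder for the UK concentrator; the Cisco client sits on the 192.168.0.0/24 LAN behind eth1; and the insert positions refer to the INPUT and FORWARD chains exactly as posted, where rules 1 and 2 are the INVALID and CHECKBADFLAG sanity checks. Commands are printed rather than executed unless DRY_RUN=0, so the result can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original post.
#   IPT      - iptables binary (assumed path)
#   DRY_RUN  - 1 (default): print the commands; 0: run them
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# POP3 (tcp/110) on the firewall itself, from one outside address only.
# Mirrors the posted SMTP rule: the TCPACCEPT chain rate-limits SYNs.
# Position 3 lands after the INVALID and CHECKBADFLAG checks in the posted
# INPUT chain and well before the final '-A INPUT -j LDROP'.
pop3_rules() {
    remote=$1
    ipt -I INPUT 3 -i eth0 -p tcp -s "$remote" --dport 110 -j TCPACCEPT
    # The posted OUTPUT chain only lets the firewall talk from ports
    # 1024:65535 (plus an explicit rule for 25); replies from port 110
    # would otherwise hit the final '-A OUTPUT -j LDROP'.
    ipt -I OUTPUT 1 -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
}

# IPsec pass-through for a Cisco VPN client on the LAN (eth1) going out eth0.
# The posted FORWARD rules only pass LAN traffic with --sport 1024:65535;
# IKE uses source and destination port 500, so the handshake never leaves.
# NAT-T (udp/4500) wraps ESP in UDP, which the posted MASQUERADE rule can
# rewrite; raw ESP (IP protocol 50) from a masqueraded client will not be.
# Replies come back through the existing '-i eth0 --state ESTABLISHED' rule.
vpn_rules() {
    concentrator=$1
    ipt -I FORWARD 3 -i eth1 -o eth0 -p udp -d "$concentrator" --dport 500 -j ACCEPT
    ipt -I FORWARD 4 -i eth1 -o eth0 -p udp -d "$concentrator" --dport 4500 -j ACCEPT
    # Only needed if the concentrator is configured for IPsec over TCP
    # (Cisco's default for that is tcp/10000); harmless otherwise.
    ipt -I FORWARD 5 -i eth1 -o eth0 -p tcp -d "$concentrator" --dport 10000 -j ACCEPT
}

pop3_rules "${REMOTE_IP:-203.0.113.10}"
vpn_rules  "${VPN_SERVER:-198.51.100.20}"
```

Run it as `DRY_RUN=0 REMOTE_IP=<client> VPN_SERVER=<concentrator> sh vpn-pop3.sh` on the firewall to apply, then `iptables-save` to persist. Before changing anything, the IKE source-port point is the one to confirm in the kernel log: a line carrying the posted `fp=UDP:2 a=DROP` prefix with `IN=eth1 OUT=eth0 ... PROTO=UDP SPT=500 DPT=500` shows the handshake dying at the `--sport 1024:65535` rule. Two caveats: the positions above assume the chains are exactly as posted (check with `iptables -L FORWARD --line-numbers` first), and POP3 carries passwords in the clear, so restricting it to one source address as asked is the minimum; POP3 over TLS on 995 is the better choice if the client supports it.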


