opie at 817west.com
Sun Feb 6 20:29:11 CET 2005
On Sun, 2005-02-06 at 13:51, Ted Gervais wrote:
> I have a problem getting mail packets to go out with my present firewall
is the mail server on a machine behind the firewall, or running on the
> What I have is a firewall that blocks/drops everything at the start and
> then it goes on to allow access through specific ports. For Port 25 or
> smtp to work, I have the following line which I was hoping to have mail
> coming and going with this statement. However, outgoing mail can go, but
> incoming has a problem:
> /usr/sbin/iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT
this allows TCP port 25 connections to the firewall itself.
> I also tried the following two lines to see if things would work but to no
> iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS \
> --dport 25 -j ACCEPT
that allows the firewall itself to send TCP packets out interface
$INTERNET if the source IP is $IPADDR, the source port is in $UNPRIVPORTS
and the destination port is 25.
> iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 25 -d $IPADDR \
> --dport $UNPRIVPORTS -j ACCEPT
allows TCP packets destined for the firewall itself inbound on interface
$INTERNET with flag SYN unset out of SYN, ACK, and RST, a source port of
25, destination IP $IPADDR and a destination port of $UNPRIVPORTS
> So, if I take the firewall down, mail comes and goes just great..
> What am I not seeing here??
first off--let me introduce you to a rule that (IMHO) should be at the
top of all your built-in filter chains (INPUT, OUTPUT, FORWARD):
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
which will eliminate things like mr. "iptables -A INPUT -i $INTERNET -p
tcp ! --syn --sport 25 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT"
second--if the mail server is running on a machine other than the
firewall itself--you need to add rules to the FORWARD chain of the
filter table, not INPUT/OUTPUT.
all this (and much more) knowledge can be dropped on a brother at:
"I bent my wookie."
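The two layouts the reply distinguishes (MTA on the firewall itself vs. MTA on a host behind it), written out as a rule set. This is an added example, not code from the original post or from the netfilter project. $INTERNET, $IPADDR and $UNPRIVPORTS are the variable names from the post; $LAN, $MAILHOST, the sample addresses and the dry-run wrapper are assumptions made here so the script can be inspected offline without root.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits the iptables rules for
# TCP/25 in two variants. Variable names from the post: INTERNET, IPADDR,
# UNPRIVPORTS. Assumed for this example: LAN, MAILHOST, the sample addresses
# (RFC 5737 / RFC 1918 documentation ranges) and the dry-run wrapper.
INTERNET=${INTERNET:-eth0}
IPADDR=${IPADDR:-192.0.2.10}        # firewall's public address (assumed)
LAN=${LAN:-eth1}                    # inside interface (assumed)
MAILHOST=${MAILHOST:-192.168.1.25}  # MTA behind the firewall (assumed)
UNPRIVPORTS=${UNPRIVPORTS:-1024:65535}

# Dry run by default: print each rule instead of applying it. Set APPLY=1 and
# run as root to load the rules for real.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Default-drop policy plus the stateful rule at the top of every built-in
# chain. This single rule replaces the hand-written "! --syn --sport 25"
# reply-traffic rule from the post.
common_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        ipt -P "$chain" DROP
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    ipt -A INPUT -i lo -j ACCEPT
}

# Case 1: the MTA runs on the firewall itself, so INPUT/OUTPUT are the right
# chains. Only the first packet (state NEW) of each connection needs a rule.
smtp_on_firewall() {
    common_rules
    # inbound: new connections from the Internet to the firewall's port 25
    ipt -A INPUT -i "$INTERNET" -p tcp -d "$IPADDR" --dport 25 \
        -m state --state NEW -j ACCEPT
    # outbound: the firewall's own MTA opening connections to remote port 25
    ipt -A OUTPUT -o "$INTERNET" -p tcp -s "$IPADDR" --sport "$UNPRIVPORTS" \
        --dport 25 -m state --state NEW -j ACCEPT
}

# Case 2: the MTA lives on $MAILHOST behind the firewall. Incoming port 25 is
# DNATed to it, and the traffic crosses the FORWARD chain, not INPUT/OUTPUT.
smtp_behind_firewall() {
    common_rules
    ipt -t nat -A PREROUTING -i "$INTERNET" -p tcp -d "$IPADDR" --dport 25 \
        -j DNAT --to-destination "$MAILHOST:25"
    # inbound mail, after DNAT the destination is already $MAILHOST
    ipt -A FORWARD -i "$INTERNET" -o "$LAN" -p tcp -d "$MAILHOST" --dport 25 \
        -m state --state NEW -j ACCEPT
    # outbound mail from the internal MTA, masqueraded as the firewall's IP
    ipt -A FORWARD -i "$LAN" -o "$INTERNET" -p tcp -s "$MAILHOST" --dport 25 \
        -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$INTERNET" -s "$MAILHOST" \
        -j SNAT --to-source "$IPADDR"
}

# Select the variant, e.g.  MODE=forward sh smtp-rules.sh
case "${MODE:-local}" in
    local)   smtp_on_firewall ;;
    forward) smtp_behind_firewall ;;
esac
```

Note the ESTABLISHED,RELATED rule sits in all three chains, so in the forwarding case the SMTP replies coming back from the internal MTA are matched by the FORWARD chain's stateful rule; no separate "! --syn" rule is needed for either direction.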