Problem with iptables (cant open port 25 out)

Support for security such as Firewalls and securing linux
altariq
Posts: 6
Joined: 2007/10/12 22:41:22

Problem with iptables (cant open port 25 out)

Post by altariq » 2007/10/12 22:52:38

Hi there,

I'm writing what I know because the server is at the company and I'm at home. (Normal at this time :-) )

It's a CentOS 4.4 server running Open-Xchange, Cyrus IMAP, Postfix, ClamWin and so on. Incoming messages come directly to this relay and receiving works fine, but outgoing is a problem.

I made a firewall script for the server.
It looks like this:

[code]
#!/bin/bash
# Flush all rules in the filter table before rebuilding them
iptables -F
#
# First deny all
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Localhost Access
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
# eth0: the LAN, plus SSH and SMTP
#
iptables -A INPUT -i eth0 -s 192.1.1.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT
#
# eth1: SMTP and HTTP
#
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 80 -j ACCEPT
#
# Save settings (writes /etc/sysconfig/iptables on CentOS)
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
[/code]

A telnet external_ip 25 from a computer outside our network brings nothing. Without the firewall it works. But I don't know where my fault is.

PS: Sorry for my English, I come from Germany :-o

altariq
Posts: 6
Joined: 2007/10/12 22:41:22

Re: Problem with iptables (cant open port 25 out)

Post by altariq » 2007/10/15 18:10:41

Is there nobody who can help me?
I am building a server and need the information for tomorrow, so it would be very nice if someone could help.

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Problem with iptables (cant open port 25 out)

Post by michaelnel » 2007/10/15 19:13:35

Your firewall script is hosed.

Look in /etc/sysconfig, there should be a file called iptables. Edit that to open port 25, then save it and do "service iptables restart".

altariq
Posts: 6
Joined: 2007/10/12 22:41:22

Re: Problem with iptables (cant open port 25 out)

Post by altariq » 2007/10/15 21:02:02

I'm confused. When I start this script it writes the content to /sysconfig/iptables.
I do:

[code]
[root@grpware ox]# /etc/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
[root@grpware ox]# telnet smtp.1und1.com 25
Trying 212.227.15.145...
Connected to smtp.1und1.com (212.227.15.145).
Escape character is '^]'.
220 smtp.1und1.com (mrelayeu2) Welcome to Nemesis ESMTP server
quit
221 smtp.1und1.com Bye
Connection closed by foreign host.
[root@grpware ox]#

[root@grpware ox]# cd /home/ox/
[root@grpware ox]# ./myfirewall
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
4 208 ACCEPT all -- eth0 any 192.168.2.0/24 anywhere
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- eth1 any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- eth1 any anywhere anywhere tcp dpt:http
0 0 ACCEPT udp -- eth1 any anywhere anywhere udp dpt:http

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 7 packets, 748 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT tcp -- any eth0 anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- any eth1 anywhere anywhere tcp dpt:smtp

[root@grpware ox]# telnet smtp.1und1.com 25
Trying 212.227.15.145...

[/code]

Then there comes nothing...

freeloadr
Posts: 2
Joined: 2007/07/18 17:55:37

Re: Problem with iptables (cant open port 25 out)

Post by freeloadr » 2007/10/15 21:11:39

Looks like you're not letting the return traffic back in. Try adding some related,established rules.

altariq
Posts: 6
Joined: 2007/10/12 22:41:22

Re: Problem with iptables (cant open port 25 out)

Post by altariq » 2007/10/15 21:22:08

Okay, now it works with:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

but is that secure? I hope so :)

Thank you for your help
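The fix from freeloadr's reply and altariq's follow-up carried into a complete ruleset, as an added example that is not the poster's script and not from the CentOS wiki: the state rule sits first, the service rules match only NEW connections, and a small lint checks the order before anything is loaded. It assumes the interface names, ports and the 192.168.2.0/24 LAN shown in the thread, and that iptables-restore is available as it is on CentOS 4.

```shell
#!/bin/bash
# Added example, not the poster's script: the thread's firewall rebuilt around the
# ESTABLISHED,RELATED rule, in iptables-restore format so the ruleset can be reviewed
# as text and loaded atomically. Interfaces, ports and LAN are taken from the thread.
set -eu

gen_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Reply traffic for connections conntrack already knows about. This is what lets
# the SYN-ACK from smtp.1und1.com back in. It admits no NEW connections, so the
# DROP policy still decides every unsolicited packet: that is why it is safe to add.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that claim to belong to a connection conntrack has never seen
-A INPUT -m state --state INVALID -j DROP
# LAN and the published services; only NEW connections need rules now
-A INPUT -i eth0 -s 192.168.2.0/24 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# The OUTPUT dport 25 rules are omitted (OUTPUT policy is already ACCEPT), as is udp/80.
COMMIT
EOF
}

# 1-based position of the first INPUT rule matching $1 (0 if absent)
rule_index() {
  gen_rules | grep -- '^-A INPUT' | grep -n -- "$1" | head -n1 | cut -d: -f1 | grep . || echo 0
}

# The state rule must exist and sit before every port rule, so replies are
# accepted by one early match instead of falling through the whole chain.
check_order() {
  [ "$(rule_index 'ESTABLISHED,RELATED')" -gt 0 ] &&
  [ "$(rule_index 'ESTABLISHED,RELATED')" -lt "$(rule_index '--dport')" ]
}

apply_rules() {                 # only run as root on the server itself
  check_order
  gen_rules | iptables-restore
  /sbin/service iptables save   # persist to /etc/sysconfig/iptables as on CentOS 4
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it with `apply` as root to load the rules; without that argument it only generates and checks the ruleset.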

toracat
Forum Moderator
Posts: 7386
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Problem with iptables (cant open port 25 out)

Post by toracat » 2007/10/15 21:41:06

For anyone interested, there is a fine CentOS wiki article on iptables authored by NedSlider:

http://wiki.centos.org/HowTos/Network/IPTables

hi_vkkadam
Posts: 74
Joined: 2007/11/05 16:08:34
Location: Pune

Re: Problem with iptables (cant open port 25 out)

Post by hi_vkkadam » 2007/11/23 18:57:00

You specify source and destination along with port in your script.
