This is really getting frustrating - mainly because I don't really understand what I'm doing. Using a port scanner from an external webserver, it shows that ports 25, 80, and 10025 are all closed.
What am I missing? Here's the iptables dump from both my firewall and my internal server.

*** FIREWALL IPTABLES ***

> iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  903 84552 ACCEPT     all  --  eth0   *       192.168.69.0/24      0.0.0.0/0
    0     0 drop-and-log-it  all  --  eth1   *       192.168.69.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            67.106.235.126     state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:25
    6   644 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  619  290K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  709 49179 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            67.106.235.126     tcp dpt:25
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            67.106.235.126     tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.69.2       tcp dpt:25
    4   240 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    67.106.235.126       192.168.69.0/24
  900  154K ACCEPT     all  --  *      eth0    192.168.69.0/24      192.168.69.0/24
    0     0 drop-and-log-it  all  --  *      eth1    0.0.0.0/0            192.168.69.0/24
    6   504 ACCEPT     all  --  *      eth1    67.106.235.126       0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (5 references)
 pkts bytes target     prot opt in     out     source               destination
   10   884 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

> iptables -n -v -t nat -L
Chain PREROUTING (policy ACCEPT 68 packets, 4258 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       tcp  --  eth1   *       0.0.0.0/0            67.106.235.126     tcp dpt:25 to:192.168.0.2:25
    1    60 DNAT       tcp  --  eth1   *       0.0.0.0/0            67.106.235.126     tcp dpt:80 to:192.168.0.2:80
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            67.106.235.126     tcp dpt:10025 to:192.168.0.2:25

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  2666 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          to:67.106.235.126

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

*** INTERNAL SERVER IPTABLE ***

> iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13961 2377K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1998  255K ACCEPT     all  --  eth0   *       192.168.0.0/24       0.0.0.0/0
    0     0 drop-and-log-it  all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
 7474 2121K ACCEPT     all  --  eth1   *       0.0.0.0/0            192.168.69.2       state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:25
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80
 2333  196K drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13961 2377K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  116 11809 ACCEPT     all  --  *      eth0    192.168.69.2         192.168.0.0/24
 2318  709K ACCEPT     all  --  *      eth0    192.168.0.0/24       192.168.0.0/24
    0     0 drop-and-log-it  all  --  *      eth1    0.0.0.0/0            192.168.0.0/24
10229  840K ACCEPT     all  --  *      eth1    192.168.69.2         0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (5 references)
 pkts bytes target     prot opt in     out     source               destination
 2333  196K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

> iptables -n -v -t nat -L
Chain PREROUTING (policy ACCEPT 2672 packets, 228K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 539 packets, 29015 bytes)
 pkts bytes target     prot opt in     out     source               destination
  272 15327 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          to:192.168.69.2

Chain OUTPUT (policy ACCEPT 811 packets, 44342 bytes)
 pkts bytes target     prot opt in     out     source               destination

Thanx for your help,
Daniel
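
Added example, not part of the original post: a Python check that replays the firewall's own rules from the dump above. The FORWARD chain sees a packet's destination after PREROUTING DNAT has rewritten it, so the script looks up each rewritten address in FORWARD for a new connection; treating eth1 as the outside interface and ignoring the out-interface column are assumptions of this sketch.

```python
import ipaddress
import re

# Copied from the firewall dump in the post (packet/byte counters dropped).
PREROUTING = """\
DNAT tcp -- eth1 * 0.0.0.0/0 67.106.235.126 tcp dpt:25 to:192.168.0.2:25
DNAT tcp -- eth1 * 0.0.0.0/0 67.106.235.126 tcp dpt:80 to:192.168.0.2:80
DNAT tcp -- * * 0.0.0.0/0 67.106.235.126 tcp dpt:10025 to:192.168.0.2:25"""
FORWARD = """\
ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- eth1 * 0.0.0.0/0 67.106.235.126 tcp dpt:25
ACCEPT tcp -- eth1 * 0.0.0.0/0 67.106.235.126 tcp dpt:80
ACCEPT tcp -- * * 0.0.0.0/0 192.168.69.2 tcp dpt:25
drop-and-log-it all -- * * 0.0.0.0/0 0.0.0.0/0"""

def parse(line):
    """Turn one `iptables -n -L` rule line into a dict of match fields."""
    target, proto, _opt, in_if, _out, _src, dst, *rest = line.split()
    extra = " ".join(rest)
    dpt = re.search(r"dpt:(\d+)", extra)
    to = re.search(r"to:([\d.]+):(\d+)", extra)
    return {"target": target, "proto": proto, "in": in_if,
            "dst": ipaddress.ip_network(dst),
            "dpt": int(dpt.group(1)) if dpt else None,
            "new_ok": "state RELATED,ESTABLISHED" not in extra,
            "to": (to.group(1), int(to.group(2))) if to else None}

def forward_verdict(rules, in_if, dst_ip, dport):
    """First FORWARD target hit by a NEW tcp packet (out-interface ignored)."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["in"] in ("*", in_if) and r["proto"] in ("all", "tcp")
                and r["new_ok"] and dst in r["dst"]
                and r["dpt"] in (None, dport)):
            return r["target"]
    return "policy DROP"

def audit(in_if="eth1"):  # assumption: eth1 faces the Internet
    """Map each forwarded public port to (DNAT target, FORWARD verdict)."""
    fwd = [parse(l) for l in FORWARD.splitlines()]
    result = {}
    for rule in map(parse, PREROUTING.splitlines()):
        ip, port = rule["to"]
        result[rule["dpt"]] = (f"{ip}:{port}", forward_verdict(fwd, in_if, ip, port))
    return result

if __name__ == "__main__":
    for public_port, (target, verdict) in audit().items():
        print(f"{public_port} -> {target}: FORWARD {verdict}")
```

All three forwarded ports end in drop-and-log-it, whose REJECT with icmp-port-unreachable is what a remote scanner reports as closed. The 4 packets counted on that FORWARD rule equal the 2 + 1 + 1 packets counted on the three DNAT rules.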