Iptables, tcpdump and smtp... Hmmm

Post by Edoardo Cos » Sat, 22 Dec 2001 07:43:45

Hi all,
I got a little problem with my fw and I can't figure out what's wrong.

I opened it up (smtp) to make sure I could send my mail:

$ipt -A INPUT  -v -p TCP --dport 25 -j ACCEPT
$ipt -A OUTPUT  -v -p TCP --dport 25 -j ACCEPT

(short term solution ;)

My mail still doesn't go out!
I ran a tcp dump with the firewall activated and one without.  The
mail only goes out *without* the firewall and the only difference I
can find in the tcpdump log is that the mail isn't pushed (P flag).

Can anyone tell me what I'm restricting?

A sample of the tcp dumps and a cut of my fw script.

Many thanks
Ed.

TCPDUMP with firewall:
----------------------
23:19:52.859180 < mta-v12.level3.mail.yahoo.com.smtp >
213-193-176-112.adsl.easynet.be.1052: . 1:1(0) ack 1 win 16944 (DF)
23:19:52.859180 < mta-v12.level3.mail.yahoo.com.smtp >
213-193-176-112.adsl.easynet.be.1052: S 665258338:665258338(0) ack
1313812476 win 16944 <mss 1412> (DF)
23:19:58.879180 < mta-v11.level3.mail.yahoo.com.smtp >
213-193-176-112.adsl.easynet.be.1051: R 1:1(0) ack 1 win 65535 (DF)
23:20:04.689180 > 213-193-176-112.adsl.easynet.be.1052 >
mta-v12.level3.mail.yahoo.com.smtp: S 1313812475:1313812475(0) win
5808 <mss 1452,sackOK,timestamp 196576 0,nop,wscale 0> (DF)

TCPDUMP without firewall:
-------------------------
23:21:53.359180 > 213-193-176-112.adsl.easynet.be.1054 >
mta-v18.level3.mail.yahoo.com.smtp: . 1:1(0) ack 1 win 5808 (DF)
23:21:53.719180 < mta-v18.level3.mail.yahoo.com.smtp >
213-193-176-112.adsl.easynet.be.1054: P 1:54(53) ack 1 win 16944 (DF)
23:21:53.719180 > 213-193-176-112.adsl.easynet.be.1054 >
mta-v18.level3.mail.yahoo.com.smtp: . 1:1(0) ack 54 win 5808 (DF)
23:21:53.729180 > 213-193-176-112.adsl.easynet.be.1054 >
mta-v18.level3.mail.yahoo.com.smtp: P 1:26(25)

firewall (temp and insecure, I insist :)
# Enable DNS
$ipt -A INPUT   -v -p UDP --sport 53 -i ppp0 -s x.x.x.x -d $WWWIF -j ACCEPT
$ipt -A OUTPUT  -v -p UDP --dport 53 -o ppp0 -d x.x.x.x -s $WWWIF -j ACCEPT

# Enable SMTP - Open to the world in OUTPUT -needs securing-
$ipt -A INPUT  -v -p TCP --dport 25 -j ACCEPT
$ipt -A OUTPUT  -v -p TCP --dport 25 -j ACCEPT

# Enable ICMP
$ipt -A INPUT   -v -p ICMP -j ACCEPT
$ipt -A OUTPUT  -v -p ICMP -j ACCEPT

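An added example, not part of Ed's post or any reply: a small script that sorts an old-style tcpdump capture (the `<`/`>` direction marker that ppp0 captures carry after the timestamp) into TCP handshake stages per local port. The point it makes is the one the P-flag comparison misses: tcpdump on the interface sees an inbound packet before the INPUT chain does, so a server SYN/ACK that is on the wire but never acknowledged by this host was dropped locally. The two captures are the ones from the post with their wrapped lines rejoined; the verdict names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify an old-style tcpdump
# capture by TCP handshake stage per local port. An inbound packet is
# captured before the INPUT chain sees it, so "reply on the wire but
# never acknowledged by this host" points at a local INPUT drop.

# Constructed sample input: the two captures from the post with their
# wrapped lines rejoined, one packet per line.
CAPTURE_WITH_FW='23:19:52.859180 < mta-v12.level3.mail.yahoo.com.smtp > 213-193-176-112.adsl.easynet.be.1052: . 1:1(0) ack 1 win 16944 (DF)
23:19:52.859180 < mta-v12.level3.mail.yahoo.com.smtp > 213-193-176-112.adsl.easynet.be.1052: S 665258338:665258338(0) ack 1313812476 win 16944 <mss 1412> (DF)
23:19:58.879180 < mta-v11.level3.mail.yahoo.com.smtp > 213-193-176-112.adsl.easynet.be.1051: R 1:1(0) ack 1 win 65535 (DF)
23:20:04.689180 > 213-193-176-112.adsl.easynet.be.1052 > mta-v12.level3.mail.yahoo.com.smtp: S 1313812475:1313812475(0) win 5808 <mss 1452,sackOK,timestamp 196576 0,nop,wscale 0> (DF)'

CAPTURE_WITHOUT_FW='23:21:53.359180 > 213-193-176-112.adsl.easynet.be.1054 > mta-v18.level3.mail.yahoo.com.smtp: . 1:1(0) ack 1 win 5808 (DF)
23:21:53.719180 < mta-v18.level3.mail.yahoo.com.smtp > 213-193-176-112.adsl.easynet.be.1054: P 1:54(53) ack 1 win 16944 (DF)
23:21:53.719180 > 213-193-176-112.adsl.easynet.be.1054 > mta-v18.level3.mail.yahoo.com.smtp: . 1:1(0) ack 54 win 5808 (DF)
23:21:53.729180 > 213-193-176-112.adsl.easynet.be.1054 > mta-v18.level3.mail.yahoo.com.smtp: P 1:26(25)'

# stdin: capture lines. stdout: one "port <local-port> <VERDICT>" line per port.
handshake_report() {
    awk '
    {
        dir = ($2 == ">") ? "out" : "in"
        # the local endpoint is the source of outbound and the destination
        # of inbound packets; its port is the last dot-separated field
        ep = (dir == "out") ? $3 : $5
        sub(/:$/, "", ep)
        n = split(ep, parts, ".")
        port = parts[n]
        seen[port] = 1
        flags = $6
        hasack = ($0 ~ / ack /)
        if (dir == "out" && flags ~ /S/)            syn[port] = 1     # our SYN left the box
        if (dir == "in"  && flags ~ /S/ && hasack)  synack[port] = 1  # server SYN/ACK arrived on the wire
        if (dir == "out" && flags == "." && hasack) ack[port] = 1     # this host acknowledged something
        if (flags ~ /P/)                            data[port] = 1    # payload flowing
    }
    END {
        for (p in seen) {
            if (synack[p] && !ack[p])      v = "INCOMPLETE"   # SYN/ACK seen, never answered: local INPUT drop
            else if (syn[p] && !synack[p]) v = "NO_REPLY"     # SYN left, remote never answered
            else if (ack[p] || data[p])    v = "ESTABLISHED"
            else                           v = "OTHER"        # e.g. a stray RST on an unrelated port
            print "port " p " " v
        }
    }'
}

echo "with firewall:";    printf '%s\n' "$CAPTURE_WITH_FW"    | handshake_report
echo "without firewall:"; printf '%s\n' "$CAPTURE_WITHOUT_FW" | handshake_report
```

Run against the two captures it reports port 1052 as INCOMPLETE (the SYN/ACK from port 25 arrived, the client never ACKed it and instead retransmitted its SYN twelve seconds later) and port 1054 as ESTABLISHED, which is exactly the INPUT-side problem the replies below point out.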

Post by Tim Wooda » Sat, 22 Dec 2001 08:30:04

On 20 Dec 2001 14:43:45 -0800,

> Hi all,
>I got a little problem with my fw and I can't figure out what's wrong.

>I opened it up (smtp) to make sure I could send my mail:

>$ipt -A INPUT  -v -p TCP --dport 25 -j ACCEPT
>$ipt -A OUTPUT  -v -p TCP --dport 25 -j ACCEPT

>(short term solution ;)

>My mail still doesn't go out!
>I ran a tcp dump with the firewall activated and one without.  The
>mail only goes out *without* the firewall and the only difference I
>can find in the tcpdump log is that the mail isn't pushed (P flag).

>Can anyone tell me what I'm restricting?

You will probably find it easier if you log what packets your
firewall is dropping, rather than trying to log the packets over
the network.

However, if you are allowing OUTPUT packets to dport 25 then you
need to somehow allow INPUT packets from sport 25.

However, your rules are _VERY_ insecure as
$ipt -A input -v -p TCP --sport 25 -j ACCEPT is almost as good as
no firewall at all (not quite as good because you might think you
are safe with a firewall like this, with none at all you know you aren't)

Investigate ESTABLISHED connections (and possibly RELATED as well for
the future)

It would also be worth learning about the LOG chain. Look for any of the
firewalls on the web and strip them down to their absolute minimum and then
rebuild them, learning what each line does and why you want it (or not).

If you don't understand a line and you have a default of DROP then you are
(usually) safe if you leave it out.

Tim.

--

and there was light.

   http://locofungus.2y.net/   http://www.locofungus.btinternet.co.uk/


Post by Karl Heye » Sat, 22 Dec 2001 09:13:19

> Hi all,
> I got a little problem with my fw and I can't figure out what's wrong.

> I opened it up (smtp) to make sure I could send my mail:

> $ipt -A INPUT  -v -p TCP --dport 25 -j ACCEPT
> $ipt -A OUTPUT  -v -p TCP --dport 25 -j ACCEPT

> (short term solution ;)

> My mail still doesn't go out!
> I ran a tcp dump with the firewall activated and one without.  The
> mail only goes out *without* the firewall and the only difference I
> can find in the tcpdump log is that the mail isn't pushed (P flag).

> Can anyone tell me what I'm restricting?

The SMTP server is trying to talk to your machine on some high-numbered
port, e.g. 1052 in the snapshot, and the firewall is disallowing it.

$ipt -A INPUT -p tcp --sport smtp -i ppp0 -j ACCEPT

That will allow the remote box to connect in. You want to state the
source IP, but Yahoo use various servers.

karl.
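An added example that is not code from the thread: the stateful minimum that both Tim's reply (ESTABLISHED/RELATED, a LOG rule, default DROP) and Karl's reply (let the server's packets from source port 25 back in) point at, written as a script in the style of Ed's. It assumes `ppp0` as the external interface and keeps his `x.x.x.x` resolver placeholder, both of which must be replaced; the `IPT` variable defaults to `echo iptables`, so it prints the rules rather than applying them until run as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful ruleset for a
# host that only needs to send mail. Dry run by default: IPT echoes the
# commands; run with IPT=iptables as root to apply. ppp0 and the resolver
# address are assumptions carried over from Ed's script (x.x.x.x is his
# placeholder and must be replaced with the real resolver).
IPT="${IPT:-echo iptables}"
EXTIF="${EXTIF:-ppp0}"
DNS="${DNS:-x.x.x.x}"

smtp_rules() {
    # Start from an empty ruleset with a default of DROP, so anything not
    # listed below is refused (and, thanks to the LOG rules, recorded).
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Replies to connections this host opened. This is what lets the
    # server's SYN/ACK from source port 25 in; an "INPUT --dport 25" rule
    # can never match that packet.
    $IPT -A INPUT  -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound mail: only the first packet of a new connection needs a rule.
    $IPT -A OUTPUT -o "$EXTIF" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # MX lookups to one named resolver, UDP and TCP (TCP carries answers
    # too large for a UDP datagram).
    $IPT -A OUTPUT -o "$EXTIF" -p udp --dport 53 -d "$DNS" -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -p tcp --dport 53 -d "$DNS" -m state --state NEW -j ACCEPT

    # Everything else is logged just before the DROP policy takes it, so a
    # blocked packet shows up in syslog instead of having to be inferred
    # from a tcpdump diff.
    $IPT -A INPUT  -i "$EXTIF" -j LOG --log-prefix "fw-drop-in: "
    $IPT -A OUTPUT -o "$EXTIF" -j LOG --log-prefix "fw-drop-out: "
}

smtp_rules
```

There is deliberately no rule accepting new connections to local port 25: Ed only wants to deliver mail, and the ESTABLISHED,RELATED rule already admits every reply to a connection this host opened, which is why a blanket `--sport 25` ACCEPT (the rule Tim warns about) is not needed.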


Post by Sangwon S » Sat, 22 Dec 2001 09:35:45

You must open port 53 (UDP and TCP).

> Hi all,
> I got a little problem with my fw and I can't figure out what's wrong.

> I opened it up (smtp) to make sure I could send my mail:

> $ipt -A INPUT  -v -p TCP --dport 25 -j ACCEPT
> $ipt -A OUTPUT  -v -p TCP --dport 25 -j ACCEPT

> (short term solution ;)

> My mail still doesn't go out!
> I ran a tcp dump with the firewall activated and one without.  The
> mail only goes out *without* the firewall and the only difference I
> can find in the tcpdump log is that the mail isn't pushed (P flag).

> Can anyone tell me what I'm restricting?

> A sample of the tcp dumps and a cut of my fw script.

> Many thanks
> Ed.

> TCPDUMP with firewall:
> ----------------------
> 23:19:52.859180 < mta-v12.level3.mail.yahoo.com.smtp >
> 213-193-176-112.adsl.easynet.be.1052: . 1:1(0) ack 1 win 16944 (DF)
> 23:19:52.859180 < mta-v12.level3.mail.yahoo.com.smtp >
> 213-193-176-112.adsl.easynet.be.1052: S 665258338:665258338(0) ack
> 1313812476 win 16944 <mss 1412> (DF)
> 23:19:58.879180 < mta-v11.level3.mail.yahoo.com.smtp >
> 213-193-176-112.adsl.easynet.be.1051: R 1:1(0) ack 1 win 65535 (DF)
> 23:20:04.689180 > 213-193-176-112.adsl.easynet.be.1052 >
> mta-v12.level3.mail.yahoo.com.smtp: S 1313812475:1313812475(0) win
> 5808 <mss 1452,sackOK,timestamp 196576 0,nop,wscale 0> (DF)

> TCPDUMP without firewall:
> -------------------------
> 23:21:53.359180 > 213-193-176-112.adsl.easynet.be.1054 >
> mta-v18.level3.mail.yahoo.com.smtp: . 1:1(0) ack 1 win 5808 (DF)
> 23:21:53.719180 < mta-v18.level3.mail.yahoo.com.smtp >
> 213-193-176-112.adsl.easynet.be.1054: P 1:54(53) ack 1 win 16944 (DF)
> 23:21:53.719180 > 213-193-176-112.adsl.easynet.be.1054 >
> mta-v18.level3.mail.yahoo.com.smtp: . 1:1(0) ack 54 win 5808 (DF)
> 23:21:53.729180 > 213-193-176-112.adsl.easynet.be.1054 >
> mta-v18.level3.mail.yahoo.com.smtp: P 1:26(25)

> firewall (temp and insecure, I insist :)
> # Enable DNS
> $ipt -A INPUT   -v -p UDP --sport 53 -i ppp0 -s x.x.x.x -d $WWWIF -j ACCEPT
> $ipt -A OUTPUT  -v -p UDP --dport 53 -o ppp0 -d x.x.x.x -s $WWWIF -j ACCEPT

> # Enable SMTP - Open to the world in OUTPUT -needs securing-
> $ipt -A INPUT  -v -p TCP --dport 25 -j ACCEPT
> $ipt -A OUTPUT  -v -p TCP --dport 25 -j ACCEPT

> # Enable ICMP
> $ipt -A INPUT   -v -p ICMP -j ACCEPT
> $ipt -A OUTPUT  -v -p ICMP -j ACCEPT


Post by Edoardo Cos » Sat, 22 Dec 2001 22:09:33

Hi Tim (and the others that helped!),
I found some of the errors.  First was that the rule for smtp was
wrong: the destination port was set as a source port... Doh!

As for the fw being insecure, I know... it was just to see what the
packets were doing, but you're right, a -j LOG would have been
smarter.  I'll also have a look at ESTABLISHED and RELATED and --syn,
... ;)

I was told to also enable DNS with the TCP protocol... I thought it
only used UDP, some reading to do.

thx for all your help.
Ed.
