Remote SMTP servers no longer accessible - help please!

on 22.11.2004 05:45:00 by igrover

Hello everyone,

I have a common network configuration: NAT'd Windows/Linux clients
that access the Internet through an iptables firewall/gateway.

My situation is this: I was using a self-modified version of the
firewall script below for several months, and I modified it perhaps
too much trying to get a P2P client to work, and broke my ability to
access remote SMTP servers. I can access the POP3 daemons on those
same servers, but no SMTP access whatsoever.

Theorizing that my modifications were to blame, I resorted to the
original firewall script I was using before modifications. However, I
still can't access any SMTP servers. The SMTP servers are with
different companies in different parts of North America, my IP is
*not* listed with any DNSBL services, and web browsing and FTP access
have been unaffected by this unfortunate change.

I would appreciate some insight as to why I am experiencing this most
perplexing dilemma. Or at least some other avenues to pursue to try
and resolve this issue. And if you need more details or clarification
on something I've said, don't hesitate to ask. I'm more than willing
to help you help me. =)

Thank you in advance,
Isaac

#!/bin/bash
# omato-firewall.sh v2.0
# Author: jordan_harkness @ hotmail.com
#
echo 1 > /proc/sys/net/ipv4/ip_forward
# location of iptables command
ipt=/sbin/iptables
#
# Interfaces
# Be sure to be accurate when defining these interfaces.
# ext is your external card, likely ppp0 for DSL or eth1 for cable
lo=lo
ext=ppp0
int=eth0
#
# Spoofing protection. List all networks and IP addresses that should
# NOT exist in the real world.
#
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 255.255.255.255"
#
# List all ports to open ON your firewall
#
tcp_ports="22"
udp_ports=""
#
# These logging options will be used for all logged packets
#
logops="--log-level=3 -m limit --limit 1/second --limit-burst=3"
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################

################################################################################
# Set policies and delete, flush and zero chains
################################################################################
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
for table in filter nat mangle
do
    $ipt -t $table -F # flush
    $ipt -t $table -X # delete
    $ipt -t $table -Z # zero
done
################################################################################

################################################################################
# BAD_IP
# Check and log all spoofed IP's from external hosts.
# !! Only call from external interface !!
################################################################################
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
$ipt -N SPOOF
for spf in $spoofed
do
    $ipt -A SPOOF -s $spf -j BAD_IP
done
################################################################################

################################################################################
################################################################################
################################################################################
################################################################################
################################################################################

################################################################################
# IN_NETWORK
# These packets are entering our network
# 1. Allow related and established connections
# 2. Allow ICMP packets
# 3. Deny everything else.
################################################################################
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p icmp -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP
################################################################################

################################################################################
# OUT_NETWORK
# These packets are leaving our network!
# 1. Allow all packets to leave our current network because we trust our users
################################################################################
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -i $int -j ACCEPT
$ipt -A OUT_NETWORK -j LOG --log-prefix "IPT: OUT_NETWORK: " $logops
$ipt -A OUT_NETWORK -j DROP
################################################################################

################################################################################
# EXT_FIREWALL
# Packets entering firewall machine
# 1. Allow established and related connections
# 2. Allow new connections on specified ports
# 3. Log and Drop everything else
################################################################################
$ipt -N EXT_FIREWALL
$ipt -A EXT_FIREWALL -m state --state INVALID -j DROP
$ipt -A EXT_FIREWALL -j SPOOF
$ipt -A EXT_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -p icmp -j ACCEPT
#
# Open ports
#
for tcp_p in $tcp_ports
do
    $ipt -A EXT_FIREWALL -p tcp --dport $tcp_p -m state --state NEW -j ACCEPT
done
for udp_p in $udp_ports
do
    $ipt -A EXT_FIREWALL -p udp --dport $udp_p -m state --state NEW -j ACCEPT
done
$ipt -A EXT_FIREWALL -j LOG --log-prefix "IPT: EXT_FIREWALL: " $logops
$ipt -A EXT_FIREWALL -j DROP
################################################################################

################################################################################
# INT_FIREWALL
# Connections from internal LAN
# 1. Allow all connections from the internal machines because they are trusted
################################################################################
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j ACCEPT
################################################################################

################################################################################
################################################################################
################################################################################
################################################################################
################################################################################

################################################################################
# Main Rules
# 1. Allow all loopback traffic. This is safe.
# 2. Send internal connections to INT_FIREWALL chain
# 3. Send external connections to EXT_FIREWALL chain
# 4. Send connections entering LAN to IN_NETWORK
# 5. Send connections leaving LAN to OUT_NETWORK
# 6. Do not modify packets leaving computer to improve performance. It's safe.
################################################################################
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $int -j INT_FIREWALL
$ipt -A INPUT -i $ext -j EXT_FIREWALL
$ipt -A FORWARD -i $ext -j IN_NETWORK
$ipt -A FORWARD -i $int -j OUT_NETWORK
# $ipt -A OUTPUT -i lo -j ACCEPT
# $ipt -A OUTPUT -i $int -j ACCEPT
# $ipt -A OUTPUT -i $ext -j ACCEPT
################################################################################

################################################################################
# Masquerading
# Turn on Masquerading and port forwarding
################################################################################
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
################################################################################


Re: Remote SMTP servers no longer accessible - help please!

on 22.11.2004 09:12:27 by Tauno Voipio

Isaac Grover wrote:
> Hello everyone,
>
> I have a common network configuration: NAT'd Windows/Linux clients
> that access the Internet through an iptables firewall/gateway.
>
> My situation is this: I was using a self-modified version of the
> firewall script below for several months, and I modified it perhaps
> too much trying to get a P2P client to work, and broke my ability to
> access remote SMTP servers. I can access the POP3 daemons on those
> same servers, but no SMTP access whatsoever.
>

Pretty many SMTP servers want to use the IDENT protocol
on the incoming connection, due to the current sad state
of spamming.

Try opening the TCP port 113 (auth, tap, ident) for incoming
connections.

HTH

--

Tauno Voipio
tauno voipio (at) iki fi

Re: Remote SMTP servers no longer accessible - help please!

on 22.11.2004 14:27:02 by Woody

Many ISPs block access to all SMTP servers but their own.


"Tauno Voipio" wrote in message
news:Lbhod.58$ox5.48@read3.inet.fi...
> Isaac Grover wrote:
>> Hello everyone,
>>
>> I have a common network configuration: NAT'd Windows/Linux clients
>> that access the Internet through an iptables firewall/gateway.
>>
>> My situation is this: I was using a self-modified version of the
>> firewall script below for several months, and I modified it perhaps
>> too much trying to get a P2P client to work, and broke my ability to
>> access remote SMTP servers. I can access the POP3 daemons on those
>> same servers, but no SMTP access whatsoever.
>>
>
> Pretty many SMTP servers want to use the IDENT protocol
> on the incoming connection, due to the current sad state
> of spamming.
>
> Try opening the TCP port 113 (auth, tap, ident) for incoming
> connections.
>
> HTH
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi
>

Re: Remote SMTP servers no longer accessible - help please!

on 22.11.2004 16:40:57 by badnews

On 21 Nov 2004 20:45:00 -0800, Isaac Grover spoketh

>Hello everyone,
>
>I have a common network configuration: NAT'd Windows/Linux clients
>that access the Internet through an iptables firewall/gateway.
>
>My situation is this: I was using a self-modified version of the
>firewall script below for several months, and I modified it perhaps
>too much trying to get a P2P client to work, and broke my ability to
>access remote SMTP servers. I can access the POP3 daemons on those
>same servers, but no SMTP access whatsoever.
>

Check your logs. It's going to be infinitely more useful to see what
your firewall logs say whenever an outbound SMTP connection is made.
Also check what the logs of your mail program say (i.e. sendmail or
whatever you're running). There would usually be some clue there.


Your configuration says to allow everything outbound, and any return
packets matching an established connection, so it would be better to
actually see the logs...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
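The log check Lars describes, as an added example that is not part of the thread: a small POSIX shell helper that summarises the "IPT: <CHAIN>: " lines the posted script logs before dropping, so the chain that is eating SMTP traffic shows up at a glance. The log lines are constructed for illustration (documentation address ranges); chain names and log prefixes are the posted script's.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise the "IPT: <CHAIN>: "
# log lines the posted omato-firewall script emits right before a DROP.
# To run over a real log, replace "sample_log" with: cat /var/log/messages

# Constructed sample of kernel log lines in iptables LOG format.
# Addresses are documentation ranges, not real hosts.  Line 1 is the kind
# of entry that would explain the symptom: the remote server's SYN/ACK
# from port 25 reached IN_NETWORK without an ESTABLISHED match and was
# dropped.  Lines 2-3 are inbound ident probes being silently dropped;
# line 4 is unrelated noise.
sample_log() {
cat <<'EOF'
Nov 22 05:40:01 gw kernel: IPT: IN_NETWORK: IN=ppp0 OUT=eth0 SRC=198.51.100.25 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1121 DF PROTO=TCP SPT=25 DPT=1034 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Nov 22 05:40:03 gw kernel: IPT: EXT_FIREWALL: IN=ppp0 OUT= SRC=198.51.100.25 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1122 DF PROTO=TCP SPT=34567 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 05:40:09 gw kernel: IPT: EXT_FIREWALL: IN=ppp0 OUT= SRC=198.51.100.25 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1123 DF PROTO=TCP SPT=34568 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 05:41:15 gw kernel: IPT: IN_NETWORK: IN=ppp0 OUT=eth0 SRC=198.51.100.80 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=TCP SPT=80 DPT=1035 WINDOW=0 RES=0x00 RST URGP=0
EOF
}

# Count logged (and therefore dropped) packets for one chain and one
# FIELD=VALUE pair, e.g.  count_logged IN_NETWORK SPT=25
count_logged() {
  grep "IPT: $1: " | grep -c " $2 " || true
}

# Per-chain totals: which chain is doing the dropping.
chain_totals() {
  sed -n 's/.*IPT: \([A-Z_ ]*\): .*/\1/p' | sort | uniq -c | sort -rn
}

sample_log | chain_totals
echo "server replies from port 25 dropped inbound:  $(sample_log | count_logged IN_NETWORK SPT=25)"
echo "client SYNs to port 25 dropped outbound:     $(sample_log | count_logged OUT_NETWORK DPT=25)"
echo "inbound ident (113) probes dropped:          $(sample_log | count_logged EXT_FIREWALL DPT=113)"
```

A non-zero count on the first line points at state tracking on the return path; a non-zero third line is the ident timeout situation the other replies describe.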

Re: Remote SMTP servers no longer accessible - help please!

on 23.11.2004 11:15:59 by stephane nasdrovisky

Woody wrote:
> Many ISPs block access to all SMTP servers but their own..
> "Tauno Voipio" wrote
>
>>Isaac Grover wrote:
>>
>>>I can access the POP3 daemons on those
>>>same servers, but no SMTP access whatsoever.
>>>
>>Pretty many SMTP servers want to use the IDENT protocol
>>Try opening the TCP port 113 (auth, tap, ident)

When the ident protocol is silently dropped, SMTP, FTP and other protocols
may become very slow; rejecting this protocol will avoid timeout-related
issues. Accepting this protocol is another solution.

Usually, ISPs only block port 25 (in order to reduce spam/viruses). For
email submission, you may use port 587 (it sometimes requires some
server/firewall config; the protocol on port 587 is similar to SMTP on
port 25, authentication is often required, and I would suggest using
authentication and encryption on this service). Here is a link for
reference: http://www.faqs.org/rfcs/rfc2476.html

3. Message Submission
3.1. Submission Identification

Port 587 is reserved for email message submission ... The protocol
used is ESMTP [SMTP-MTA, ESMTP], with
additional restrictions as specified here.

While most email clients and servers can be configured to use port
587 instead of 25, ... , by designating some hosts to be MSAs ...
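The two ways of handling inbound ident that Tauno and Stephane propose, written as an added example against the posted script's EXT_FIREWALL chain and $ipt variable (not code from the thread). It assumes the chain still begins with the posted script's four rules (INVALID drop, SPOOF, ESTABLISHED/RELATED, ICMP), so inserting at position 5 lands ahead of the "Open ports" rules and the LOG/DROP tail.

```shell
#!/bin/sh
# Added example, not part of the posted script.  Two ways to handle the
# inbound ident (TCP 113) probe a remote MTA sends back when a LAN client
# opens an SMTP session.  In the posted script that probe falls through
# to EXT_FIREWALL's final LOG/DROP, so the MTA waits out its ident
# timeout before talking SMTP.
ipt="${ipt:-/sbin/iptables}"

# Rules 1-4 of EXT_FIREWALL in the posted script are INVALID-drop, SPOOF,
# ESTABLISHED/RELATED and ICMP; position 5 keeps those in front.
POS=5

# Option A (Tauno): accept the probe.  Only useful if an identd is
# actually listening on the gateway; with nothing bound to 113 the
# kernel answers an accepted SYN with a RST anyway.
ident_accept() {
  $ipt -I EXT_FIREWALL $POS -p tcp --dport 113 -m state --state NEW -j ACCEPT
}

# Option B (Stephane): reject with a TCP RST so the remote MTA gives up
# on ident at once.  No identd needed, and no log noise from the DROP tail.
ident_reject() {
  $ipt -I EXT_FIREWALL $POS -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# Port 587 (submission) needs no firewall change here: OUT_NETWORK accepts
# everything arriving on $int, so only the mail client's server port
# (and its authentication/TLS settings) has to change.

# Dry run:   ipt=echo sh this_file.sh   then call ident_reject
# Real run:  leave ipt at /sbin/iptables and call exactly one of the two.
```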