Sendmail and Iptables
on 27.10.2007 22:07:32 by DaWiz
I have sendmail working fine - until I turn on iptables. I have the
following lines in the filters section:
-A INPUT -p tcp -m tcp --dport 25 -j LOG
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -L -v gives:
0 0 LOG tcp -- any any anywhere anywhere
tcp dpt:smtp LOG level warning
0 0 ACCEPT tcp -- any any anywhere anywhere
tcp dpt:smtp
The messages log gives this:
Oct 27 13:37:35 fremont-county kernel: IN=eth0 OUT=
MAC=00:50:da:05:cf:70:00:14:95:85:8c:91:08:00 SRC=192.168.0.68
DST=71.39.150.58 LEN=69 TOS=0x00 PREC=0x00 TTL=127 ID=59834 DF PROTO=TCP
SPT=1732 DPT=25 WINDOW=65383 RES=0x00 ACK PSH URGP=0
As soon as I enable iptables mail is no longer accepted. Turning off the
filtering lets it work again.
All of my other ports work fine - 25 is the only problem.
Is there something else I need?
Re: Sendmail and Iptables
on 27.10.2007 22:17:33 by Mark Hansen
On 10/27/07 13:07, DaWiz wrote:
> I have sendmail working fine - until I turn on iptables. I have the
> following lines in the filters section:
> -A INPUT -p tcp -m tcp --dport 25 -j LOG
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
>
> iptables -L -v gives:
> 0 0 LOG tcp -- any any anywhere anywhere
> tcp dpt:smtp LOG level warning
> 0 0 ACCEPT tcp -- any any anywhere anywhere
> tcp dpt:smtp
>
> The messages log gives this:
> Oct 27 13:37:35 fremont-county kernel: IN=eth0 OUT=
> MAC=00:50:da:05:cf:70:00:14:95:85:8c:91:08:00 SRC=192.168.0.68
> DST=71.39.150.58 LEN=69 TOS=0x00 PREC=0x00 TTL=127 ID=59834 DF PROTO=TCP
> SPT=1732 DPT=25 WINDOW=65383 RES=0x00 ACK PSH URGP=0
>
>
> As soon as I enable iptables mail is no longer accepted. Turning off the
> filtering lets it work again.
> All of my other ports work fine - 25 is the only problem.
>
> Is there something else I need?
I'm running CentOS 4.5 (RedHat Enterprise Linux 4.5 clone) and this is all I have
in my iptables script for the sendmail server:
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s 0.0.0.0/0 -d $EXTIP --dport smtp -j ACCEPT
where $EXTIF is the external interface (eth0, eth1, etc.) and $EXTIP is the
IP address assigned to the external interface.
Re: Sendmail and Iptables
on 27.10.2007 22:41:20 by DaWiz
"Mark Hansen" wrote in message
news:13i776t4l869ld3@corp.supernews.com...
> I'm running CentOS 4.5 (RedHat Enterprise Linux 4.5 clone) and this is all
> I have
> in my iptables script for the sendmail server is:
>
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s 0.0.0.0/0 -d $EXTIP --dport smtp -j ACCEPT
>
> where $EXTIF is the external interface (eth0, eth1, etc.) and $EXTIP is
> the
> IP address assigned to the external interface.
Thanks!!! This seems to have fixed it.
Glenn Vaughn
Re: Sendmail and Iptables
on 27.10.2007 23:59:23 by Res
On Sat, 27 Oct 2007, DaWiz wrote:
>>
>> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
>> -p tcp -s 0.0.0.0/0 -d $EXTIP --dport smtp -j ACCEPT
>>
>> where $EXTIF is the external interface (eth0, eth1, etc.) and $EXTIP is
>> the
>> IP address assigned to the external interface.
>
> Thanks!!! This seems to have fixed it.
You don't need all that interface crud, the bit that stopped you working
was the --state option.
What you should have is a firewall script something like...
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s YOUR.LAN.IP.RANGE/CIDR -j ACCEPT #(eg: 1.2.3.0/24)
iptables -A INPUT -p icmp --icmp-type 13 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 14 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
...then whatever ports you want to allow
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
...and so on.
--
Cheers
Res
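The policy Res outlines above, as an added example that is not code from the thread: the same rules written as an iptables-restore file, so the whole table is swapped in one step instead of being built rule by rule after an `iptables -F` (which leaves a window with the DROP policy in force and no ACCEPT rules, and a typo halfway through the script leaves the host half-configured). The ESTABLISHED,RELATED rule is placed ahead of the per-port rules, which is what lets continuation packets such as the ACK PSH packet in the log line in the first post through, and a small check verifies that ordering before anything is loaded. `LAN_RANGE`, the log prefixes and the rate limits are constructed placeholders; `iptables-restore --test` is assumed to be available on your version.

```shell
#!/bin/sh
# Added example, not from the thread: Res's stateful policy as an
# iptables-restore ruleset, loaded atomically rather than rule by rule.
# LAN_RANGE is a constructed placeholder; set it to your own LAN.
LAN_RANGE="${LAN_RANGE:-192.168.0.0/24}"

# Emit the ruleset on stdout. Ordering matters: the ESTABLISHED,RELATED
# rule must come before the per-port rules so that mid-connection packets
# are accepted without depending on the per-port rules at all.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s ${LAN_RANGE} -j ACCEPT
-A INPUT -p icmp --icmp-type 13 -j DROP
-A OUTPUT -p icmp --icmp-type 14 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 25 -m state --state NEW -m limit --limit 10/min -j LOG --log-prefix "smtp-new: "
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-drop: "
COMMIT
EOF
}

# Return 0 if the ESTABLISHED,RELATED accept precedes the first --dport rule,
# 1 otherwise. Catches the classic mistake of appending the state rule last.
check_order() {
    gen_ruleset | awk '
        /--state ESTABLISHED,RELATED -j ACCEPT/ { est = NR }
        /--dport/ && !port { port = NR }
        END { if (est > 0 && port > 0 && est < port) exit 0; exit 1 }'
}

# Parse the ruleset without committing it (assumed: iptables-restore --test),
# then load it in one step. Needs root; only runs when APPLY_RULES=1.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset > "$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
        rc=$?
    else
        echo "ruleset rejected by iptables-restore --test, nothing changed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

if [ "${APPLY_RULES:-0}" = "1" ]; then
    check_order || { echo "rule ordering wrong, refusing to load" >&2; exit 1; }
    apply_ruleset
fi
```

Run it with `APPLY_RULES=1 sh firewall.sh` as root to load the rules; without that variable it only defines the functions, so `sh -c '. ./firewall.sh; gen_ruleset'` lets you review the generated file first. The two LOG rules are rate limited so that a scan or a mail flood cannot fill /var/log/messages the way an unlimited `-j LOG` on port 25 would.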
Re: Sendmail and Iptables
on 28.10.2007 12:37:15 by oskar.1996
Mark Hansen writes:
> On 10/27/07 13:07, DaWiz wrote:
>> I have sendmail working fine - until I turn on iptables. I have the
>> following lines in the filters section:
>> -A INPUT -p tcp -m tcp --dport 25 -j LOG
>> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
>>
>> iptables -L -v gives:
>> 0 0 LOG tcp -- any any anywhere anywhere
>> tcp dpt:smtp LOG level warning
>> 0 0 ACCEPT tcp -- any any anywhere anywhere
>> tcp dpt:smtp
>>
>> The messages log gives this:
>> Oct 27 13:37:35 fremont-county kernel: IN=eth0 OUT=
>> MAC=00:50:da:05:cf:70:00:14:95:85:8c:91:08:00 SRC=192.168.0.68
>> DST=71.39.150.58 LEN=69 TOS=0x00 PREC=0x00 TTL=127 ID=59834 DF PROTO=TCP
>> SPT=1732 DPT=25 WINDOW=65383 RES=0x00 ACK PSH URGP=0
>>
>>
>> As soon as I enable iptables mail is no longer accepted. Turning off the
>> filtering lets it work again.
>> All of my other ports work fine - 25 is the only problem.
>>
>> Is there something else I need?
>
> I'm running CentOS 4.5 (RedHat Enterprise Linux 4.5 clone) and this is all I have
> in my iptables script for the sendmail server is:
>
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s 0.0.0.0/0 -d $EXTIP --dport smtp -j ACCEPT
>
> where $EXTIF is the external interface (eth0, eth1, etc.) and $EXTIP is the
> IP address assigned to the external interface.