Warning

 

Close
Confirm Action

Are you sure you wish to do this?

Cancel Confirm
11310 Online
bravocompany bravocompany bravocompany
brownells brownells
tnvc tnvc tnvc
AR15.COM
bravocompany
My Account
bravocompany bravocompany bravocompany
brownells brownells
tnvc tnvc tnvc
Holosun
vortex
palmetto
colt
GS
magpul
primaryArms
silencerShop
skd
brownells
geissele
fightlite
aim
RS
cz
JRH
midwest
bravocompany
Guns
springfield
DFC
OSIGHT
11310 Online
DFC
colt
fightlite
aim
geissele
cz
magpul
JRH
springfield
bravocompany
OSIGHT
skd
midwest
RS
Holosun
palmetto
primaryArms
vortex
GS
Guns
brownells
silencerShop
Sponsor News Introducing TNVC's NEW and Exclusive Filmed SuperGain (FSG) and Chimera Panoramic Goggle Giveaway!
Site News The People of Virginia VS Grabigial BanBerger | ARFCOM News
5/8/2010 7:23:47 PM EDT
I'm pulling my hair out here and could really use some help.  I've got a CentOS 5 computer that I'm trying to setup with postfix and dovecot for authenticated relay.



I think I've got it setup, but I'm having problems with IPTables.  Here's what I've got now:



# iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

RH-Firewall-1-INPUT  all  ––  anywhere             anywhere

ACCEPT     tcp  ––  anywhere             anywhere            tcp dpt:https

ACCEPT     tcp  ––  anywhere             anywhere            tcp dpt:http



Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

RH-Firewall-1-INPUT  all  ––  anywhere             anywhere



Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination



Chain RH-Firewall-1-INPUT (2 references)

target     prot opt source               destination

ACCEPT     tcp  ––  anywhere             anywhere            tcp dpt:ftp

ACCEPT     tcp  ––  anywhere             anywhere            tcp dpt:https

ACCEPT     tcp  ––  anywhere             anywhere            tcp dpt:http

ACCEPT     tcp  ––  anywhere             anywhere            tcp dpt:smtp

ACCEPT     all  ––  anywhere             anywhere

ACCEPT     icmp ––  anywhere             anywhere            icmp any

ACCEPT     udp  ––  anywhere             224.0.0.251         udp dpt:mdns

ACCEPT     all  ––  anywhere             anywhere            state RELATED,ESTABLISHED

ACCEPT     tcp  ––  anywhere             anywhere            state NEW tcp dpt:ssh

REJECT     all  ––  anywhere             anywhere            reject-with icmp-host-prohibited





To me, the line "ACCEPT     all  ––  anywhere             anywhere" really seems wrong, but that isn't in /etc/sysconfig/iptables



Also, I'm not able to even telnet 127.0.0.1 25



What am I doing wrong?



Thanks
5/8/2010 7:44:08 PM EDT
[#1]
Turns out I had a postfix config problem that was causing the inability to connect to the SMTP server.  I would still love to know if that allow rule is correct though.



Thanks
5/8/2010 7:45:44 PM EDT
[#2]
Are you running a mail server? cause port 25 is the SMTP server



Edit: Never mind, answered, I was too slow





 
5/8/2010 7:50:25 PM EDT
[#3]



Quoted:


Are you running a mail server? cause port 25 is the SMTP server



Edit: Never mind, answered, I was too slow


 


I'm trying to.  




I'm so much better with Exchange, but this relay needs to be on Linux.



 
5/8/2010 7:51:53 PM EDT
[#4]
They look alright. Its allowing ftp, http, https, ssh, smtp, from anywhere.





-Foxxz
5/8/2010 7:55:12 PM EDT
[#5]
Can you do an iptables -L -n -v?
You are missing some details that may be important.
5/8/2010 7:55:59 PM EDT
[#6]





Quoted:



Can you do an iptables -L -n -v?


You are missing some details that may be important.



~]# iptables -L -n -v


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)


pkts bytes target     prot opt in     out     source               destination


  61  5608 fail2ban-SSH  tcp  ––  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22


  95 10668 RH-Firewall-1-INPUT  all  ––  *      *       0.0.0.0/0            0.0.0.0/0


   0     0 ACCEPT     tcp  ––  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443


   0     0 ACCEPT     tcp  ––  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80





Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)


pkts bytes target     prot opt in     out     source               destination


   0     0 RH-Firewall-1-INPUT  all  ––  *      *       0.0.0.0/0            0.0.0.0/0





Chain OUTPUT (policy ACCEPT 97 packets, 10789 bytes)


pkts bytes target     prot opt in     out     source               destination





Chain RH-Firewall-1-INPUT (2 references)


pkts bytes target     prot opt in     out     source               destination


   0     0 ACCEPT     tcp  ––  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21


   0     0 ACCEPT     tcp  ––  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443


   0     0 ACCEPT     tcp  ––  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80


   3   149 ACCEPT     tcp  ––  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25


   0     0 ACCEPT     all  ––  lo     *       0.0.0.0/0            0.0.0.0/0


   0     0 ACCEPT     icmp ––  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255


   0     0 ACCEPT     udp  ––  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353


  91 10471 ACCEPT     all  ––  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED


   1    48 ACCEPT     tcp  ––  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22


   0     0 REJECT     all  ––  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited





Chain fail2ban-SSH (1 references)


pkts bytes target     prot opt in     out     source               destination


  61  5608 RETURN     all  ––  *      *       0.0.0.0/0            0.0.0.0/0
Thanks





 
5/8/2010 7:59:35 PM EDT
[#7]
So your allow any/any rule is limited to the loopback interface.
I don't like using the same rulebase for INPUT and FORWARD, but it should work fine.  Some people prefer to DROP rather than reject-with, personal pref IMO.
5/8/2010 8:11:58 PM EDT
[#8]
Thank you for clearing that up for me.  I was worried.



-Mike
cmmg
Pro2A
ar15com
primaryArms
Faxxon
SAS
palmetto
THBRD
ar15com
colt
LAPG
gray
CA
fightlite
LAPG
geissele
bravocompany
blackhills
RS
ar15com
silencerShop
springfield