Ipchains Blocking SMTP Relay to internal Email Server

Status
Not open for further replies.

millap (IS-IT--Management, GB), Jun 13, 2001
Hi all,

I wonder if anyone can help me. I have a Mandrake SNF 7.2 Firewall with Postfix installed to provide mail relaying services going both ways (internal > external and external > internal). The relay out to the internet works like a dream, however, mail received by the postfix service to forward to our internal Exchange server is being deferred in the postfix queue.

When I check syslog I see the following entry.

Packet log: input DENY eth0 PROTO=6 129.1.1.156:25 129.1.1.100:3693 L=40 S=0x00 I=40321 F=0x4000 T=128 (#32)

129.1.1.100 is the internal NIC of the Firewall
129.1.1.156 is the Exchange box.

From the firewall itself I can telnet out to SMTP servers on the internet, but I can't telnet to port 25 on the Exchange box. It just sits there, not even timing out. Internally, I can't telnet to anything from the Firewall, which tells me I've denied internal telnet somewhere along the line.

Can anyone help with the Ipchains commands necessary to solve this?

Thanks
 

Try ipchains -A input -i eth0 -s 129.1.1.0/8 -d 129.1.1.100 -j ACCEPT

It looks like you can telnet out of the box but the others can't reply back.

Hope it helps...

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
Hi Henrik,

Thanks for the reply.

No, it still times out on telnet to port 25.

I can't even telnet to internal Jetdirect boxes from the Firewall..

Would it help if I sent through the output of ipchains -L?

Andy
 

Yes it would. Thanks

Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
Here it comes :p

Chain input (policy DENY):
target prot opt source destination ports
ACCEPT icmp ------ anywhere anywhere fragmentation-needed
- tcp -y--l- anywhere anywhere any -> ssh
- tcp -y--l- anywhere anywhere any -> smtp
- tcp -y--l- anywhere anywhere any -> pop3
- tcp -y--l- anywhere anywhere any -> telnet
- tcp -y--l- anywhere anywhere any -> domain
- icmp ----l- anywhere anywhere echo-request
DENY all ----l- BASE-ADDRESS.MCAST.NET/4 anywhere n/a
DENY all ----l- anywhere 129.1.0.0/16 n/a
DENY all ----l- 129.1.0.0/16 anywhere n/a
DENY all ----l- anywhere 129.1.0.0/16 n/a
DENY all ----l- 129.1.0.0/16 anywhere n/a
ACCEPT all ------ anywhere anywhere n/a
ACCEPT tcp ------ anywhere mailgate.heritagebathrooms.com any -> ssh
ACCEPT tcp ------ anywhere mailgate.heritagebathrooms.com any -> pop3
ACCEPT tcp ------ anywhere mailgate.heritagebathrooms.com any -> https
ACCEPT tcp ------ anywhere mailgate.heritagebathrooms.com any -> smtp
ACCEPT tcp ------ anywhere mailgate.heritagebathrooms.com any -> 800
ACCEPT tcp ------ anywhere mailgate.heritagebathrooms.com any -> 8443
ACCEPT icmp ------ anywhere anywhere any -> any
ACCEPT tcp ------ anywhere anywhere any -> https
ACCEPT tcp ------ anywhere anywhere any -> smtp
ACCEPT tcp ------ anywhere anywhere any -> pop3
ACCEPT tcp !y---- anywhere anywhere any -> any
ACCEPT icmp ------ anywhere anywhere destination-unreachable
ACCEPT icmp ------ anywhere anywhere echo-reply
ACCEPT icmp ------ anywhere anywhere time-exceeded
DENY icmp ----l- anywhere anywhere any -> any
DENY udp ----l- anywhere anywhere any -> 2049
ACCEPT udp ------ cache-2.ns.demon.net anywhere domain -> 1024:65535
ACCEPT udp ------ no-dns-yet.demon.co.uk anywhere domain -> 1024:65535
DENY all ----l- anywhere mailgate.heritagebathrooms.com n/a
DENY tcp ------ anywhere mailgate.heritagebathrooms.com any -> any
DENY udp ------ anywhere mailgate.heritagebathrooms.com any -> any
REDIRECT tcp ------ 129.1.0.0/16 anywhere any -> 800
ACCEPT tcp ------ 129.1.0.0/16 anywhere any -> any
ACCEPT tcp ------ 129.1.0.0/16 anywhere any -> domain
ACCEPT udp ------ 129.1.0.0/16 anywhere any -> any
ACCEPT udp ------ 129.1.0.0/16 anywhere any -> domain
DENY all ----l- 129.1.0.0/16 anywhere n/a
DENY all ----l- anywhere anywhere n/a
ACCEPT all ------ 129.0.0.0/8 mailgate.heritagebathrooms.com n/a
Chain forward (policy DENY):
target prot opt source destination ports
DENY tcp ----l- anywhere anywhere netbios-ns:netbios-ssn -> any
DENY udp ----l- anywhere anywhere netbios-ns:netbios-ssn -> any
MASQ all ------ 129.1.0.0/16 anywhere n/a
DENY all ----l- anywhere anywhere n/a
Chain output (policy ACCEPT):
target prot opt source destination ports
ACCEPT icmp ------ anywhere anywhere fragmentation-needed
ACCEPT icmp ------ anywhere anywhere any -> any
 

OK, my rule wasn't correct for your setup and it went in at the wrong place.

Try

ipchains -I input -i eth0 -s 129.0.0.0/24 -d 129.1.1.100 -j ACCEPT

I assume 129.0.0.0/24 is your internal network address/mask?

Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
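To make the log line from the first post and Henrik's corrected command concrete, here is an added example (mine, not code from any of the posts): it parses an ipchains "Packet log:" entry into its fields using the layout documented for 2.2 kernels, applies the reply-direction reading Henrik gave ("you can telnet out of the box but the others can't reply back") as a heuristic, and prints the -I rule for that entry. The firewall address (129.1.1.100) and the internal prefix (129.0.0.0/8) are the values stated in the thread; everything else is my assumption.

```python
import ipaddress
import re

# The kernel log line from the first post in this thread (not constructed).
SAMPLE_LOG = ("Packet log: input DENY eth0 PROTO=6 129.1.1.156:25 129.1.1.100:3693 "
              "L=40 S=0x00 I=40321 F=0x4000 T=128 (#32)")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Field layout of an ipchains "Packet log:" entry (2.2 kernels):
#   <chain> <target> <interface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<ip total length> S=0x<tos> I=<ip id> F=0x<fragment flags+offset> T=<ttl>
#   [SYN] (#<number of the rule that matched>)
# For ICMP the two "port" fields carry the ICMP type and code instead.
_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)


def parse_packet_log(line):
    """Split one ipchains log line into typed fields, decoding the IP fragment word."""
    m = _LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line: %r" % line)
    frag = int(m["frag"], 16)
    return {
        "chain": m["chain"],
        "target": m["target"],
        "iface": m["iface"],
        "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["length"]),
        "tos": int(m["tos"], 16),
        "ipid": int(m["ipid"]),
        "df": bool(frag & 0x4000),        # Don't Fragment bit (0x4000 in the sample)
        "mf": bool(frag & 0x2000),        # More Fragments bit
        "frag_offset": frag & 0x1FFF,     # offset in 8-byte units
        "ttl": int(m["ttl"]),
        "syn": m["syn"] is not None,      # kernel marks packets that pass the -y (SYN-only) test;
                                          # absent in the sample, consistent with a reply packet
        "rule": int(m["rule"]),           # 1-based position of the matching rule in ipchains -L
    }


def looks_like_reply(entry, firewall_addrs):
    """Henrik's reading of the log as a heuristic: the packet is addressed to the firewall
    itself, comes from a well-known service port and goes to an ephemeral port, so it is
    most likely the return half of a connection the firewall opened (here: the Exchange
    box answering the firewall's SMTP connect). The log carries no TCP flags beyond the
    SYN marker, so this cannot be proven from the line alone."""
    return (entry["dst"] in firewall_addrs
            and entry["sport"] < 1024
            and entry["dport"] >= 1024)


def allow_reply_rule(entry, internal_net):
    """Build the command from Henrik's second post for this log entry. -I inserts at
    position 1 of the chain, so the ACCEPT is evaluated before the chain's DENY rules;
    the earlier -A version appended it after them, where the packet never reached it,
    because ipchains stops at the first matching rule."""
    net = ipaddress.ip_network(internal_net, strict=False)  # 129.1.1.0/8 -> 129.0.0.0/8
    return ("ipchains -I %s -i %s -s %s -d %s -j ACCEPT"
            % (entry["chain"], entry["iface"], net.with_prefixlen, entry["dst"]))


if __name__ == "__main__":
    entry = parse_packet_log(SAMPLE_LOG)
    for key, value in entry.items():
        print("%-12s %s" % (key, value))
    # Firewall address and internal prefix as stated in the thread.
    print("reply to firewall?", looks_like_reply(entry, {"129.1.1.100"}))
    print(allow_reply_rule(entry, "129.0.0.0/8"))
```

Note that `ipchains -L` without `-v` does not show the interface a rule is bound to, so a listing alone does not tell you whether an anti-spoofing DENY applies to eth0; the `(#32)` in the log is the authoritative pointer to the rule that dropped the packet.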
 
Thanks Henrik, you're a guru.

The internal netmask is 129.0.0.0/8 (we have subnets over the WAN, i.e. 129.3.0.0, 129.4.0.0, etc.). I've entered your command, supplanting the /24 with /8, and it works like a dream.

Do you have any recommended sites for dummies who need to configure ipchains. I've managed to setup most of the config using the SNF web management but I'd love to know more. Especially to stop pestering ppl like yourself :p

Thanks again.
Andy
 
Hiya Henrik,

Sorry to bother you again.

The ipchains command you've provided is still working well, however, it seems to lose the command every time I reboot the box. Is there a way of making it permanent?

Andy
 
Daniel,

Thanks for the reply.

No such file in that directory....

Andy
 

Somewhere under your /etc directory there should be a rc.sysconfig or rc.local file. Put the lines in there.

Don't know Mandrake though, so I could be mistaken ;)

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
Hey Guys,
I have a Linux box running RH7.3 hosting my own domain. I am trying to configure the server to accept mail from external sources, but the SMTP port does not respond. I can telnet to the SMTP port (25) locally from a terminal session on the server and get the correct response from sendmail, but when I try it from an external machine I get an error saying the server actively refused the connection. Also, when I do a port scan of the server, there is no response from the SMTP port (25). I even went as far as to install a newer version of sendmail, but I get the same response. Does anyone have any suggestions?

Thanks in advance

devo
 
Hiya Devo

Is this a gateway box, i.e. running as a firewall with sendmail as a service?

Are you running ipchains on this box?

If yes, have you set up a rule to allow incoming SMTP connections?

Andy
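Devo's symptom (sendmail answers on the box itself, outsiders get "actively refused", a scan sees nothing) and Andy's earlier "it just sits there" are different outcomes of a TCP connect, and telling them apart is the first check before touching any chain. The following is an added example, not code from the thread: a small probe that classifies a connect attempt, reads the SMTP greeting when the connection gets through, and maps the pair of results (loopback vs. the address outsiders use) to the next thing to look at. The loopback listener and the "220 mail.example.test" greeting are constructed stand-ins for the self-test; the interpretation is general TCP reasoning, not a diagnosis of either poster's box.

```python
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt: 'open', 'refused', 'timeout' or 'unreachable'.
    refused  = a RST or ICMP port-unreachable came back: nothing is listening on that
               address:port, or a REJECT rule in the path answered for it
    timeout  = nothing came back at all: a DENY/DROP rule, or replies not routed back
               (the 'just sits there, not even timing out' behaviour from the first post)"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:                 # EHOSTUNREACH, ENETUNREACH, ...
        return "unreachable"
    finally:
        s.close()


def smtp_banner(host, port, timeout=3.0):
    """Connect and return the MTA's greeting; a working server sends a 220 line before
    the client says anything, so no SMTP conversation is needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", "replace").strip()


def interpret(loopback, outside):
    """Map (result on 127.0.0.1, result on the address outsiders use) to the next check."""
    if loopback != "open":
        return "daemon not reachable even on loopback (%s): look at the service itself" % loopback
    if outside == "open":
        return "reachable both ways: if mail still fails, the MTA configuration is the suspect, not the path"
    if outside == "refused":
        return ("answers on loopback but the outside address gets RST/port-unreachable: check the "
                "daemon's bind address (is it listening on that interface?) and for a REJECT rule in between")
    if outside == "timeout":
        return "daemon is up but packets to the outside address get no reply: a DENY rule or a missing return route"
    return "outside address %s: fix routing/reachability before looking at the filter" % outside


def local_listener(banner=None):
    """Self-test helper (constructed): loopback listener on a random port that, if given
    a banner, greets every client with it the way an MTA would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    if banner is not None:
        def serve():
            while True:
                try:
                    conn, _ = srv.accept()
                except OSError:
                    return          # listener shut down
                with conn:
                    try:
                        conn.sendall(banner.encode("ascii") + b"\r\n")
                    except OSError:
                        pass        # client already gone
        threading.Thread(target=serve, daemon=True).start()
    return srv


def stop_listener(srv):
    """Stop listening so further connects are refused (shutdown also wakes a blocked accept)."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


if __name__ == "__main__":
    mta = local_listener("220 mail.example.test ESMTP ready")   # constructed stand-in MTA
    port = mta.getsockname()[1]
    print("while listening:", probe_tcp("127.0.0.1", port), "/", smtp_banner("127.0.0.1", port))
    stop_listener(mta)
    print("after shutdown: ", probe_tcp("127.0.0.1", port))
    print(interpret("open", "refused"))
```

Run `probe_tcp` once from the server against 127.0.0.1 and once from an outside host against the public address; the two results together say whether to look at the daemon, at a REJECT/DENY rule, or at routing. A port scanner reporting "no response" corresponds to the timeout case, not to refused.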
 
millap,

You can try the built-in ipchains script in Mandrake/RedHat:

# ipchains-save
or
# ipchains-save > [filename], if you want to have different rulesets.

Then just use # ipchains-restore < [filename], if you want to restore a different set.

Hope this helps.
 
Thanks beyspleyer, all sorted.

Andy
 