Hi all, hoping someone here can help me out as I can’t seem to understand what the issue is.
I have a server that runs a mail server on port 25, let's call it XXX. Mail to this server is only allowed on port 25 from the mail scanning server called ZZZ.
When the local server XXX sends the ACK FIN to acknowledge the client side's request to terminate, it works fine since I allow anything outbound. The problem is when the remote side sends the ACK FIN: it passes all my iptables rules and gets rejected.
Jan 16 12:23:03 pop kernel: GOING OUT: in= OUT=eth0 SRC=XXX DST=ZZZ LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51011 DF PROTO=TCP SPT=25 DPT=35322 WINDOW=5792 RES=0x00 ACK FIN URGP=0
Jan 16 12:23:07 pop kernel: COMING IN AND REJECTED: IN=eth0 OUT= MAC=00:13:72:f7:d2:13:00:03:a0:0b:04:70:08:00 SRC=ZZZ DST=XXX LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=13994 DF PROTO=TCP SPT=60919 DPT=25 WINDOW=63 RES=0x00 ACK FIN URGP=0
Here are my firewall rules. I'm hoping anyone can tell me how I can fix this or what I'm doing wrong.
/etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -p tcp --dport 3410 -j DROP
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -p tcp --sport 10000 -j DROP
# accept anything established
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept anything new on 25
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m limit --limit 15/minute -j LOG --log-level warning --log-prefix " COMING IN AND REJECTED: "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
iptables -vL output
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3154K 1566M RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 3357K packets, 2113M bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
307K 266M ACCEPT all -- lo any anywhere anywhere
152 9069 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT ipv6-crypt-- any any anywhere anywhere
0 0 ACCEPT ipv6-auth-- any any anywhere anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:3410
30 1536 DROP tcp -- any any anywhere anywhere tcp spt:10000
2617K 1289M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
28525 1709K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
0 0 REJECT udp -- any any anywhere anywhere udp dpt:netbios-ns reject-with icmp-port-unreachable
0 0 REJECT udp -- any any anywhere anywhere udp dpt:netbios-dgm reject-with icmp-port-unreachable
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
0 0 REJECT udp -- any any anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
2800 171K LOG all -- any any anywhere anywhere limit: avg 15/min burst 5 LOG level warning prefix ` COMING IN AND REJECTED: '
5201 317K REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Thanks in advance, P
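Added example, not part of the post above: a small Python parser for netfilter LOG lines in the format quoted in the post, which groups logged packets by connection and, for each packet logged as rejected, reports whether an earlier logged packet belonged to the same connection and what conntrack would make of it. Run on the two lines from the post it shows that they carry different client ports (35322 on the outbound FIN, 60919 on the rejected inbound FIN/ACK), so they are two different connections, and that an inbound FIN for a connection conntrack no longer holds an entry for is classified INVALID rather than NEW (a FIN cannot open a conntrack entry), which is why such a packet matches neither the ESTABLISHED,RELATED rule nor the NEW rule and falls through to the LOG and REJECT rules. Assumptions: XXX and ZZZ are kept as the placeholder addresses the post uses, the year for timestamp parsing is supplied by the caller (syslog lines carry none), and the "likely conntrack state" is a heuristic based only on what the log shows, not a query of the live conntrack table.

```python
import re
from datetime import datetime

# Constructed sample: the two kernel LOG lines from the post, copied in shape
# (XXX and ZZZ stand in for the real addresses just as they do in the post).
SAMPLE_LOG = """\
Jan 16 12:23:03 pop kernel: GOING OUT: in= OUT=eth0 SRC=XXX DST=ZZZ LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51011 DF PROTO=TCP SPT=25 DPT=35322 WINDOW=5792 RES=0x00 ACK FIN URGP=0
Jan 16 12:23:07 pop kernel: COMING IN AND REJECTED: IN=eth0 OUT= MAC=00:13:72:f7:d2:13:00:03:a0:0b:04:70:08:00 SRC=ZZZ DST=XXX LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=13994 DF PROTO=TCP SPT=60919 DPT=25 WINDOW=63 RES=0x00 ACK FIN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
INT_FIELDS = {"SPT", "DPT", "LEN", "TTL", "ID", "WINDOW"}
_HEAD = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s*(?P<rest>.*)$")
_INTOKEN = re.compile(r"\bIN=", re.IGNORECASE)  # first KEY=VALUE token of a LOG line


def parse_log_line(line, year=2000):
    """Turn one netfilter LOG line into a dict, or None if it is not one.
    The year is an assumption supplied by the caller: syslog lines carry none."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    start = _INTOKEN.search(rest)
    if not start:
        return None
    ts = " ".join(m.group("ts").split())
    entry = {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "prefix": rest[:start.start()].strip().rstrip(":").strip(),
        "tcp_flags": [],
        "ip_flags": [],
    }
    for tok in rest[start.start():].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            key = key.upper()  # the post shows "in=" where the kernel writes "IN="
            entry[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        elif tok in TCP_FLAGS:
            entry["tcp_flags"].append(tok)
        else:
            entry["ip_flags"].append(tok)  # e.g. DF
    entry["direction"] = "in" if entry.get("IN") else "out"
    return entry


def parse_log(text, year=2000):
    return [e for e in (parse_log_line(l, year) for l in text.splitlines()) if e]


def conn_key(entry):
    """Direction-independent identity of a connection: protocol plus the two
    (address, port) endpoints in sorted order."""
    ends = sorted([(entry["SRC"], entry["SPT"]), (entry["DST"], entry["DPT"])])
    return (entry["PROTO"], ends[0], ends[1])


def analyse_rejections(entries, reject_marker="REJECTED"):
    """For each packet whose log prefix marks it as rejected, report whether an
    earlier logged packet shared its connection and give a heuristic conntrack
    verdict: a FIN with no tracked connection is INVALID, a bare SYN is NEW."""
    ordered = sorted(entries, key=lambda e: e["time"])
    first_seen = {}  # conn_key -> time of the first logged packet on it
    reports = []
    for e in ordered:
        key = conn_key(e)
        if reject_marker in e["prefix"]:
            earlier = key in first_seen
            flags = set(e["tcp_flags"])
            if "FIN" in flags and "SYN" not in flags and not earlier:
                verdict = "INVALID"  # no entry exists and a FIN cannot create one
            elif "SYN" in flags and "ACK" not in flags:
                verdict = "NEW"
            else:
                verdict = "UNKNOWN"  # would need the live conntrack table
            reports.append({
                "time": e["time"],
                "connection": key,
                "direction": e["direction"],
                "tcp_flags": e["tcp_flags"],
                "same_connection_as_earlier_log": earlier,
                "seconds_since_first_log_on_connection":
                    (e["time"] - first_seen[key]).total_seconds() if earlier else None,
                "likely_conntrack_state": verdict,
            })
        first_seen.setdefault(key, e["time"])
    return reports


if __name__ == "__main__":
    for r in analyse_rejections(parse_log(SAMPLE_LOG)):
        print(r)
```

To use it on a real box, feed it the relevant lines of /var/log/messages (or wherever the kernel's LOG target lands) and look for rejected packets whose connection also appears earlier in the log: those are the ones worth comparing against the conntrack TCP timeouts, while an inbound FIN/ACK with no logged history is simply a late close on a connection the tracker has already forgotten.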