Mailinglist Archive: opensuse-security (670 mails)

[Rolf Klemenz <ubs@xxxxxxxxx>]

Hello
Just a little thing. Don't know if this solves your problem (think not)

Reject port 113 (auth). Don't do deny or something but reject...
The pop3 client won't wait for auth then...

Rolf

Ray Leach wrote:

> Hi
>
> These are the rules I have to get mail to work (or not work) ...
>
> # Masquerade internal networks
> $IPTABLES -t nat -A POSTROUTING -o $IFACE_INT -s $NET_INT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -o $IFACE_DMZ -s $NET_DMZ -j MASQUERADE
>
> #### allow smtp and pop3
> # allow internet pop3 to mail server - reverse masq $IP_INET_MAIL:110 to
> $IP_INT_MAIL:110
> $IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 110 -j
> DNAT --to-destination $IP_INT_MAIL
> $IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 110 -d $NET_DMZ -j ACCEPT
> $IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --sport 110 -d $NET_INT -j ACCEPT
> $IPTABLES -A INPUT -i $IFACE_DMZ -p tcp --dport 113 -d $IP_INET -j ACCEPT
> $IPTABLES -A OUTPUT -o $IFACE_DMZ -p tcp --sport 113 -d $IP_INT_MAIL -j ACCEPT
> # allow internet smtp to mail server - reverse masq $IP_INET_MAIL:25 to
> $IP_INT_MAIL:25
> $IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 25 -j
> DNAT --to-destination $IP_INT_MAIL
> $IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 25 -d $NET_DMZ -j ACCEPT
> $IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --dport 25 -j ACCEPT
>
> This is the problem :
>
> Mail gets delivered to the mail server from the client. The client is configured to
> send mail to $IP_INET_MAIL. So this means that the reverse masq (DNAT) is working.
>
> The mail server (on $IP_INT_MAIL) tries to contact another mail server
> (mail.knowledgefactory.co.za) and times out with an entry in the mail log file in
> /var/log/mail saying "Timeout contacting mail.knowledgefactory.co.za."
>
> There are no dropped packets on the firewall.
>
> My firewall script also contains these rules to log any packets that reach the end
> of the chain:
>
> # drop MS broadcasts
> $IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 137 -d $BCAST_INT -j DROP
> $IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 138 -d $BCAST_INT -j DROP
> $IPTABLES -A INPUT -p udp -s 0.0.0.0/32 -j DROP
> $IPTABLES -A INPUT -p udp -d 255.255.255.255/32 -j DROP
>
> # log any packets that reach the end
> $IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
> $IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
> $IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
> $IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
> $IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
> $IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
> $IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
> $IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
> $IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "
>
>
> Any ideas?
>
> I don't want to setup pop3 and smtp proxies on my firewall ...
>
> Ray
>
> Sven Michels wrote:
>
> > Sven Michels wrote:
> >
> > > Ray Leach wrote:
> > >
> > > > Hi
> > > >
> > > > What would be the reverse of this rule?
> > > >
> > > > Sven Michels wrote:
> > > >
> > > > > Ray Leach wrote:
> > > > >
> > > > > > Hi
> > > > > >
> > > > > > Is it possible to reverse masq just one IP in a subnet?
> > > > > >
> > > > > > I have a mail server on a private subnet and I want to reverse masq just
> > > > > > the IP of the mail server.
> > > > > Like that:
> > > > > iptables -A PREROUTING -t nat -p tcp --dport 25 -i $WORLD_DEV -j DNAT --to
> > > > > $MAILSERVERIP
> > > > iptables -A POSTROUTING -t nat -p tcp --sport 25 -o $DMZ_NET -j SNAT
> > > > --to-source $WORLD_IP
> > > you don't need a reverse rule. The server need to have the default gw set to
> > > the maschine where you used the iptables. it rewrites only the destination
> > > in the packet. source is the same.
> > i was wrong ;) you need a masq rule... normal masquerading like for
> > other connections (if you don't masql all traffic which is leaving your
> > wall thru $WORLD_DEV
> >
> > --
> > intraDAT AG                     http://www.intradat.com
> > Wilhelm-Leuschner-Strasse 7         Tel: +49 69-25629-0
> > D - 60329 Frankfurt am Main       Fax: +49 69-25629-256
> >         Junk mail is war. RFCs do not apply.
> >
> > --
> > To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
>
> --
> ----------------------------------------------------------------------
> Raymond Leach
> Cell:+27-82-416-1410     Tel:+27-11-444-5006     Fax:+27-11-444-5007
> eMail:raymondl@xxxxxxxxxxxxxxxxxxxxxx
> www:http://www.knowledgefactory.co.za
> "No matter where you go, there you are ..."
> ----------------------------------------------------------------------