Hello, I'm having some trouble with a mailserver outside when I send mail through my firewall. The mailserver wants to connect to port 113 on my box, which is closed, so the connection times out and sending mail seems to last endlessly. That's why I've added these 2 rules to my firewall-script:
$IPTABLES -A INPUT -i $EXT -p TCP -s $ms --dport 113 -j REJECT
$IPTABLES -A FORWARD -i $EXT -p TCP -s $ms --dport 113 -j REJECT
where $EXT is my external device and $ms is the mailserver.
But still I get entries like these in my logs:
Nov 26 20:26:52 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<my external IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=38856 PROTO=TCP SPT=3672 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
which means that the last rule (reject everything) catches those requests.
What do the rules have to look like to reject identd?
Thanks in advance,
Ralf Ronneburger
Ralf Ronneburger wrote:
$IPTABLES -A INPUT -i $EXT -p TCP -s $ms --dport 113 -j REJECT
But still I get entries like these in my logs: (...) wich means, that the last rule (reject everything) catches those requests.
What do the rules have to look like to reject identd?
The syntax is correct. If you execute "iptables -L -v" you'll notice they are placed at the wrong position in the ruleset due to your "-A". Try "-I INPUT/FORWARD 1" so they become the first rule and are effective.
Peter
Peter Wiersig wrote:
The syntax is correct. If you execute "iptables -L -v" you'll notice they are placed at the wrong position in the ruleset due to your "-A".
Try "-I INPUT/FORWARD 1" so they become the first rule and are effective.
Peter
Hi Peter,
iptables -L -v gives the rules in the correct position, the deny-rules appear at the end. Still my reject-rules are not matched...
Best regards,
Ralf
Hello Ralf,
On Tuesday 26 November 2002 20:33, Ralf Ronneburger wrote:
Hello,
I'm having some trouble with a mailserver outside when I send mail through my firewall. The mailserver wants to connect to port 113 on my box, which is closed, so the connection times out and sending mail seems to last endlessly. That's why I've added these 2 rules to my firewall-script:
$IPTABLES -A INPUT -i $EXT -p TCP -s $ms --dport 113 -j REJECT
$IPTABLES -A FORWARD -i $EXT -p TCP -s $ms --dport 113 -j REJECT
where $EXT is my external device and $ms is the mailserver.
But still I get entries like these in my logs:
Nov 26 20:26:52 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<my external IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=38856 PROTO=TCP SPT=3672 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
which means that the last rule (reject everything) catches those requests.
What do the rules have to look like to reject identd?
You have to add a reason for the reject, otherwise it is treated as a DROP; add a --reject-with tcp-reset (see man iptables).
-- GertJan
Hello Gert,
GertJan Spoelman wrote:
You have to add a reason for the reject, otherwise it is treated as a DROP, add a --reject-with tcp-reset (see man iptables).
No, this is not the case: REJECT without a --reject-with is treated as REJECT --reject-with icmp-port-unreachable. That would suit my needs just fine. In any case, if the rule matched then my deny-rule at the end of the script would not match, so I wouldn't have any log entries.
Thanks anyway,
Ralf
Hello Ralf,
On Tuesday 26 November 2002 23:24, Ralf Ronneburger wrote:
Hello Gert,
GertJan Spoelman wrote:
You have to add a reason for the reject, otherwise it is treated as a DROP, add a --reject-with tcp-reset (see man iptables).
No, this is not the case, REJECT without a --reject-with is treated as a REJECT --reject-with icmp-port-unreachable. That would suit my needs
Then you seem to have a different manpage than I have (Aug 11, 2000); it says so in there.
just fine. In any case, if the rule matched then my deny-rule at the end of the script would not match, so I wouldn't have any log entries.
You're right, I didn't think of that. I do vaguely remember something about that if you put the -j at the end it would sometimes not work; try putting it directly after -A INPUT and see if that helps.
-- GertJan
Hi Gert,
GertJan Spoelman wrote:
Then you seem to have a different manpage than I have (Aug 11, 2000); it says so in there.
No, I didn't read that in the manpage, but my rules result in these entries in the INPUT and FORWARD section with iptables -L -v:
0 0 REJECT tcp -- ppp0 any <my_mailserver> anywhere tcp dpt:ident reject-with icmp-port-unreachable
I do vaguely remember something about that if you put the -j at the end it would sometimes not work; try putting it directly after -A INPUT and see if that helps.
No, that didn't change a thing; packets still get denied and not rejected.
Greetings,
Ralf
Hello,
I'm having some trouble with a mailserver outside when I send mail through my firewall. The mailserver wants to connect to port 113 on my box, which is closed, so the connection times out and sending mail seems to last endlessly. That's why I've added these 2 rules to my firewall-script:
$IPTABLES -A INPUT -i $EXT -p TCP -s $ms --dport 113 -j REJECT
$IPTABLES -A FORWARD -i $EXT -p TCP -s $ms --dport 113 -j REJECT
where $EXT is my external device and $ms is the mailserver.
But still I get entries like these in my logs:
Nov 26 20:26:52 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<my external IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=38856 PROTO=TCP SPT=3672 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
which means that the last rule (reject everything) catches those requests.
You could try more general rules like
iptables -I INPUT 1 -p TCP --dport 113 -j REJECT
iptables -I INPUT 1 -p TCP --dport 113 -j LOG --log-prefix " Input identd"
iptables -I FORWARD 1 -p TCP --dport 113 -j REJECT
iptables -I FORWARD 1 -p TCP --dport 113 -j LOG --log-prefix " Forward identd"
In this case the first 2 rules should be
1. Logging
2. Rejecting
anything that goes to port 113. Then you could narrow your selection.
Andreas
Hi Andreas,
Andreas Baetz wrote:
You could try more general rules like
iptables -I INPUT 1 -p TCP --dport 113 -j REJECT
iptables -I INPUT 1 -p TCP --dport 113 -j LOG --log-prefix " Input identd"
iptables -I FORWARD 1 -p TCP --dport 113 -j REJECT
iptables -I FORWARD 1 -p TCP --dport 113 -j LOG --log-prefix " Forward identd"
In this case the first 2 rules should be
1. Logging
2. Rejecting
anything that goes to port 113
Thanks for your help. But now it becomes even more strange: first I get two log-entries for dropped packets, then I get two log-entries for rejected packets. But they look very much the same to me:
Nov 27 18:25:29 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<External-IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=32011 PROTO=TCP SPT=1953 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 18:28:15 internet kernel: Input identd IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<External-IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36212 PROTO=TCP SPT=1991 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
So why does the first packet not match the REJECT-rule?
Best regards,
Ralf Ronneburger
On Wednesday 27 November 2002 18:34, Ralf Ronneburger wrote:
Hi Andreas,
Andreas Baetz wrote:
You could try more general rules like
iptables -I INPUT 1 -p TCP --dport 113 -j REJECT
iptables -I INPUT 1 -p TCP --dport 113 -j LOG --log-prefix " Input identd"
iptables -I FORWARD 1 -p TCP --dport 113 -j REJECT
iptables -I FORWARD 1 -p TCP --dport 113 -j LOG --log-prefix " Forward identd"
In this case the first 2 rules should be
1. Logging
2. Rejecting
anything that goes to port 113
Thanks for your help. But now it becomes even more strange: first I get two log-entries for dropped packets, then I get two log-entries for rejected packets. But they look very much the same to me:
Nov 27 18:25:29 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<External-IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=32011 PROTO=TCP SPT=1953 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 18:28:15 internet kernel: Input identd IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<External-IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36212 PROTO=TCP SPT=1991 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
You could check the following: What happens if you comment out the actual REJECT rule, leaving only the LOG rule in place? Does one packet get logged twice? Do you have the netfilter code compiled as modules or into the kernel? Maybe not all modules are loaded the first time?
Andreas
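To answer the two checks Andreas suggests from the log alone (which rule's --log-prefix saw the port-113 SYNs, and whether one packet is logged twice), here is an added Python parser for the netfilter LOG line format quoted in this thread; it is not part of the original posts, and its sample lines, addresses and the repeated entry are constructed.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the kernel log entries quoted in the
# thread; addresses are documentation placeholders, not the poster's hosts.
# The third line repeats the second to stand in for "one packet logged twice".
SAMPLE_LOG = """\
Nov 27 18:25:29 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=32011 PROTO=TCP SPT=1953 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 18:28:15 internet kernel:  Input identd IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36212 PROTO=TCP SPT=1991 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 18:28:15 internet kernel:  Input identd IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36212 PROTO=TCP SPT=1991 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 18:30:02 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=61 ID=1024 PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", the --log-prefix text, then the IN=... fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:"
    r"\s*(?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)

def parse_line(line):
    """Parse one netfilter LOG line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group("fields").split():
        if "=" in token:                # key=value; value may be empty (OUT=, MAC=)
            key, value = token.split("=", 1)
            fields[key] = value
        else:                           # bare TCP flag such as SYN or ACK
            flags.add(token)
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix"), "fields": fields, "flags": flags}

def ident_hits(log_text):
    """Return the parsed entries that are TCP packets to port 113 (ident)."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries
            if e and e["fields"].get("PROTO") == "TCP" and e["fields"].get("DPT") == "113"]

def hits_by_prefix(entries):
    """Count entries per --log-prefix, i.e. which rule logged the ident packets."""
    return dict(Counter(e["prefix"] for e in entries))

def logged_twice(entries):
    """Keys (SRC, SPT, IP ID) seen more than once: the same packet logged by two rules."""
    keys = Counter((e["fields"]["SRC"], e["fields"]["SPT"], e["fields"]["ID"])
                   for e in entries)
    return sorted(k for k, n in keys.items() if n > 1)
```

Feed it the real /var/log/messages: a port-113 entry under the DROP prefix but none under " Input identd" for the same (SRC, SPT, ID) means the packet never reached the LOG/REJECT rules, whereas a key in logged_twice() means both rules saw it.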
Hi,
Why do you not try Shorewall? It has good documentation. Take a look at http://www.shorewall.net
I find SuSEfirewall confusing at times; that is why I now use Shorewall.
--
Ian David Laws
Linux is for Networking
Mac is for Working
ian@the-laws-clan.de
Windows is for Solitaire