Re: Problem with iptables and smtp
From: Mikey (mike_at_xanter.org)
Date: 02/27/04
- Next message: Mikey: "Re: Problem with iptables and smtp"
- Previous message: Rudyink: "Re: Printer Sharing with PC-Cillin Internet Security"
- In reply to: NeoSadist: "Re: Problem with iptables and smtp"
- Next in thread: Mikey: "Re: Problem with iptables and smtp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 27 Feb 2004 15:35:39 +0100
Awesome that you replied to my message, will try it tonight, can't do it when it is
in busy production ;)
What about that telnet: I'm using ssh on a different port, but what I meant
with telnet is that I telnetted to port 25 (smtp) and saw that there is a
huge lag before he greets. telnetd is turned off as a service and is also
blocked on the firewall.
Thanks in advance!
"NeoSadist" <neosad1st@charter.net> wrote in message
news:103uiltsh0t4393@corp.supernews.com...
> Mikey wrote:
>
> > Hello,
> >
> > I got a problem: when I activate the firewall that was a bit pre-configured
> > and a bit by myself, I got problems with my smtp server. When I do a telnet
> > to it, it takes about 30+ seconds until he responds and greets. When I turn
> > it off he greets immediately.
>
> Telnet is NOT a very good, secure, way of logging remotely into a box. Use
> ssh.
>
> >
> > The iptables i used are:
> >
> > for server_ips in $SERVER_IPS; do
> > $IPTABLES -A OUTPUT -o eth0 -p tcp -s $server_ips --sport
> > $UNPRIVPORTS --dport 25 -j LOG --log-prefix " SMTP_LOG "
>
> Why are you bothering to specify 1) what ports yours is generated on (since
> destination port should be all you need to worry about in OUTGOING) and 2)
> why are you logging it?
>
> > $IPTABLES -A OUTPUT -o eth0 -p tcp -s $server_ips --sport
> > $UNPRIVPORTS --dport 25 -m state --state NEW -j ACCEPT
>
> See the above rule for my comments.
>
> > $IPTABLES -A INPUT -i eth0 -p tcp --sport $UNPRIVPORTS -d
> > $server_ips --dport 25 -m state --state NEW -j ACCEPT
>
> Here's where you messed up. Your server sees INCOMING smtp as SOURCE port
> 25, not destination port.
> Also, about that ruleset, you need to allow states ESTABLISHED,RELATED at
> some point. The connection isn't always going to be in state NEW. State
> NEW is the initial first packet from each machine per connection request.
> That is, state NEW is basically the SYN packet, the rest are state
> ESTABLISHED. RELATED is stuff like RST packets, or ICMP packets, or DNS
> packets, i.e. things associated with the connection and considered part of
> it.
> Lastly, I STRONGLY suggest that you disable telnet and use ssh to log in.
> Ssh is secure (encrypted). Telnet (as far as I know) is not, and still not
> very secure anyways.
>
> > done
> >
> >
> > Anyone any idea what I do wrong?
> >
> > Thanks in advance!
> >
> > Mike from Holland
>
> --
> Of course there's no reason for it, it's just our policy.
>
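The ruleset rewritten along the lines of NeoSadist's reply, as an added example that is not part of the thread: the INPUT rule for incoming mail matches --dport 25, and ESTABLISHED,RELATED packets are accepted so that everything after the SYN gets through. The function names, the IFACE variable and the 192.0.2.10 address are constructed for this example; IPTABLES defaults to "echo iptables", so running the script only prints the rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Set IPTABLES=/sbin/iptables (as root)
# to load the rules instead of printing them.
IPTABLES="${IPTABLES:-echo iptables}"
IFACE="${IFACE:-eth0}"

# Accept reply and follow-up packets of any connection the state table already
# knows about, in both directions. Without these, only the SYN is allowed and
# every SMTP session stalls right after the handshake.
state_rules() {
    $IPTABLES -A INPUT  -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Emit the per-address SMTP rules for one server address.
smtp_rules() {
    ip="$1"
    # Incoming mail: remote client -> our port 25. A new inbound session is
    # addressed TO port 25, so the original --sport 25 INPUT rule never fired.
    # Only the first (NEW) packet needs this rule; the rest matches ESTABLISHED.
    $IPTABLES -A INPUT  -i "$IFACE" -p tcp -d "$ip" --dport 25 \
        -m state --state NEW -j ACCEPT
    # Outgoing mail: our MTA -> remote port 25. The source port is whatever
    # unprivileged port the kernel picked, so it is not matched on.
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp -s "$ip" --dport 25 \
        -m state --state NEW -j ACCEPT
}

# Full ruleset: the state rules once, then the SMTP rules for each address
# given as an argument (the thread loops over $SERVER_IPS the same way).
all_smtp_rules() {
    state_rules
    for server_ip in "$@"; do
        smtp_rules "$server_ip"
    done
}

# Constructed sample address (documentation range), replaced by $SERVER_IPS if set.
all_smtp_rules ${SERVER_IPS:-192.0.2.10}
```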