iptables: Tux doesn't want to go out! - Security



Thread: iptables: Tux doesn't want to go out!

  1. iptables: Tux doesn't want to go out!

    Hello,
    After 2 days without result, I need your help.
    We have a Mandriva gateway for our LAN (smb, postfix, fetchmail, squid,
    hylafax, etc.)
    I have changed the iptables rules. Now, the default policy is DROP.
    But now:
    - we can use Samba, receive faxes, use email on the LAN (private only), go to the Web
    - but we can't receive email or use Squid. (When I do "telnet ip.my.provider 110",
    it can't connect)
    Thanks for your help.

    # Load kernel modules
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_nat
    /sbin/modprobe iptable_mangle
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_MASQUERADE

    # Flush the rules of all tables
    /sbin/iptables -t nat -F
    /sbin/iptables -F
    /sbin/iptables -X

    # Define default policy to DROP packets
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -P FORWARD DROP

    net=192.168.0.0
    mask=255.255.255.0
    inif=eth1
    outif=eth0

    # Accept all local (loopback) traffic on the lo interface
    /sbin/iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT

    #/sbin/iptables -A OUTPUT -p tcp --dport 110 -s 192.168.0.0/24 -j ACCEPT

    ## Rules for INPUT/OUTPUT
    # Permit DNS traffic
    /sbin/iptables -A INPUT -p udp --sport 53 -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

    # Accept local-network return traffic from private network 192.168.0.0/24:
    /sbin/iptables -A INPUT -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 1024:65535 ! --state INVALID -d 192.168.0.0/24 -j ACCEPT

    # Accept all HTTP connections
    /sbin/iptables -A INPUT -m state -p tcp --dport 80 ! --state INVALID -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 80 --state ESTABLISHED,RELATED -j ACCEPT

    # Accept local (192.168.0.0/24) POP traffic
    /sbin/iptables -A INPUT -m state -p tcp --dport 110 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 110 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT

    # Accept local (192.168.0.0/24) HTTPS traffic (port 443; IMAP would be port 143)
    /sbin/iptables -A INPUT -m state -p tcp --dport 443 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 443 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT

    # Accept local (192.168.0.0/24) SMTP traffic
    /sbin/iptables -A INPUT -m state -p tcp --dport 25 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 25 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT

    # Accept local (192.168.0.0/24) SMB traffic
    /sbin/iptables -A INPUT -m state -p tcp --dport 139 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 139 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -m state -p tcp --dport 445 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 445 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT

    # Accept local (192.168.0.0/24) SQUID traffic
    /sbin/iptables -A INPUT -m state -p tcp --dport 3128 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 3128 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT

    ##################################################################

    # Accept external traffic on the public interface for Apache
    /sbin/iptables -A INPUT -i $outif -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A FORWARD -i $outif -d $net/$mask -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT


    ## Forwarding rules:
    # Enable NAT routing: address translation
    /sbin/iptables -t nat -A POSTROUTING -s $net/$mask -o $outif -j MASQUERADE

    # Accept packets entering on the outside interface only if they belong to
    # established connections or to ones requiring a new (related) connection.
    /sbin/iptables -A FORWARD -i $outif -d $net/$mask -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Accept all outgoing packets from the local network
    /sbin/iptables -A FORWARD -s $net/$mask -o $outif -j ACCEPT

    # Log all other traffic
    /sbin/iptables -A INPUT -j LOG
    /sbin/iptables -A OUTPUT -j LOG
    /sbin/iptables -A FORWARD -j LOG

    echo 1 >/proc/sys/net/ipv4/ip_forward



  2. Re: iptables: Tux doesn't want to go out!

    On Thu, 15 Mar 2007, sittiherve wrote:


    Are you trying to access a pop server outside of your network? Your POP
    rules do the following:

    In your INPUT chain (packets coming into the machine) you allow incoming
    connections that are not associated with any known connections to port
    110.

    In your OUTPUT chain you allow outgoing connections coming from port 110
    that are associated with an existing connection.

    I don't think this is what you should be doing. When accessing an external
    POP server you are receiving data through an unprivileged port (>1023
    range). Try a line like this:

    /sbin/iptables -A OUTPUT -p tcp --dport 110 -s 192.168.0.0/24 -j ACCEPT

    If you wish to allow internal traffic to POP do something like this:

    /sbin/iptables -A INPUT -p tcp --dport 110 -d 192.168.0.0/24 -j ACCEPT


    The other half of the POP connections should be covered in your
    unprivileged port rules.

    --Sir Jackery

  3. Re: iptables: Tux doesn't want to go out!

    Thanks Sir,
    I can POP to my external server now. It's better, but Squid doesn't let me go
    to the Web.
    For POP, the changes are as follows:
    # Accept local (192.168.0.0/24) POP traffic
    /sbin/iptables -A INPUT -m state -p tcp --dport 110 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 110 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --sport 110 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
    It works now.
    For Squid, I have no idea.
    Thanks a lot.

    "Sir Jackery" wrote in the news message
    Pine.LNX.4.64.0703150832020.4253@pc15.cs.ucdavis.edu...




  4. And SQUID works now: 'champagne' for everybody

    Sir Jackery, I have made the following changes:
    # Accept local (192.168.0.0/24) SQUID traffic
    /sbin/iptables -A INPUT -m state -p tcp --dport 3128 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state -p tcp --sport 3128 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
    /sbin/iptables -A INPUT -m state -p tcp --sport 80 ! --state INVALID -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

    I'm not sure that my changes are secure... I'm going to look at that
    tonight at home.
    Thanks for your help.
    Hervé LEFEVRE

    "sittiherve" wrote in the news message
    45f97ba5$0$32300$426a74cc@news.free.fr...


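    The whole exchange turns on which chain sees which half of a POP session, and on whether a rule trusts conntrack or only a port number. As an added illustration (my code, not anything posted in the thread), the Python below replays the POP-relevant rules from the first post, then the two lines appended in post 3, against three constructed packets: the gateway's own SYN to the provider's port 110, the server's reply, and an unsolicited segment that merely carries source port 110. Assumed rather than taken from the thread: the RFC 5737 documentation addresses, the conntrack state given to each packet, and a HARDENED variant that keeps the post-3 rules but ties the INPUT '--sport 110' rule to ESTABLISHED,RELATED.

```python
# Added example (not code from the thread): a first-match simulator for the
# filter rules posted above. It shows why the gateway's own 'telnet
# ip.my.provider 110' was dropped, what the two lines appended in post 3
# change, and what a stateless '--sport 110' rule also lets in. Only the
# options the script uses are parsed; -i/-o are ignored, and each constructed
# Packet carries the conntrack state iptables would have assigned to it.
import ipaddress
import shlex
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# state is the conntrack classification: NEW, ESTABLISHED, RELATED or INVALID
Packet = namedtuple("Packet", "proto src dst sport dport state")

@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    sport: Optional[tuple] = None
    dport: Optional[tuple] = None
    states: Optional[frozenset] = None
    negate_states: bool = False  # True for '! --state ...'

def parse_rule(line):
    """Parse one '[/sbin/iptables] -A CHAIN ... -j TARGET' line into a Rule."""
    toks = shlex.split(line)
    if toks and not toks[0].startswith("-"):
        toks = toks[1:]  # drop a leading /sbin/iptables
    rule, negate, i = Rule(), False, 0
    while i < len(toks):
        t = toks[i]
        if t in ("!", "-mstate"):  # '!' negates the next match; '-mstate' is '-m state'
            negate, i = negate or t == "!", i + 1
            continue
        arg = toks[i + 1]
        if t in ("-A", "-j", "-p"):
            setattr(rule, {"-A": "chain", "-j": "target", "-p": "proto"}[t], arg)
        elif t in ("-s", "-d"):
            setattr(rule, "src" if t == "-s" else "dst", ipaddress.ip_network(arg, strict=False))
        elif t in ("--sport", "--dport"):
            lo, _, hi = arg.partition(":")  # 'N' or 'LO:HI'
            setattr(rule, t[2:], (int(lo), int(hi or lo)))
        elif t == "--state":
            rule.states, rule.negate_states = frozenset(arg.split(",")), negate
        elif t not in ("-m", "-i", "-o", "-t"):
            raise ValueError("unsupported option " + t)
        negate, i = False, i + 2
    return rule

def matches(rule, pkt):
    """Every clause must hold; '--state X' needs the state in X, '! --state X' the opposite."""
    return (rule.proto in (None, pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.sport is None or rule.sport[0] <= pkt.sport <= rule.sport[1])
            and (rule.dport is None or rule.dport[0] <= pkt.dport <= rule.dport[1])
            and (rule.states is None or (pkt.state in rule.states) != rule.negate_states))

def verdict(rules, chain, pkt, policy="DROP"):
    """First terminating match wins; LOG falls through; the chain policy applies otherwise."""
    for r in rules:
        if r.chain == chain and r.target != "LOG" and matches(r, pkt):
            return r.target
    return policy

def chain_set(*extra):
    """POP-relevant rules from the first post, extras appended as in post 3, LOG rules last."""
    base = [
        "-A INPUT -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -s 192.168.0.0/24 -j ACCEPT",
        "-A OUTPUT -m state -p tcp --sport 1024:65535 ! --state INVALID -d 192.168.0.0/24 -j ACCEPT",
        "-A INPUT -m state -p tcp --dport 110 ! --state INVALID -s 192.168.0.0/24 -j ACCEPT",
        "-A OUTPUT -m state -p tcp --sport 110 --state ESTABLISHED,RELATED -d 192.168.0.0/24 -j ACCEPT",
    ]
    return [parse_rule(l) for l in base + list(extra) + ["-A INPUT -j LOG", "-A OUTPUT -j LOG"]]

ORIGINAL = chain_set()
POST3 = chain_set("-A INPUT -p tcp --sport 110 -j ACCEPT",   # the two stateless lines
                  "-A OUTPUT -p tcp --dport 110 -j ACCEPT")  # appended in post 3
HARDENED = chain_set(  # same effect for the POP client, but INPUT trusts conntrack, not the source port
    "-A INPUT -p tcp --sport 110 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A OUTPUT -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT")

# Constructed addresses from the RFC 5737 documentation ranges; the gateway's
# own outbound packets carry its public address, not a 192.168.0.x one.
GATEWAY, POP_SERVER, OTHER = "203.0.113.10", "198.51.100.25", "192.0.2.77"
SYN_OUT = Packet("tcp", GATEWAY, POP_SERVER, 40321, 110, "NEW")           # the telnet/fetchmail SYN
REPLY_IN = Packet("tcp", POP_SERVER, GATEWAY, 110, 40321, "ESTABLISHED")  # the server's answer
STRAY_IN = Packet("tcp", OTHER, GATEWAY, 110, 22, "NEW")                  # unsolicited, source port 110

def evaluate(rules):
    """Verdict of each chain on the three packets, e.g. evaluate(POST3)."""
    return {"syn_out": verdict(rules, "OUTPUT", SYN_OUT),
            "reply_in": verdict(rules, "INPUT", REPLY_IN),
            "stray_in": verdict(rules, "INPUT", STRAY_IN)}
```

    Calling evaluate() on each set shows the original chains dropping both halves of the session (the -s/-d 192.168.0.0/24 restriction keeps the "unprivileged port" rules from covering the gateway's own traffic), the post-3 lines accepting them but also the unsolicited segment, and the hardened variant accepting only the first two.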


  5. Re: And SQUID works now: 'champagne' for everybody

    On Thu, 15 Mar 2007, sittiherve wrote:


    I'll have a glass! Actually, make that a bottle :-P

    --Sir Jackery
