[ale] SMTP and firewall problems

Ben Coleman oloryn at benshome.net
Fri Feb 9 09:16:06 EST 2001


On Fri, 9 Feb 2001 07:18:07 -0500, Eric_Brubakken at aoncons.com wrote:

>
>
>I am currently trying to configure my firewall at home and have run into a
>problem with sending mail.  Receiving mail is not a problem, just sending - my
>firewall script seems to be rejecting everything from SMTP (port 25).
>
>Does anyone see problems in the following code?
>Here is a snippet from my rc.firewall script:

>LOOPBACK_INTERFACE="lo"                 # or your local naming convention
>LOCAL_INTERFACE_1="eth1"                # internal LAN interface
>
>IPADDR="64.81.31.123"                   # your IP address
>LOCALNET_1="192.168.0.0/24"             # whatever private range you use
>
>ANYWHERE="any/0"                        # match any IP address
>
>NAMESERVER_1="216.254.95.2"             # everyone must have at least one
>NAMESERVER_2="216.231.41.2"
>UNPRIVPORTS="1024:65535"

Hmmm.  That looks a lot like the firewall scripts from the book 'Linux
Firewalls'.

>------------------------------------------------------- problem child area -----------------------------------------------
>
>
># SMTP server (25)
># ----------------
>    /sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
>             -s $ANYWHERE $UNPRIVPORTS \
>             -d $IPADDR 25 -j ACCEPT
>
>    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>             -s $IPADDR $UNPRIVPORTS \
>             -d $ANYWHERE 25  -j ACCEPT
> ------------------------------------------------------- problem child area -----------------------------------------------

That's fine as far as it goes, but it only allows for incoming SMTP
(which is what you've reported).  You also need to allow connections to
external SMTP servers.  Assuming that you're not using your ISP's SMTP
server, you need something like this:

# outgoing connection from this host to a remote SMTP server (the SYN is allowed)
/sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR $UNPRIVPORTS \
        -d $ANYWHERE 25 -j ACCEPT
# replies from the remote server's port 25; ! -y refuses packets that would
# open a new connection towards our unprivileged ports
/sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $ANYWHERE 25 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT


If you're using your ISP's SMTP server for outgoing mail, substitute that
server's domain name for $ANYWHERE above.

If you *are* using the book 'Linux Firewalls', see pages 92-99, which
cover this pretty well.

Ben
-- 
Ben Coleman oloryn at benshome.net      | The attempt to legislatively
http://oloryn.home.mindspring.com/   | micromanage equality results, at
Amateur Radio NJ8J                   | best, in equal misery for all.


--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
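The rules in this thread are stateless: ipchains has no connection table, so each direction of an SMTP connection needs its own rule, and the -y test is the only thing that stops a "replies" rule from also accepting brand-new connections. The Python model below is an added example, not part of the post and not taken from the 'Linux Firewalls' scripts. It applies the server pair and the client pair from the reply to the three packets of an outbound and an inbound SMTP handshake, reproduces the symptom reported (with only the server rules loaded, our own SYN to a remote port 25 is dropped) and shows what the ! -y input rule refuses. The addresses 203.0.113.5 and 198.51.100.25 are placeholders; where the reply says to substitute the ISP's relay name, an address is used here because ipchains resolves a name given to -s/-d when the rule is loaded. Note that the server-side output rule in the model is `-s $IPADDR 25 -d $ANYWHERE $UNPRIVPORTS`, the direction a server's replies actually travel; the output rule quoted from the original script has the two port specifications the other way round and would not match those replies.

```python
# Added example: a minimal model of stateless ipchains matching for the SMTP
# rules discussed above.  Not taken from the post or from 'Linux Firewalls'.
# Remote addresses are placeholders; IPADDR is the one quoted in the thread.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPADDR = "64.81.31.123"
ANYWHERE = None                  # stands in for any/0
UNPRIVPORTS = (1024, 65535)
SMTP = (25, 25)


@dataclass(frozen=True)
class Packet:
    chain: str    # "input" or "output" on the external interface
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool     # True only for a connection-opening SYN (SYN set, ACK clear);
                  # that is the packet ipchains -y selects


@dataclass(frozen=True)
class Rule:
    chain: str
    src: Optional[str]           # None matches any address
    sport: Tuple[int, int]
    dst: Optional[str]
    dport: Tuple[int, int]
    syn: Optional[bool]          # None: any packet, True: -y, False: ! -y
    target: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        return (self.chain == p.chain
                and self.src in (None, p.src)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dst in (None, p.dst)
                and self.dport[0] <= p.dport <= self.dport[1]
                and self.syn in (None, p.syn))


def verdict(rules: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule decides, as in an ipchains chain; else the policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


# Server side (incoming mail): remote clients may open to our port 25, and our
# server's non-SYN replies may leave from port 25 to their unprivileged port.
SERVER_RULES = [
    Rule("input", ANYWHERE, UNPRIVPORTS, IPADDR, SMTP, None),
    Rule("output", IPADDR, SMTP, ANYWHERE, UNPRIVPORTS, False),
]


def client_rules(smtp_server: Optional[str] = ANYWHERE) -> List[Rule]:
    """Client side (outgoing mail), the pair the reply adds: we may open to
    port 25, and only non-SYN packets may come back from port 25.  Pass the
    ISP relay's address instead of ANYWHERE to allow one server only."""
    return [
        Rule("output", IPADDR, UNPRIVPORTS, smtp_server, SMTP, None),
        Rule("input", smtp_server, SMTP, IPADDR, UNPRIVPORTS, False),
    ]


def _handshake(rules: List[Rule], opener: Tuple[str, int],
               listener: Tuple[str, int], opener_chain: str) -> List[str]:
    """Verdicts for SYN, SYN-ACK and ACK of one TCP open, seen from our box."""
    reply_chain = "input" if opener_chain == "output" else "output"
    flow = [
        Packet(opener_chain, opener[0], opener[1], listener[0], listener[1], True),
        # the SYN-ACK carries ACK, so -y does not select it and ! -y does
        Packet(reply_chain, listener[0], listener[1], opener[0], opener[1], False),
        Packet(opener_chain, opener[0], opener[1], listener[0], listener[1], False),
    ]
    return [verdict(rules, p) for p in flow]


def outbound_smtp_handshake(rules: List[Rule], server: str) -> List[str]:
    """We send mail: our SYN goes out from an unprivileged port to port 25."""
    return _handshake(rules, (IPADDR, 1025), (server, 25), "output")


def inbound_smtp_handshake(rules: List[Rule], client: str) -> List[str]:
    """Someone delivers mail to us: their SYN arrives at our port 25."""
    return _handshake(rules, (client, 2048), (IPADDR, 25), "input")


def remote_syn_from_port_25(rules: List[Rule], host: str) -> str:
    """A host opening a connection to us with source port 25: the ! -y on the
    client-side input rule must leave this to the chain policy."""
    return verdict(rules, Packet("input", host, 25, IPADDR, 1025, True))


if __name__ == "__main__":
    remote = "203.0.113.5"                       # placeholder remote MTA
    print("server rules only, sending:", outbound_smtp_handshake(SERVER_RULES, remote))
    both = SERVER_RULES + client_rules()
    print("with client rules, sending:", outbound_smtp_handshake(both, remote))
    print("receiving:", inbound_smtp_handshake(both, remote))
    print("SYN from port 25:", remote_syn_from_port_25(both, remote))
```

Run it as is to see the four verdict lists; pass an address to client_rules() to see the relay-only variant, under which a handshake to any other host's port 25 falls through to the DENY policy in both directions.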