[Novices] FloppyFW iptables and pop3 ssl woes
Brett Shaske
shaske at yahoo.com
Wed Oct 12 16:31:49 EDT 2005
I am having problems getting a firewall installed that
will allow Outlook or ThunderBird POP3 clients to
connect to and download email from an internet POP3
server. This is the firewall.ini that I am using. What
are the tools / utils that can be used to see what is
stopping the client from logging into the POP3 server?
Outlook and ThunderBird both have a problem whenever
SSL is enabled.
What am I doing wrong?
Thank You
Brett
firewall.ini

#!/bin/sh
# Firewall setup.
#
# This is a conversion of the ipchains/ipmasqadm based firewall.ini
# from the 1.x series of floppyfw, it's pretty simple and the
# corresponding ipchains rules are kept for references.
#
# Setting up iptables
#
. /etc/config
#
# Do you want to do port forwarding to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
#
SERVER_IP=10.0.0.0
#
# Stopping forwarding (this script may be run during normal uptime because
# of re-lease of DHCP or demand dialing / PPPoE).
#
echo "0" > /proc/sys/net/ipv4/ip_forward
#
# Overriding the /etc/config and adding additional information.
#
. /etc/outside.info
. /etc/inside.info
#
# Brad suggested this:
# And he suggested to check and maybe change the formatting.
# We'll do that later.
#
# echo "Starting firewall with the following config:"
# echo
# echo "              Inside              Outside"
# echo "   Network: ${INSIDE_NETWORK}     ${OUTSIDE_NETWORK}"
# echo "    Device: ${INSIDE_DEVICE}      ${OUTSIDE_DEVICE}"
# echo "IP Address: ${INSIDE_IP}          ${OUTSIDE_IP}"
# echo "   Netmask: ${INSIDE_NETMASK}     ${OUTSIDE_NETMASK}"
# echo " Broadcast: ${INSIDE_BROADCAST}   ${OUTSIDE_BROADCAST}"
# echo "   Gateway: [None Set]            ${OUTSIDE_GATEWAY}"
# echo
#
# Flushing the chains.
#
iptables -F
# iptables -t nat -F
# iptables -t mangle -F
# or:
for i in `cat /proc/net/ip_tables_names`; do iptables -F -t $i ; done
iptables -X
iptables -Z # zero all counters
#
# Policy for chains DROP everything
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j MASQUERADE
#
# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw command.
#
# SSH:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -j DNAT --to ${SERVER_IP}:22
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 22 -o ${INSIDE_DEVICE} -j ACCEPT
# Web:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP}:80
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my web server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 80 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
# FTP:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}:21
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT
# SMTP (Internal mail server):
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 25 -j DNAT --to ${SERVER_IP}:25
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 25 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 25 -s ${INSIDE_NETWORK} -j SNAT --to ${OUTSIDE_IP}
# SMTP & POP3 (External POP3 Mail Server)
# (These six rules are commented out and carry no -j target, so even if
# uncommented they would only count matching packets, not accept them.)
#iptables -A FORWARD -p tcp -o eth0 --dport 25
#iptables -A FORWARD -p udp -o eth0 --dport 25
#iptables -A FORWARD -p tcp -o eth0 --dport 110
#iptables -A FORWARD -p udp -o eth0 --dport 110
#iptables -A FORWARD -p tcp -o eth0 --dport 995
#iptables -A FORWARD -p udp -o eth0 --dport 995
#
# Keep state.
#
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# We don't like the NetBIOS and Samba leaking..
#
iptables -t nat -A PREROUTING -p TCP -i ${INSIDE_DEVICE} --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i ${INSIDE_DEVICE} --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP -i ${INSIDE_DEVICE} --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP -i ${INSIDE_DEVICE} --dport 445 -j DROP
#
# We would like to ask for names from our floppyfw box
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Ping and friends.
iptables -A INPUT -p icmp -i ${OUTSIDE_DEVICE} -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT -p icmp -j ACCEPT
# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT
#
# If the user wants to have the fake identd running, the identd has to
# be able to answer.
#
iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j DROP
#
# And, some attempt to get interactive sessions a bit more interactive
# under load:
#
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
#
# Finally, list what we have
#
iptables -L
# If broken DNS:
#iptables -L -n
#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr
#
# trying to stop some smurf attacks.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
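One way to see which chain is refusing the POP3/POP3S packets, as an added example that is not part of the original post or of floppyfw: append a LOG rule to the tail of each filter chain (just before the DROP policy takes effect) and then summarise the resulting kernel log lines. The IPTABLES override, the FW-*-DROP prefixes and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic helper; not part of floppyfw or the original firewall.ini.
# IPTABLES can be set to "echo" to preview the rules without applying them.
IPTABLES=${IPTABLES:-iptables}

# Append a rate-limited LOG rule at the end of INPUT, OUTPUT and FORWARD so
# every packet about to fall through to the DROP policy is written to the
# kernel log with a chain-specific prefix. Run after firewall.ini.
log_policy_drops() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m limit --limit 5/minute \
            -j LOG --log-prefix "FW-${chain}-DROP: " --log-level info
    done
}

# Summarise LOG lines (dmesg or /var/log/messages) read on stdin, printing
# "count prefix IN OUT PROTO DPT" per distinct drop, so a blocked POP3 (110)
# or POP3S (995) flow, and the chain that blocked it, shows up immediately.
summarize_drops() {
    grep 'FW-.*-DROP:' | awk '{
        prefix = ""; in_if = ""; out_if = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FW-/)         prefix = $i;
            else if ($i ~ /^IN=/)    in_if  = substr($i, 4);
            else if ($i ~ /^OUT=/)   out_if = substr($i, 5);
            else if ($i ~ /^PROTO=/) proto  = substr($i, 7);
            else if ($i ~ /^DPT=/)   dpt    = substr($i, 5);
        }
        key = prefix " IN=" in_if " OUT=" out_if " " proto " DPT=" dpt;
        n[key]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample of what the LOG target emits: an inside client whose
# POP3S connection is refused in FORWARD, plus one unrelated inbound SSH probe.
SAMPLE_LOG='Oct 12 16:31:49 floppyfw kernel: FW-FORWARD-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1044 DPT=995 SYN
Oct 12 16:31:52 floppyfw kernel: FW-FORWARD-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1045 DPT=995 SYN
Oct 12 16:32:01 floppyfw kernel: FW-INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 PROTO=TCP SPT=4422 DPT=22 SYN'

# Runs the summary over the constructed sample.
demo() { printf '%s\n' "$SAMPLE_LOG" | summarize_drops; }
```

Run `log_policy_drops` after firewall.ini, reproduce the failing SSL login, then pipe `dmesg` into `summarize_drops`. If nothing is logged for port 995, the filter rules are accepting the packets and the next step is watching the flow with tcpdump on the outside interface.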