Jim Van Eeckhoutte
2002-May-22 17:00 UTC
[Shorewall-users] Here I am again (smtp outbound blocked)
I cannot telnet out via port 25. Here is my Shorewall output if it will help. Please tell me what I am doing wrong.

Problem: telnet mail.edgucate.com 25 times out (or any other email servers)

Router setup:
bering rc1
ppp0(dialup verizon)----eth0(internal lan)
using dnscache (which doesn't work) :(
Verizon doesn't block port 25 (called on it)

P.S. All win2k machines are getting web access fine.

Shorewall-1.2.8 Chain at lava - Wed May 22 07:56:27 /etc/localtime 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18 504 rfc1918 all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
18 504 net2fw all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
860 49373 loc2fw all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
161 103K rfc1918 all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
161 103K net2loc all -- ppp0 eth0 0.0.0.0/0 0.0.0.0/0
188 23576 loc2net all -- eth0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
570 46040 fw2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
20 5105 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04
3 553 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
9 2952 DROP all -- * * 0.0.0.0/0 255.255.255.255
18 504 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
8 1600 DROP all -- * * 0.0.0.0/0 192.168.20.255

Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
570 46040 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
832 43772 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
8 496 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
20 5105 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
168 22560 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
20 1016 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
18 504 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
18 504 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
161 103K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.4 state NEW tcp dpt:5361
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.5 state NEW tcp dpt:6891
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop all -- * * 240.0.0.0/4 0.0.0.0/0

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Tom Eastep
2002-May-22 19:33 UTC
[Shorewall-users] Here I am again (smtp outbound blocked)
On Wed, 22 May 2002, Jim Van Eeckhoutte wrote:

> Here they are, before and after txt files
>

Your firewall is passing port 25 just fine so whatever is happening is happening outside of the firewall:

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
2837 252K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 336 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
----------- <--- 7 packets for a total size of 336 bytes were passed from the local zone to the net zone.
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
187 9989 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

-----------------------------------------------------------

Your firewall is waiting for a response from my mail server which clearly is accepting connections on TCP port 25 (proof -- I received your email).

tcp 6 92 SYN_SENT src=192.168.20.5 dst=206.124.146.177 sport=4611 dport=25 [UNREPLIED] src=206.124.146.177 dst=<your ip address> sport=25 dport=4611 use=1

-----------------------------------------------------------

And my firewall saw nothing:

[root@gateway root]# tcpdump -ni eth0 host <your ip address>
tcpdump: listening on eth0

So something outside of your firewall is blocking SMTP. How are you sending emails?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
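The check made in the reply above (did the dpt:25 counter in loc2net rise, and is the connection-tracking entry still SYN_SENT and UNREPLIED) can be scripted. This is an added example, not code from the thread or from Shorewall; the function names are hypothetical, and the sample data is copied from the loc2net listings and the conntrack entry quoted in this thread, treated here as the before and after state.

```python
import re
# Sample data constructed from the listings quoted in this thread (before / after the telnet test).
BEFORE = """Chain loc2net (1 references)
168 22560 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25"""
AFTER = """Chain loc2net (1 references)
2837 252K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 336 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25"""
CONNTRACK = ("tcp 6 92 SYN_SENT src=192.168.20.5 dst=206.124.146.177 sport=4611 dport=25 "
             "[UNREPLIED] src=206.124.146.177 dst=<your ip address> sport=25 dport=4611 use=1")

RULE = re.compile(r"^\s*(\d+[KMG]?)\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+--\s+(.*)$")
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables abbreviates large counters

def to_int(count):
    return int(count[:-1]) * UNITS[count[-1]] if count[-1] in UNITS else int(count)

def rule_counters(listing):
    """Return [(chain, target, proto, match_text, packets)] from `iptables -L -n -v` text."""
    rows, chain = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif chain and (m := RULE.match(line)):
            pkts, target, proto, rest = m.groups()
            rows.append((chain, target, proto, " ".join(rest.split()), to_int(pkts)))
    return rows

def new_syns(before, after, chain, dport):
    """Packets that hit the chain's 'state NEW tcp dpt:<dport>' ACCEPT rule between listings."""
    want = f"state NEW tcp dpt:{dport}"
    def hits(listing):
        return sum(n for c, t, _p, rest, n in rule_counters(listing)
                   if c == chain and t == "ACCEPT" and rest.endswith(want))
    return hits(after) - hits(before)

def unanswered(entry, dport):
    """True if a conntrack entry is an outbound SYN to dport that never got a reply."""
    fields = entry.split()
    cut = fields.index("[UNREPLIED]") if "[UNREPLIED]" in fields else 0
    return "SYN_SENT" in fields and f"dport={dport}" in fields[:cut]

def diagnose(before, after, entry, chain="loc2net", dport=25):
    passed = new_syns(before, after, chain, dport)
    if passed == 0:
        return "no new connection reached the ACCEPT rule: check the rules or the client"
    if unanswered(entry, dport):
        return f"{passed} packet(s) accepted by {chain}, SYN unanswered: look beyond the firewall"
    return f"{passed} packet(s) accepted by {chain} and answered"
```

Calling `diagnose(BEFORE, AFTER, CONNTRACK)` on the thread's data reports 7 accepted packets with an unanswered SYN, which matches the conclusion that the block is outside the firewall.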