[plug] firewall issue

Daniel Pittman daniel at rimspace.net
Tue Dec 9 10:13:46 WST 2008


"Jon Miller" <jlmiller at mmtnetworks.com.au> writes:

> I’m trying to open a port for imap and having a bitch of a time at it.

[...]

> The issue is in the iptables firewall.  I’m having the following rules:
>
> $IPT -A FORWARD -i $INT_IFACE -d 192.168.1.100 -p tcp --dport 143 -j ACCEPT
> $IPT -A FORWARD -i $INT_IFACE -s 192.168.1.100 -p tcp --dport 143 -j ACCEPT

I don't think this rule is doing what you think it is doing: it would
match any packet with a *destination* port of 143 outbound, where you
probably want a *source* port of 143.  (--sport, not --dport)

> I have these 2 rules in, do I need to add more rules in the INPUT and
> OUTPUT chains?

Well, since you have a private IP address in those rules you would, if
you want this working over the Internet, also need to include
appropriate NAT rules.

I /suspect/ that fixing the second IPT command listed will help, but...

Are you really sure you want to write this stuff by hand?  It is almost
certainly going to be easier, safer and more effective for you to use an
existing firewall solution than to build your own from component parts.

I use, and recommend, firehol (http://firehol.sf.net/), but shorewall
also has a good reputation and may be more to your taste.

Using those tools means, for example, that you get stateful packet
inspection for "free", and that you don't have to worry so much about
messing up the rules for communication back from the IMAP server.

(Plus, those two packages add features like a safe mechanism to update
 firewall rules remotely, and other helpful facilities.)

Regards,
        Daniel  
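As an added example (not code from the thread or from firehol/shorewall): the poster's two FORWARD rules rewritten with the --sport fix Daniel describes and a conntrack rule for the return path, plus the DNAT rule needed for the Internet case. The external interface name, the dry-run wrapper and the APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: the two FORWARD rules from the
# post rewritten so the reply path is matched by connection state rather than
# by --dport, plus the NAT rule Daniel mentions.  EXT_IFACE/APPLY are assumed.
EXT_IFACE="${EXT_IFACE:-eth1}"          # assumed Internet-facing interface
IMAP_HOST="${IMAP_HOST:-192.168.1.100}"

# Dry run by default: print each rule instead of installing it.
# APPLY=1 (as root) installs the rules for real.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

imap_forward_rules() {
    # Let any already-established conversation through, in both directions.
    # This is the "stateful inspection for free" that firehol/shorewall give
    # you; with it, no hand-written rule for the server's replies is needed.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections to the IMAP server on port 143.  No -i here: after DNAT
    # an Internet client's packet arrives on the external interface, not the LAN.
    ipt -A FORWARD -d "$IMAP_HOST" -p tcp --dport 143 \
        -m conntrack --ctstate NEW -j ACCEPT
    # The poster's second rule, corrected: replies come *from* port 143,
    # so match --sport, not --dport.  Redundant given the state rule above,
    # but shown to make the fix explicit.
    ipt -A FORWARD -s "$IMAP_HOST" -p tcp --sport 143 -j ACCEPT
}

imap_nat_rules() {
    # Without this, a private address like 192.168.1.100 is unreachable from
    # the Internet no matter what the FORWARD chain says.
    ipt -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dport 143 \
        -j DNAT --to-destination "$IMAP_HOST"
}

# Sanity check for a rule meant to match the server's replies: returns 0 if it
# selects by --sport (correct), 1 if it selects by --dport (the bug in the post).
reply_rule_ok() {
    case "$1" in
        *"-s "*"--sport 143"*) return 0 ;;
        *) return 1 ;;
    esac
}

imap_forward_rules
imap_nat_rules
```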