[plug] firewall issue

Jon Miller jlmiller at mmtnetworks.com.au
Tue Dec 9 10:22:58 WST 2008


Daniel,
I don't mind writing by hand as these servers have been in place for over 8
years and I've always done it that way.  Although I will say that for the next
one I'm building I had plans to look into shorewall or another package.
I'll try to explain what I need this to do.
The clients are using iPhones and want access to their mail via the
Internet.  The mail server is on a NetWare 6.5 server (GroupWise 6.5) which
runs IMAP, POP3 and of course SMTP.  There is a Linux gateway server in
front of the NetWare server running iptables and other security apps; in
front of this is a Cisco router running its firewall.
What I've done is open the IMAP ports on both the Cisco router and the Linux
gateway.  What is supposed to happen is that once the packets get past the
Cisco router (which I know they do), because running tshark on the internal
interface I can see packets hitting the INT_IFACE.  So this may be more of a
forwarding issue.  Do you agree?

J

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf
Of Daniel Pittman
Sent: Tuesday, 9 December 2008 10:14 AM
To: plug at plug.org.au
Subject: Re: [plug] firewall issue

"Jon Miller" <jlmiller at mmtnetworks.com.au> writes:

> I'm trying to open a port for imap and having a bitch of a time at it.

[...]

> The issue is in the iptables firewall.  I'm having the following rules:
>
> $IPT -A FORWARD -i $INT_IFACE -d 192.168.1.100 -p tcp --dport 143 -j ACCEPT
> $IPT -A FORWARD -i $INT_IFACE -s 192.168.1.100 -p tcp --dport 143 -j ACCEPT

I don't think this rule is doing what you think it is doing: it would
match any packet with a *destination* port of 143 outbound, where you
probably want a *source* port of 143.  (--sport, not --dport)

> I have these 2 rules in, do I need to add more rules in the INPUT and
> OUTPUT chains?

Well, since you have a private IP address in those rules you would, if
you want this working over the Internet, also need to include
appropriate NAT rules.

I /suspect/ that fixing the second IPT command listed will help, but...

Are you really sure you want to write this stuff by hand?  It is almost
certainly going to be easier, safer and more effective for you to use an
existing firewall solution than to build your own from component parts.

I use, and recommend, firehol (http://firehol.sf.net/), but shorewall
also has a good reputation and may be more to your taste.

Using those tools means, for example, that you get stateful packet
inspection for "free", and that you don't have to worry so much about
messing up the rules for communication back from the IMAP server.

(Plus, those two packages add features like a safe mechanism to update
 firewall rules remotely, and other helpful facilities.)

Regards,
        Daniel  
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
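The rule set under discussion, worked through as an added example; this is not code from either poster. It assumes eth0 faces the Cisco router, eth1 faces the NetWare server, and the Cisco router already forwards TCP 143 to the gateway's external address (all three are assumptions; the 192.168.1.100 address is the one from the thread). It puts the pair of rules as posted next to two corrected forms, the minimal --sport fix and the stateful form that firehol and shorewall generate, plus a small lint that catches the reply rule keyed on --dport. Without APPLY=1 it only prints the rules, so it can be reviewed anywhere:

```shell
#!/bin/sh
# Added example, not code from the thread.  Generates (and, as root with
# APPLY=1, loads) iptables rules for forwarding IMAP from the Internet to a
# mail server on a private address, next to the rule pair as posted so the
# direction mistake can be checked mechanically.
#
# Assumed names (not in the original mails): eth0 faces the Cisco router,
# eth1 faces the NetWare box, and the Cisco forwards TCP 143 to this host.
set -eu

EXT_IFACE=${EXT_IFACE:-eth0}
INT_IFACE=${INT_IFACE:-eth1}
MAIL_SERVER=${MAIL_SERVER:-192.168.1.100}   # address from the thread
IMAP_PORT=143

# Dry run unless APPLY=1: rules are printed instead of loaded, so the
# script can be reviewed (and linted below) on any machine.
if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

# The FORWARD pair as posted.  The second rule is meant to pass the
# server's replies, but replies from an IMAP server carry 143 as their
# *source* port, so a --dport 143 match never sees them.
posted_rules() {
    $IPT -A FORWARD -i "$INT_IFACE" -d "$MAIL_SERVER" -p tcp --dport "$IMAP_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$INT_IFACE" -s "$MAIL_SERVER" -p tcp --dport "$IMAP_PORT" -j ACCEPT
}

# Connections from the Internet arrive addressed to the gateway's public
# side; DNAT in PREROUTING retargets them to the private server address.
# Conntrack reverses the translation on the replies in POSTROUTING, so
# FORWARD sees the private address in both directions.
dnat_rule() {
    $IPT -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dport "$IMAP_PORT" \
        -j DNAT --to-destination "$MAIL_SERVER:$IMAP_PORT"
}

# Minimal fix: same shape as the posted pair, with the reply rule keyed on
# the source port, and each rule on the interface the packet arrives on.
port_based_rules() {
    dnat_rule
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$INT_IFACE" -d "$MAIL_SERVER" -p tcp \
        --dport "$IMAP_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -s "$MAIL_SERVER" -p tcp \
        --sport "$IMAP_PORT" -j ACCEPT
}

# Stateful form: one rule passes every reply that belongs to a tracked
# connection, and each service then needs only a NEW-connection rule.
# This is the shape the firewall generators mentioned in the thread emit.
stateful_rules() {
    dnat_rule
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$INT_IFACE" -d "$MAIL_SERVER" -p tcp \
        --dport "$IMAP_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Lint for the mistake in the thread: a rule that selects traffic *from*
# the server by destination port.  Reads rules on stdin; returns 1 if one
# is found, 0 if the rule set is clean.
lint_rules() {
    if grep -- "-s $MAIL_SERVER" | grep -q -- '--dport'; then
        return 1
    fi
    return 0
}

if [ "${APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward   # FORWARD is never consulted otherwise
    stateful_rules
else
    echo "# dry run; rules that would be loaded:"
    stateful_rules
fi
```

Run it as `sh imap-forward.sh` to review the output, or `APPLY=1 sh imap-forward.sh` as root to load the stateful set; `posted_rules | lint_rules` exits 1, the two corrected sets pass. This is only the IMAP piece: a complete rule set also needs the gateway's own INPUT and OUTPUT policy, the same treatment for POP3 or SMTP if those are forwarded, and the ip_forward sysctl made persistent.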



