[lug] FW: ipchains incongruity

D. Stimits stimits at idcomm.com
Thu Mar 22 11:56:33 MST 2001


"D. Stimits" wrote:
> 
> I'm not familiar with the icmp rules, so I won't comment on them. I am
...big snip...
> ...
> >
> > ipchains -A output -p icmp -i ppp0 -j icmp-acc
> > ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l

Sorry, I missed this one, it should accept. But do try a copy of this
that explicitly names 199.45.150.249 and the other ip for port 25. At
this point I'm not sure what is going on, other than something must be
denying prior to accept. Also, the log says that rule #6 in the output
chain is guilty. This is the final "blanket" deny, which confirms none of
your accept rules caught the outgoing packet. I wonder if using an
explicit port number would help?

> > ipchains -A output -p tcp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> > ipchains -A output -p udp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> > ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet -j ACCEPT -l
> 
> The failed parts above are all port 25 tcp, smtp stuff. The above rule
> is for telnet port only, so there is no ACCEPT for port 25 (I assume you
> are sending email). Try adding a copy of this rule above, but instead of
> "telnet", name port 25.
> 
> > ipchains -A output -i ppp0 -j DENY -l
> 
> Without a prior rule to accept output other than for port 23 (telnet),
> you have now denied a large number of ports, including port 25.
> 
> >
> > exit
> >
> 
> D. Stimits, stimits at idcomm.com
> 
> PS: denial is a good thing. Even while writing this response, I had
> someone testing my rpc port.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
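The behaviour discussed in this thread (a packet walks the output chain top to bottom, the first matching rule decides, and anything no ACCEPT rule catches falls through to the final DENY) can be checked offline with a small evaluator. The following Python is an added example, not code from this list post or from ipchains itself: it parses the quoted `ipchains -A output ...` commands into rules and reports the 1-based index of the first rule that matches a packet, which is the rule number the log line in the thread refers to. The service-name table, the mail server address 10.0.0.1 and the packet fields are constructed assumptions; real ipchains resolves names via /etc/services.

```python
"""Toy first-match evaluator for ipchains-style output rules (constructed example)."""
import ipaddress
import shlex

# Constructed service table; real ipchains consults /etc/services.
SERVICES = {"smtp": 25, "ssh": 22, "telnet": 23}


def port_number(token):
    """Accept either a service name from the table or an explicit port number."""
    return SERVICES[token] if token in SERVICES else int(token)


def parse_rule(line):
    """Parse one 'ipchains -A <chain> ...' command into a rule dict.

    Only the options used in the thread are modelled: -p, -i, -s, -d
    (with an optional trailing port), -j and -l.  '0/0' means any address.
    """
    toks = shlex.split(line)
    if toks[:2] != ["ipchains", "-A"]:
        raise ValueError("only 'ipchains -A' (append) is modelled")
    rule = {"chain": toks[2], "proto": None, "iface": None,
            "src": None, "sport": None, "dst": None, "dport": None,
            "target": None, "log": False}
    i = 3
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "-i":
            rule["iface"] = toks[i + 1]
            i += 2
        elif t in ("-s", "-d"):
            addr_key, port_key = ("src", "sport") if t == "-s" else ("dst", "dport")
            addr = toks[i + 1]
            rule[addr_key] = None if addr == "0/0" else ipaddress.ip_network(addr, strict=False)
            i += 2
            # A bare word after the address is the port (e.g. '-d 0/0 smtp').
            if i < len(toks) and not toks[i].startswith("-"):
                rule[port_key] = port_number(toks[i])
                i += 1
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t == "-l":
            rule["log"] = True
            i += 1
        else:
            raise ValueError(f"unsupported option {t!r}")
    return rule


def matches(rule, pkt):
    """True if every field the rule constrains agrees with the packet."""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    for addr_key, port_key in (("src", "sport"), ("dst", "dport")):
        if rule[addr_key] is not None and ipaddress.ip_address(pkt[addr_key]) not in rule[addr_key]:
            return False
        if rule[port_key] is not None and rule[port_key] != pkt.get(port_key):
            return False
    return True


def evaluate(chain, pkt):
    """Return (1-based index, target) of the first matching rule, or (None, 'POLICY')."""
    for n, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return n, rule["target"]
    return None, "POLICY"


def build_chain(lines):
    return [parse_rule(line) for line in lines]


# The output chain as quoted in the thread (telnet rule re-joined onto one line).
QUOTED_RULES = [
    "ipchains -A output -p icmp -i ppp0 -j icmp-acc",
    "ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l",
    "ipchains -A output -p tcp -i ppp0 -d 0/0 ssh -j ACCEPT -l",
    "ipchains -A output -p udp -i ppp0 -d 0/0 ssh -j ACCEPT -l",
    "ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet -j ACCEPT -l",
    "ipchains -A output -i ppp0 -j DENY -l",
]
# The same chain with the smtp rule missing, as the thread describes the failing setup.
RULES_WITHOUT_SMTP = QUOTED_RULES[:1] + QUOTED_RULES[2:]

# Constructed outbound mail packet: 10.0.0.1 is an assumed mail server address.
SMTP_PKT = {"proto": "tcp", "iface": "ppp0",
            "src": "199.45.150.249", "dst": "10.0.0.1", "dport": 25}

if __name__ == "__main__":
    print("with smtp rule:   ", evaluate(build_chain(QUOTED_RULES), SMTP_PKT))
    print("without smtp rule:", evaluate(build_chain(RULES_WITHOUT_SMTP), SMTP_PKT))
```

Run stand-alone, the first line reports the accept at rule 2; the second shows the same packet skipping the ssh and telnet rules (wrong port or wrong destination) and landing on the trailing DENY, which is the "blanket deny" diagnosis given above. Writing the port as `25` instead of `smtp` parses to the same rule, so the evaluator cannot tell the two spellings apart; on a real host the difference would only show up if /etc/services lacked the name.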
