[lug] FW: ipchains incongruity

Atkinson, Chip CAtkinson at Circadence.com
Thu Mar 22 12:04:38 MST 2001


My apologies too.  I missed all that you interleaved within the original
message in your reply.  
Yes, I need to have the outgoing telnet so that I can start mail flowing at
my ISP.  I'll later change it to ssh, but I'll tackle that next.  I telnet
in and run sendmail -qRpupman.com to get mail while I'm connected.

Thanks for the explanation about the #6.  I missed that in the docs.  I'll
try an explicit port number on the smtp accept rule tonight.  I bet/hope
that's it.  Everything else seems to work ok so it must be something rather
simple like that.

Chip

> -----Original Message-----
> From: D. Stimits [mailto:stimits at idcomm.com]
> Sent: Thursday, March 22, 2001 11:57 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] FW: ipchains incongruity
> 
> 
> "D. Stimits" wrote:
> > 
> > I'm not familiar with the icmp rules, so I won't comment on them. I am
> ...big snip...
> > ...
> > >
> > > ipchains -A output -p icmp -i ppp0 -j icmp-acc
> > > ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l
> 
> Sorry, I missed this one, it should accept. But do try a copy of this
> that explicitly names 199.45.150.249 and the other ip for port 25. At
> this point I'm not sure what is going on, other than something must be
> denying prior to accept. Also, the log says that rule #6 in the output
> chain is guilty. This is the final "blanket" deny, which confirms none of
> your accept rules caught the outgoing packet. I wonder if using an
> explicit port number would help?
> 
> > > ipchains -A output -p tcp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> > > ipchains -A output -p udp -i ppp0 -d 0/0 ssh  -j ACCEPT -l
> > > ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet -j ACCEPT -l
> > 
> > The failed parts above are all port 25 tcp, smtp stuff. The above rule
> > is for telnet port only, so there is no ACCEPT for port 25 (I assume you
> > are sending email). Try adding a copy of this rule above, but instead of
> > "telnet", name port 25.
> > 
> > > ipchains -A output -i ppp0 -j DENY -l
> > 
> > Without a prior rule to accept output other than for port 23 (telnet),
> > you have now denied a large number of ports, including port 25.
> > 
> > >
> > > exit
> > >
> > 
> > D. Stimits, stimits at idcomm.com
> > 
> > PS: denial is a good thing. Even while writing this response, I had
> > someone testing my rpc port.
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
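Added illustration, not part of the thread: a small first-match walk over the output chain quoted above, written in Python so the "rule #6" in the ipchains log can be read back against the rule order. It assumes that nothing hidden by the "...big snip..." precedes these six rules (the count then lines up with the log's rule #6), that the service names resolve to the usual /etc/services numbers (smtp 25, ssh 22, telnet 23), and that the `icmp-acc` user chain is empty, since its rules are not shown in the thread. Packets are constructed sample values, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port names as used in the quoted rules (assumed /etc/services values).
PORTS = {"smtp": 25, "ssh": 22, "telnet": 23}


@dataclass
class Rule:
    proto: Optional[str]   # None = any protocol
    iface: Optional[str]   # None = any interface
    src: str               # CIDR; 0.0.0.0/0 stands for -s 0/0
    dst: str               # CIDR; 0.0.0.0/0 stands for -d 0/0
    dport: Optional[int]   # None = any destination port
    target: str            # ACCEPT / DENY / REJECT or a user chain name


@dataclass
class Packet:
    proto: str
    iface: str
    src: str
    dst: str
    dport: Optional[int] = None


# The output chain as quoted in the thread, in the order it was appended (-A).
CHAINS = {
    "output": [
        Rule("icmp", "ppp0", "0.0.0.0/0", "0.0.0.0/0", None, "icmp-acc"),            # 1
        Rule("tcp",  "ppp0", "0.0.0.0/0", "0.0.0.0/0", PORTS["smtp"], "ACCEPT"),     # 2
        Rule("tcp",  "ppp0", "0.0.0.0/0", "0.0.0.0/0", PORTS["ssh"], "ACCEPT"),      # 3
        Rule("udp",  "ppp0", "0.0.0.0/0", "0.0.0.0/0", PORTS["ssh"], "ACCEPT"),      # 4
        Rule("tcp",  "ppp0", "199.45.150.249/32", "199.45.150.1/32",
             PORTS["telnet"], "ACCEPT"),                                             # 5
        Rule(None,   "ppp0", "0.0.0.0/0", "0.0.0.0/0", None, "DENY"),                # 6
    ],
    # User chain jumped to by rule 1; its contents are not on the page, so it is
    # left empty here (assumption). A packet that matches nothing in a user chain
    # returns to the calling chain and continues with the next rule.
    "icmp-acc": [],
}

TERMINAL = ("ACCEPT", "DENY", "REJECT")


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every non-wildcard field of the rule matches the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def walk(chain: str, pkt: Packet) -> Optional[Tuple[str, int, str]]:
    """First-match evaluation: return (verdict, rule number, chain) or None if
    the packet falls off the end of the chain."""
    for number, rule in enumerate(CHAINS[chain], start=1):
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, number, chain
        hit = walk(rule.target, pkt)   # jump into a user chain
        if hit is not None:
            return hit
    return None


def evaluate(pkt: Packet) -> Tuple[str, Optional[int], str]:
    """Verdict for an outgoing packet; if no rule matches, the built-in chain's
    policy (not stated on the page) would apply, reported here as "POLICY"."""
    hit = walk("output", pkt)
    return hit if hit is not None else ("POLICY", None, "output")


if __name__ == "__main__":
    # Constructed sample packets, all leaving via ppp0 from the quoted address.
    me = "199.45.150.249"
    for label, pkt in [
        ("smtp to ISP",        Packet("tcp", "ppp0", me, "10.0.0.1", 25)),
        ("http to anywhere",   Packet("tcp", "ppp0", me, "10.0.0.1", 80)),
        ("telnet to gateway",  Packet("tcp", "ppp0", me, "199.45.150.1", 23)),
        ("telnet elsewhere",   Packet("tcp", "ppp0", me, "10.0.0.1", 23)),
    ]:
        verdict, number, chain = evaluate(pkt)
        print(f"{label:18s} -> {verdict} (rule #{number} in {chain})")
```

Running it shows the shape of the problem in the thread: a port 25 packet that matches rule 2 is accepted there, while anything the explicit accepts do not cover (a different port, or telnet to any host other than 199.45.150.1) falls through to rule 6, the blanket DENY, which is exactly the rule number the log names. If a real SMTP packet still lands on rule 6, then some field of rule 2 is not matching it as written, which is why the reply suggests retrying with the explicit port number and addresses.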