[lug] FW: ipchains incongruity
Atkinson, Chip
CAtkinson at Circadence.com
Thu Mar 22 12:04:38 MST 2001
My apologies too. I missed all that you interleaved within the original
message in your reply.
Yes, I need to have the outgoing telnet so that I can start mail flowing at
my ISP. I'll later change it to ssh, but I'll tackle that next. I telnet
in and run sendmail -qRpupman.com to get mail while I'm connected.
Thanks for the explanation about the #6. I missed that in the docs. I'll
try an explicit port number on the smtp accept rule tonight. I bet/hope
that's it. Everything else seems to work ok so it must be something rather
simple like that.
Chip
> -----Original Message-----
> From: D. Stimits [mailto:stimits at idcomm.com]
> Sent: Thursday, March 22, 2001 11:57 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] FW: ipchains incongruity
>
>
> "D. Stimits" wrote:
> >
> > I'm not familiar with the icmp rules, so I won't comment on
> them. I am
> ...big snip...
> > ...
> > >
> > > ipchains -A output -p icmp -i ppp0 -j icmp-acc
> > > ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l
>
> Sorry, I missed this one, it should accept. But do try a copy of this
> that explicitly names 199.45.150.249 and the other ip for port 25. At
> this point I'm not sure what is going on, other than something must be
> denying prior to accept. Also, the log says that rule #6 in the output
> chain is guilty. This is the final "blanket" deny, which confirms none of
> your accept rules caught the outgoing packet. I wonder if using an
> explicit port number would help?
>
> > > ipchains -A output -p tcp -i ppp0 -d 0/0 ssh -j ACCEPT -l
> > > ipchains -A output -p udp -i ppp0 -d 0/0 ssh -j ACCEPT -l
> > > ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d
> 199.45.150.1 telnet
> > > -j ACCEPT -l
> >
> > The failed parts above are all port 25 tcp, smtp stuff. The
> above rule
> > is for telnet port only, so there is no ACCEPT for port 25
> (I assume you
> > are sending email). Try adding a copy of this rule above,
> but instead of
> > "telnet", name port 25.
> >
> > > ipchains -A output -i ppp0 -j DENY -l
> >
> > Without a prior rule to accept output other than for port
> 23 (telnet),
> > you have now denied a large number of ports, including port 25.
> >
> > >
> > > exit
> > >
> >
> > D. Stimits, stimits at idcomm.com
> >
> > PS: denial is a good thing. Even while writing this response, I had
> > someone testing my rpc port.
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
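The thread turns on which rule number the kernel log reported (#6, the final blanket DENY) and on whether any ACCEPT rule above it could have matched the outgoing port 25 packet. The following is an added example, not code from the list thread: a small first-match model of an ipchains chain that parses the six output-chain rules quoted above (rejoined onto single lines) and reports which rule number a constructed packet would hit. It assumes a hand-written subset of /etc/services, a chain policy of ACCEPT (the script in the thread shows no -P), and simplified matching (no fragments, no -y/SYN flag, no port ranges, and a user chain such as icmp-acc is reported as the target rather than followed).

```python
"""Added example: offline first-match check of an ipchains output chain."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed subset of /etc/services, enough for the names used in the thread.
SERVICES = {"smtp": 25, "ssh": 22, "telnet": 23}


def port_number(tok: str) -> int:
    """Resolve a service name or numeric port the way ipchains does via /etc/services."""
    return int(tok) if tok.isdigit() else SERVICES[tok]


def to_net(spec: str) -> IPv4Network:
    """Accept ipchains shorthand such as 0/0 as well as a full a.b.c.d/len."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


@dataclass
class Rule:
    chain: str
    target: str = ""              # ACCEPT, DENY, REJECT or a user chain such as icmp-acc
    proto: Optional[str] = None   # -p; None matches any protocol
    iface: Optional[str] = None   # -i; None matches any interface
    src: IPv4Network = field(default_factory=lambda: to_net("0/0"))
    dst: IPv4Network = field(default_factory=lambda: to_net("0/0"))
    sport: Optional[int] = None   # port after -s, if any
    dport: Optional[int] = None   # port after -d, if any
    log: bool = False             # -l


@dataclass
class Packet:
    proto: str
    iface: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_rule(cmd: str) -> Rule:
    """Parse one 'ipchains -A <chain> ...' line into a Rule (options used in the thread only)."""
    toks = cmd.split()
    if toks[:2] != ["ipchains", "-A"]:
        raise ValueError("only 'ipchains -A <chain> ...' lines are modelled")
    rule = Rule(chain=toks[2])
    i = 3
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule.proto, i = toks[i + 1], i + 2
        elif t == "-i":
            rule.iface, i = toks[i + 1], i + 2
        elif t == "-j":
            rule.target, i = toks[i + 1], i + 2
        elif t == "-l":
            rule.log, i = True, i + 1
        elif t in ("-s", "-d"):
            net, i = to_net(toks[i + 1]), i + 2
            prt = None
            # An optional port (name or number) may follow the address.
            if i < len(toks) and not toks[i].startswith("-"):
                prt, i = port_number(toks[i]), i + 1
            if t == "-s":
                rule.src, rule.sport = net, prt
            else:
                rule.dst, rule.dport = net, prt
        else:
            raise ValueError(f"unsupported option {t!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified criterion must match; unspecified ones match anything."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[Optional[int], str, bool]:
    """Return (rule number, target, logged) for the first rule that matches, or
    (None, policy, False) when the packet falls through to the chain policy.
    Rules are numbered from 1, the same numbering the thread's log line (#6) used."""
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return n, rule.target, rule.log
    return None, policy, False


# The output-chain rules quoted in the thread, rejoined onto single lines.
OUTPUT_RULES = [parse_rule(line) for line in """
ipchains -A output -p icmp -i ppp0 -j icmp-acc
ipchains -A output -p tcp -i ppp0 -s 0/0 -d 0/0 smtp -j ACCEPT -l
ipchains -A output -p tcp -i ppp0 -d 0/0 ssh -j ACCEPT -l
ipchains -A output -p udp -i ppp0 -d 0/0 ssh -j ACCEPT -l
ipchains -A output -p tcp -i ppp0 -s 199.45.150.249 -d 199.45.150.1 telnet -j ACCEPT -l
ipchains -A output -i ppp0 -j DENY -l
""".strip().splitlines()]

if __name__ == "__main__":
    # Constructed packets: outgoing SMTP, outgoing HTTP, telnet from the wrong source.
    for pkt in (Packet("tcp", "ppp0", "199.45.150.249", "199.45.150.1", dport=25),
                Packet("tcp", "ppp0", "199.45.150.249", "10.1.2.3", dport=80),
                Packet("tcp", "ppp0", "10.0.0.5", "199.45.150.1", dport=23)):
        print(pkt, "->", first_match(OUTPUT_RULES, pkt))
```

Run as written, the outgoing port 25 packet reports rule 2 (ACCEPT), so under this model a log entry blaming rule #6 means the real packet differed from the model in some criterion the rule checks (protocol, interface, destination port); the HTTP and wrong-source telnet packets show the expected fall-through to rule 6, DENY, logged.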