Iptables settings - Email problem

cyberbootje (Verified User, joined Jun 16, 2007, 17 messages)
Hi

I recently re-installed DirectAdmin on Debian 3.1 (I did an upgrade to 4.0, no problems so far). I am setting up some iptables rules to manage my firewall, and since then I can't send or receive emails.

If I flush the rules, all mails in the queue are sent. On some forum I read that I have to include this rule:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This does not work for me because this line will open up all the ports, and that is NOT what I need. I only want to open ports like FTP, HTTP and email, nothing more. So I really need specific ports to open up. I did a search and came up with ports 143, 996, 2525 and so on; I even opened up ports from 5000 to 8000 as extra and still nothing. If I flush the rules again or insert the line mentioned above, it does work fine.

So if someone uses directadmin with a firewall please tell me which ports to open up.

thx
 
Why don't you try APF? I think it's easier to manage ports and stuff through APF or KISS. These two provide a kind of interface to manage iptables for people like me who are not experts in iptables configs.
 
Actually, I'm not planning on giving it up and installing another program; it just has to work. I only need the correct port numbers for email.
Everything else is working fine except the email. If someone can tell me which ports are open, it would be great.

If you use APF, it creates tables for you, right? Then would you please do an iptables -L and only give me some port numbers related to email.

Thx

edit: wrong iptables option, sorry
 
My guess is that most of us use either KISS or APF, and that's why you didn't get any responses yet.

For email you need to open these ports, inbound and outbound:

25 smtp
110 pop3
143 imap
587 submission

Jeff
 
jlasman :) you're too quick ... with responses ... :) I was just about to write the same thing :)
 
I opened up those ports, even in and out, TCP and UDP, and a whole lot more ports, but nothing...
 
only want to open ports like ftp, http and email nothing more.

So here is the code:

#!/bin/bash

# Load the FTP connection-tracking helper (needed so FTP data connections
# are recognised as RELATED to the control connection).
modprobe ip_conntrack_ftp

echo "Iptables: flush ... "
/sbin/iptables -F
echo "Iptables: Delete user rules ... "
/sbin/iptables -X

echo "Iptables: Default policy INPUT/FORWARD = Drop ... "
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

echo "Iptables: Rules in ... "
# Accept only packets that belong to connections already established
# (or related to them, e.g. FTP data); new inbound connections still hit the DROP policy.
/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# HTTP 80
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT

# HTTPS 443
/sbin/iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT

# FTP ACTIVE AND PASSIVE MODE
/sbin/iptables -A INPUT -p tcp --syn --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# SMTP 25 & 587
/sbin/iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --dport 587 -j ACCEPT

# POP AND IMAP (NON SSL)
/sbin/iptables -A INPUT -p tcp --syn --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --dport 143 -j ACCEPT

# LOCAL ADAPTER CONNECTIONS (inserted at the top of the chain so loopback is always allowed)
/sbin/iptables -I INPUT -i lo -p tcp -j ACCEPT
/sbin/iptables -I INPUT -i lo -p udp -j ACCEPT

It is also good to open the DA console ports and so on (e.g. ssh too, if needed). If not, this will lock up the machine, and you will need to reconfigure it from the real console.
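Why the ESTABLISHED,RELATED rule is needed for outbound mail, and why it does not open every port, as an added example that is not code from this thread: a small Python model of the script's INPUT chain (DROP policy, state rule, --syn accepts for the service ports) with constructed addresses.

```python
# Toy model of the stateful INPUT chain in the script above (constructed example,
# not the thread's code). It shows that the state rule only admits replies to
# connections this host started; a brand-new inbound connection to port 5000 is
# still dropped, while a new connection to SMTP port 25 is accepted by --syn.
SERVICE_PORTS = {25, 587, 110, 143, 80, 443, 21}


class StatefulFirewall:
    def __init__(self, allow_established=True):
        self.allow_established = allow_established
        self.conntrack = set()  # flows known to the connection tracker

    @staticmethod
    def _key(src, sport, dst, dport):
        # Direction-independent key so a reply matches the original flow.
        return frozenset([(src, sport), (dst, dport)])

    def output(self, src, sport, dst, dport):
        # OUTPUT policy is ACCEPT in the script; conntrack records the flow.
        self.conntrack.add(self._key(src, sport, dst, dport))
        return "ACCEPT"

    def input(self, src, sport, dst, dport, syn):
        key = self._key(src, sport, dst, dport)
        # Rule: -m state --state ESTABLISHED,RELATED -j ACCEPT
        if self.allow_established and key in self.conntrack:
            return "ACCEPT"
        # Rules: -p tcp --syn --dport <service> -j ACCEPT (pure SYN only)
        if syn and dport in SERVICE_PORTS:
            self.conntrack.add(key)
            return "ACCEPT"
        return "DROP"  # -P INPUT DROP


def outbound_smtp_delivery(allow_established):
    """Host sends mail to a remote MX: our SYN goes out, the SYN/ACK comes back.
    The SYN/ACK is not a pure SYN, so --syn never matches it; only the state
    rule can let it in."""
    fw = StatefulFirewall(allow_established)
    fw.output("203.0.113.10", 40000, "198.51.100.25", 25)
    return fw.input("198.51.100.25", 25, "203.0.113.10", 40000, syn=False)


def unsolicited_connection(allow_established, port):
    """Remote host opens a brand-new connection to a local port."""
    fw = StatefulFirewall(allow_established)
    return fw.input("198.51.100.7", 51515, "203.0.113.10", port, syn=True)
```

Without the state rule the SYN/ACK from the remote mail server is dropped, which is exactly the symptom of mail stuck in the queue until the rules are flushed.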
 
How can I use that script to set up iptables too?

I would like to accept 6667 and 7000 connections too.

Could you help me too?

thanks
 
Should not be difficult, just 2 more lines to open incoming (if TCP) traffic on those ports:

/sbin/iptables -A INPUT -p tcp --syn --dport 6667 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --dport 7000 -j ACCEPT
 