[afnog] mail server
Hyeroba Peter
phyeroba at cfi.co.ug
Tue Dec 16 12:28:20 UTC 2008
Hi guys, again my apologies for the scarcity of info. Below is my
iptables -L -n output.
========================================================================
mail:~ # iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
input_int  all  --  0.0.0.0/0            0.0.0.0/0
input_ext  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
forward_int  all  --  0.0.0.0/0            0.0.0.0/0
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
LOG        all  --  192.168.200.0/24     192.168.0.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
ACCEPT     all  --  192.168.200.0/24     192.168.0.0/24       state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       192.168.200.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
LOG        all  --  192.168.200.0/24     192.168.0.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
ACCEPT     all  --  192.168.200.0/24     192.168.0.0/24       state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       192.168.200.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
LOG        all  --  192.168.200.0/24     0.0.0.0/0            limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-ACC-TRUST '
ACCEPT     all  --  192.168.200.0/24     0.0.0.0/0            state NEW,RELATED,ESTABLISHED
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:110 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
LOG        tcp  --  192.168.200.0/24     0.0.0.0/0            tcp dpt:80 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
ACCEPT     tcp  --  192.168.200.0/24     0.0.0.0/0            tcp dpt:80
LOG        tcp  --  192.168.200.0/24     0.0.0.0/0            tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
ACCEPT     tcp  --  192.168.200.0/24     0.0.0.0/0            tcp dpt:22
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain input_int (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable
=======================================================================
Hyeroba W. Peter
Computer Frontiers International limited;
Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
Cell-phone: +256 78 247 9192;
Website: www.cfi.co.ug
-----Original Message-----
From: Noah Sematimba [mailto:ksemat at psg.com]
Sent: Tuesday, December 16, 2008 12:42 PM
To: Hyeroba Peter
Cc: 'Stephane Bortzmeyer'; afnog at afnog.org
Subject: Re: [afnog] mail server
Despite the scarcity of information from your side, I would suspect
that the problem is that you're automatically redirecting all your web
requests to squid, including those meant to connect to the local server
itself. You need to put an exception to the redirect rule for the
local server.
Please post the output of
iptables -L -n
and the contents of /etc/sysconfig/SuSEfirewall2
cheers,
Noah.
On Dec 16, 2008, at 11:45 AM, Hyeroba Peter wrote:
> Sorry about the very vague initial post,
>
> If I run telnet 192.168.200.1 80 it actually connects
> If I access my webmail from the 192.168.0.1 interface, I can do so
> properly.
>
> The 192.168.200.1 and 192.168.0.1 are the internal and external
> interfaces respectively in relation to my firewall.
>
> So if I tell someone outside my network to access my webmail, they
> do so perfectly well. But if I try to do so on my LAN, I cannot.
>
>
> -----Original Message-----
> From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
> Sent: Tuesday, December 16, 2008 11:12 AM
> To: Hyeroba Peter
> Cc: afnog at afnog.org
> Subject: Re: mail server
>
> On Tue, Dec 16, 2008 at 10:01:36AM +0300,
> Hyeroba Peter <phyeroba at cfi.co.ug> wrote
> a message of 21 lines which said:
>
>> I have a mail server that also doubles as a firewall; it's a SUSE
>> Enterprise server. The problem is I can access the OpenWebMail off
>> the internet but cannot access it over the local network.
>
> As always, "cannot" is not a proper error message.
>
> 1) What command did you type?
> 2) What result did you get?
>
> Example: "I type telnet mywebmail.example 80 and I get 'Connection
> foobared at 192.0.2.1'"
>
> Remember that graphical behemoths like Firefox (and, worse, IE) are
> very poor debugging tools.
>
> Typical tools to debug system and network administration problems:
>
> - telnet (you can give a port number after the host name to test
> various services)
>
> - ping (to check IP routing)
>
> - the log of the server (if the connection was refused by the server,
> if the firewall is Linux Netfilter, dmesg - if the target is LOG -
> or 'iptables -v -L CHAINNAME' may help)
>
> ...
>
>
> _______________________________________________
> afnog mailing list
> http://afnog.org/mailman/listinfo/afnog
>
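Noah's diagnosis above, worked through as an added example that is not code from the thread: a first-match walk of a constructed nat PREROUTING chain (the table a plain iptables -L -n does not show), with the blanket squid redirect beside the same chain carrying an exception for the local server placed ahead of it. 192.168.200.1 is the firewall's internal address from the thread; the squid port 3128, the interface name eth1 and the client destinations are assumptions.

```python
import ipaddress

SERVER_LAN_IP = "192.168.200.1"  # firewall's internal interface, from the thread
LAN_IF = "eth1"                  # assumed name of that interface
SQUID_PORT = 3128                # assumed squid listening port

def matches(rule, pkt):
    """A rule matches when every criterion it names agrees with the packet."""
    for key in ("in", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    return True

def walk_chain(chain, pkt):
    """First match wins: returns (verdict, destination port after NAT). RETURN leaves
    the chain with the packet untouched, REDIRECT rewrites the port, no match = policy ACCEPT."""
    for rule in chain:
        if matches(rule, pkt):
            if rule["target"] == "REDIRECT":
                return ("REDIRECT", rule["to_port"])
            return ("ACCEPT", pkt["dport"])
    return ("ACCEPT", pkt["dport"])

def to_iptables(rule):
    """Render one rule as the command that would append it to nat PREROUTING."""
    cmd = ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", rule["in"], "-p", rule["proto"]]
    if "dst" in rule:
        cmd += ["-d", rule["dst"]]
    cmd += ["--dport", str(rule["dport"]), "-j", rule["target"]]
    if rule["target"] == "REDIRECT":
        cmd += ["--to-ports", str(rule["to_port"])]
    return " ".join(cmd)

# Before: the blanket redirect Noah suspects; it also catches traffic for the webmail host itself.
BROKEN_CHAIN = [{"in": LAN_IF, "proto": "tcp", "dport": 80, "target": "REDIRECT", "to_port": SQUID_PORT}]
# After: an exception for the local server placed *ahead of* the redirect (order is what matters).
FIXED_CHAIN = [
    {"in": LAN_IF, "proto": "tcp", "dport": 80, "dst": SERVER_LAN_IP, "target": "RETURN"},
    {"in": LAN_IF, "proto": "tcp", "dport": 80, "target": "REDIRECT", "to_port": SQUID_PORT},
]
def lan_to_webmail():   # constructed packet: LAN client -> firewall's own port 80
    return {"in": LAN_IF, "proto": "tcp", "dst": SERVER_LAN_IP, "dport": 80}
def lan_to_internet():  # constructed packet: LAN client -> an outside web server
    return {"in": LAN_IF, "proto": "tcp", "dst": "198.51.100.10", "dport": 80}

if __name__ == "__main__":
    for chain in (BROKEN_CHAIN, FIXED_CHAIN):
        print([to_iptables(r) for r in chain], "webmail ->", walk_chain(chain, lan_to_webmail()))
```

The broken chain sends the LAN-to-webmail connection to squid, which then tries to fetch the page on the client's behalf; the fixed chain passes it straight to the local web server while outside destinations still go through the proxy.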