[afnog] mail server

Noah Sematimba ksemat at psg.com
Tue Dec 16 12:52:05 UTC 2008


and /etc/sysconfig/SuSEfirewall2 ?

Noah.
On Dec 16, 2008, at 3:28 PM, Hyeroba Peter wrote:

> Hi guys, again my apologies for the scarcity of info. Below is my
> iptables -L -n output.
>
> ======================================================================
> mail:~ # iptables -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> input_int  all  --  0.0.0.0/0            0.0.0.0/0
> input_ext  all  --  0.0.0.0/0            0.0.0.0/0
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> forward_int  all  --  0.0.0.0/0            0.0.0.0/0
> forward_ext  all  --  0.0.0.0/0            0.0.0.0/0
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '
>
> Chain forward_ext (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
> LOG        all  --  192.168.200.0/24     192.168.0.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
> ACCEPT     all  --  192.168.200.0/24     192.168.0.0/24      state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/24       192.168.200.0/24    state RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain forward_int (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
> LOG        all  --  192.168.200.0/24     192.168.0.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
> ACCEPT     all  --  192.168.200.0/24     192.168.0.0/24      state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/24       192.168.200.0/24    state RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain input_ext (1 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
> LOG        all  --  192.168.200.0/24     0.0.0.0/0           limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-ACC-TRUST '
> ACCEPT     all  --  192.168.200.0/24     0.0.0.0/0           state NEW,RELATED,ESTABLISHED
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:110 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> LOG        tcp  --  192.168.200.0/24     0.0.0.0/0           tcp dpt:80 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
> ACCEPT     tcp  --  192.168.200.0/24     0.0.0.0/0           tcp dpt:80
> LOG        tcp  --  192.168.200.0/24     0.0.0.0/0           tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
> ACCEPT     tcp  --  192.168.200.0/24     0.0.0.0/0           tcp dpt:22
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain input_int (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain reject_func (0 references)
> target     prot opt source               destination
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable
>
> ======================================================================
>
>
> Hyeroba W. Peter
> Computer Frontiers International limited;
> Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
> Cell-phone: +256 78 247 9192;
> Website: www.cfi.co.ug
>
>
> -----Original Message-----
> From: Noah Sematimba [mailto:ksemat at psg.com]
> Sent: Tuesday, December 16, 2008 12:42 PM
> To: Hyeroba Peter
> Cc: 'Stephane Bortzmeyer'; afnog at afnog.org
> Subject: Re: [afnog] mail server
>
>
> Despite the scarcity of information from your side I would suspect
> that the problem is that you're automatically redirecting all your web
> requests to squid including those meant to connect to the local server
> itself. You need to put an exception to the redirect rule for the
> local server.
>
> Please post the output of
> iptables -L -n
>
> and the contents of /etc/sysconfig/SuSEfirewall2
>
> cheers,
>
> Noah.
> On Dec 16, 2008, at 11:45 AM, Hyeroba Peter wrote:
>
>> Sorry about the very vague initial post,
>>
>> If I run telnet 192.168.200.1 80 it actually connects
>> If I access my webmail from the 192.168.0.1 interface, I can do so
>> properly.
>>
>> The 192.168.200.1 and 192.168.0.1 are the internal and external
>> interfaces respectively in relation to my firewall.
>>
>> So if I tell someone outside my network to access my webmail, they
>> do so perfectly well. But if I try to do so on my LAN, I cannot.
>>
>>
>> Hyeroba W. Peter
>> Computer Frontiers International limited;
>> Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
>> Cell-phone: +256 78 247 9192;
>> Website: www.cfi.co.ug
>>
>>
>> -----Original Message-----
>> From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
>> Sent: Tuesday, December 16, 2008 11:12 AM
>> To: Hyeroba Peter
>> Cc: afnog at afnog.org
>> Subject: Re: mail server
>>
>> On Tue, Dec 16, 2008 at 10:01:36AM +0300,
>> Hyeroba Peter <phyeroba at cfi.co.ug> wrote
>> a message of 21 lines which said:
>>
>>> I have a mail server that also doubles as a firewall; it's a SUSE
>>> enterprise server. The problem is I can access the openwebmail off
>>> the internet but cannot access it over the local network.
>>
>> As always, "cannot" is not a proper error message.
>>
>> 1) What command did you type?
>> 2) What result did you get?
>>
>> Example: "I type telnet mywebmail.example 80 and I get 'Connection
>> foobared at 192.0.2.1'"
>>
>> Remember that graphical behemoths like Firefox (and, worse, IE) are
>> very poor debugging tools.
>>
>> Typical tools to debug system and network administration problems:
>>
>> - telnet (you can give a port number after the host name to test
>> various services)
>>
>> - ping (to check IP routing)
>>
>> - the log of the server (if the connection was refused by the server,
>> if the firewall is Linux Netfilter, dmesg - if the target is LOG -
>> or 'iptables -v -L CHAINNAME' may help)
>>
>> ...
>>
>>
>> _______________________________________________
>> afnog mailing list
>> http://afnog.org/mailman/listinfo/afnog
>>
>
>
>
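Noah's diagnosis points at a transparent squid REDIRECT catching the LAN's requests for the server's own port 80; that rule lives in the nat table, which `iptables -L -n` does not show (only `iptables -t nat -L -n` does). The script below is an added example, not from anyone in the thread: it builds the nat PREROUTING rules with the local-server exception placed before the catch-all REDIRECT, and includes a check that a rule listing has the exception first. The interface eth1, the 192.168.200.0/24 LAN, 192.168.200.1 as the server's LAN address and squid on port 3128 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): transparent-proxy REDIRECT with an
# exception for the mail/webmail host itself, as suggested in the reply above.
# Assumed (hypothetical) values; override them in the environment as needed.
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.200.0/24}
SELF_IP=${SELF_IP:-192.168.200.1}
SQUID_PORT=${SQUID_PORT:-3128}

# DRY_RUN=1 prints the iptables commands instead of running them, so the rule
# order can be reviewed (and tested) on a box without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Appends the PREROUTING rules in the order they must be evaluated: the RETURN
# exception for the local server first, the catch-all REDIRECT to squid last.
# Anything matched by the RETURN leaves the chain and is never redirected.
transparent_proxy_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -d "$SELF_IP" -j RETURN
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -s "$LAN_NET" \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Reads a rule listing on stdin (output of `iptables -t nat -S PREROUTING`, or
# of DRY_RUN above) and returns 0 only when the RETURN for SELF_IP appears
# before the REDIRECT; a REDIRECT listed first would still swallow the request.
exception_precedes_redirect() {
    awk -v self="$SELF_IP" '
        /-j RETURN/ && index($0, "-d " self) { ret = NR }
        /-j REDIRECT/                         { red = NR }
        END { exit !(ret && red && ret < red) }'
}

# Usage: DRY_RUN=1 sh redirect-exception.sh to review the rules;
#        run it as root without DRY_RUN to apply them.
```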
