On Sun, Apr 14, 2002 at 12:28:16PM +0200, Lars Roland Kristiansen wrote:
> When using the following rules
>
> -----------------------------------------------------------------------------
> iptables -P INPUT ACCEPT
>
> iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 25,110,22 -i eth0 -j ACCEPT
> -----------------------------------------------------------------------------
>
> I get this output from iptables -vL.

Looks like you've appended the same rules multiple times. Use iptables -F to
flush all the rules from all chains, then run your "firewall script" or
whatever you've cooked up :)

Also, this is only the filter table. If you have any rules in the NAT table
(contains the PREROUTING, POSTROUTING and OUTPUT chains), they could be having
an effect.

> -----------------------------------------------------------------------------
> Chain INPUT (policy ACCEPT 1 packets, 102 bytes)
>  pkts bytes target  prot opt in    out  source    destination
>     0     0 REJECT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:auth reject-with icmp-port-unreachable
>     0     0 REJECT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:auth reject-with icmp-port-unreachable
>     0     0 REJECT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:auth reject-with icmp-port-unreachable
>    12   488 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>  1027 85784 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:pop3
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
>     0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:smtp
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target  prot opt in    out  source    destination
>
> Chain OUTPUT (policy ACCEPT 10804 packets, 584K bytes)
>  pkts bytes target  prot opt in    out  source    destination
> -----------------------------------------------------------------------------
>
> And now I can't telnet to port 25 from another machine, but I can from the
> local one. Like this:
>
> ---------------------------------------------------
> localmachine$ telnet 192.168.2.2 25
> Trying 192.168.2.2...
> Connected to 192.168.2.2.
> Escape character is '^]'.
> 220 xxx.yyy.zzz.com ESMTP Postfix (Debian/GNU)
> ---------------------------------------------------
>
> ---------------------------------------------------
> remotemachine$ telnet xxx.yyy.zzz.com 25
> 421 xxx.yyy.zzz.com Sorry, unable to contact destination SMTP daemon.
> ---------------------------------------------------

Have you used tcpdump while you tried this? I bet it's waiting for an ident
(aka auth) request, since you reject the auth port with ICMP port-unreachable,
not TCP reset. As Laurent mentioned, this web site
<http://logi.cc/linux/reject_or_deny.php3> explains this issue.

(Note that your firewall is blocking the establishment of your outgoing
connections because you haven't used
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
or similar.)

Also note that all your policies were ACCEPT, so in fact the _only_ thing your
firewall is doing is preventing your mail server from working.

> If I issue the command "/etc/init.d/iptables clear", which sets all policies
> to ACCEPT, I get the following output from iptables -vL.
>
> ---------------------------------------------------------
> Chain INPUT (policy ACCEPT 6 packets, 384 bytes)
>  pkts bytes target  prot opt in    out  source    destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target  prot opt in    out  source    destination
>
> Chain OUTPUT (policy ACCEPT 3 packets, 360 bytes)
>  pkts bytes target  prot opt in    out  source    destination
> ----------------------------------------------------------
>
> And now I can telnet to port 25 from another machine. An important note
> is that this problem is only with port 25; I can telnet to ports 110 and 22
> all the time.
>
> Can anyone please enlighten me on this problem, as it is a bit weird.
>
> Thanks for all the input and the help.

Hope this helps, and I hope I didn't make any mistakes, because I'm just
getting my feet wet with iptables. Someone please correct any mistakes :)

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack my day
 so wretchedly into small pieces!" -- Plautus, 200 BCE
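As an added example (it is not from the thread, and not Peter's or Lars's code), here is a small POSIX shell script that automates the two checks Peter's reply makes against the listing above: it finds rules that occur more than once in a chain, ignoring the packet and byte counters that make otherwise identical rules look different, and it counts ident rejections that use icmp-port-unreachable. It also wraps the poster's rules in a function that flushes INPUT before re-adding them, with the ESTABLISHED,RELATED rule the reply recommends and the auth port refused with a TCP reset. The sample listing embedded in the script is constructed; the function names, the use of port 113 for ident, and the `--dports` spelling of the multiport option are my choices, not something taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint an `iptables -vL` listing for the
# two problems discussed in the reply (the same rule appended many times, and
# the ident/auth port rejected with an ICMP error instead of a TCP reset), and
# show a re-runnable way to load the poster's rules. Works with sh or bash.

# Constructed sample listing in the shape of the poster's output. The first
# two columns are packet and byte counters, which differ between rules that
# are otherwise identical, so they must be ignored when comparing rules.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 1 packets, 102 bytes)
 pkts bytes target prot opt in   out source   destination
    0     0 REJECT tcp  --  eth0 any anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
    0     0 REJECT tcp  --  eth0 any anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
   12   488 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:pop3
 1027 85784 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:ssh
    0     0 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:smtp
    0     0 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:pop3
    0     0 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source   destination
'

# duplicate_rules: read a listing on stdin, drop the counter columns and
# collapse whitespace, then print "<count> <chain> <rule>" for every rule
# that occurs more than once within its chain, sorted.
duplicate_rules() {
    awk '
        /^Chain /                  { chain = $2; next }
        /^ *pkts +bytes/ || /^ *$/ { next }
        {
            $1 = ""; $2 = ""        # blank out pkts and bytes
            sub(/^ +/, "")          # $0 was rebuilt with single spaces
            seen[chain " " $0]++
        }
        END {
            for (k in seen) if (seen[k] > 1) print seen[k] " " k
        }
    ' | sort
}

# auth_icmp_rejects: count rules that answer ident (TCP port 113, "auth")
# with icmp-port-unreachable. The reply's point is that a remote mail server
# probing ident may not treat that as a refusal and instead waits out its
# ident timeout; a TCP reset refuses the probe unambiguously.
auth_icmp_rejects() {
    awk '/dpt:auth/ && /icmp-port-unreachable/ { n++ } END { print n + 0 }'
}

# load_rules: the reply's fix as a re-runnable script. Flushing INPUT first
# means running it ten times leaves one copy of each rule, not ten; the
# state rule lets replies to this host's own connections back in; ident is
# refused with a TCP reset. Only defined here (needs root and a real host).
# With the policy still ACCEPT, as in the thread, the ACCEPT rules change
# nothing by themselves; they only matter once the policy is DROP.
load_rules() {
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m multiport --dports 25,110,22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# Stand-alone run: lint the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | duplicate_rules
printf 'auth rejects via ICMP: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | auth_icmp_rejects)"
```

On a live host, `iptables -vL | duplicate_rules` answers the first question in the reply ("have you appended the same rules several times?") without reading 33 near-identical lines by eye; an empty result after running `load_rules` twice confirms the script is idempotent.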