
Thread: Which ports depend to access gmail (SMTP and IMAP)

  1. #1
    Join Date
    Jul 2009
    Posts
    122

    Which ports depend to access gmail (SMTP and IMAP)

    I get to use and administer servers of all kinds, and I particularly like the networking side. I have a question:

    On a groupware server (Group-Office) running on a LAMP stack, I set up a Gmail account, which works perfectly.

    But when I apply my iptables script to secure the server, I can no longer access my Gmail IMAP folder tree or send e-mail; in short, SMTP and IMAP are blocked. I flush the rules, reload my page, and presto, mail access is restored.

    I should say that I have tested this script; many other services depend on these rules, so there is no syntax problem. I have of course allowed ports 465 and 993 (Google's SMTP and IMAP), but nothing works.

    Example:
    Code:
    To show the usual syntax I use:

    when I want to allow remote access to my server, I write the rule:

    iptables -t filter -A INPUT -p tcp --dport $PORTSSH -j ACCEPT

    when I allow outgoing mail for Postfix:

    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT

    Here is the part of the syntax for the mail ports:


    # Mail
    # iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    echo "- Allow outgoing SMTP server: [OK]"

    # Mail SMTP: 465
    # (both lines are INPUT rules; neither allows a NEW outgoing connection)
    iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT

    # Mail IMAP: 143
    # iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT

    # Mail IMAPS: 993
    # (same pattern: two INPUT rules, no OUTPUT rule)
    iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
    My question is: which ports actually need to be open to access Gmail (SMTP and IMAP)? Even in the example above, where I opened the two protocols for access in and out, those ports stay blocked.

  2. #2
    Join Date
    May 2008
    Posts
    991

    Re: Which ports depend to access gmail (SMTP and IMAP)

    Which Linux distribution are you using? Is there a dedicated firewall? Have you considered a rule generator such as Shorewall? This script cannot work.

    First, I think there is a misunderstanding: Netfilter/iptables tracks the "state" of sessions, which greatly simplifies writing scripts: you accept packets that belong to an already established session (state ESTABLISHED or RELATED), and then you only write rules for the opening of a session (state NEW).

    Illustration: OUTPUT + -p tcp --dport 143: that cannot work!

    We write something like this instead:
    Code:
    # Return packets
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # IMAP
    iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
    Secondly, there are many more things to set up. It is much easier to use a script generator; I recommend Shorewall, which is quite powerful while remaining simple (once you understand it).

  3. #3
    Join Date
    Jul 2009
    Posts
    122

    Re: Which ports depend to access gmail (SMTP and IMAP)

    So it is a GNU/Linux server, Debian 5.0 (Etch), up to date; the firewall is the one built into the kernel (netfilter), and I "use no software to configure it" (just an iptables configuration).

    For the examples I did not post my whole script, just the mail part. My script is dirty, I admit, but it works for my other services (for example, monit on port 9475 is actually reachable or unreachable depending on whether I run the script).

    I'll look into what you're talking about (firewall generator, etc.); thanks for the info.

    I'll post my full script here, which works.

    So here is my iptables.up.rules, launched from the root prompt with: # sh /etc/iptables.up.rules

    Code:
    #!/bin/bash
    # Configuration
    PORTSSH=xxxxx   # SSH port (value removed by the poster)

    # Enable the various kernel filters needed

    # No spoofing! Avoids having our public IP spoofed...
    # (rp_filter=1 enables reverse-path filtering; the posted script wrote 0, which disables it)
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
        for filter in /proc/sys/net/ipv4/conf/*/rp_filter
        do
            echo 1 > "$filter"
        done
    fi

    # No ICMP! ... Ignore ICMP broadcasts and bogus error responses
    # (icmp_echo_ignore_all is left alone: I want to answer ping)
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] &&
       [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
    then
        # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    fi

    # Disable ICMP redirects!
    for filter in /proc/sys/net/ipv4/conf/*/accept_redirects
    do
        echo 0 > "$filter"
    done

    for filter in /proc/sys/net/ipv4/conf/*/send_redirects
    do
        echo 0 > "$filter"
    done

    # Disable source-routed packets
    for filter in /proc/sys/net/ipv4/conf/*/accept_source_route
    do
        echo 0 > "$filter"
    done

    # Log spoofed packets, source routes, redirects!
    for filter in /proc/sys/net/ipv4/conf/*/log_martians
    do
        echo 1 > "$filter"
    done

    # SYN cookie protection
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
    then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi

    # Reduces the exposure to DoS (Denial of Service) attacks
    # by reducing timeouts
    # (the posted script tested tcp_windows_scaling; the sysctl is tcp_window_scaling)
    if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ] &&
       [ -e /proc/sys/net/ipv4/tcp_window_scaling ] &&
       [ -e /proc/sys/net/ipv4/tcp_timestamps ] &&
       [ -e /proc/sys/net/ipv4/tcp_sack ] &&
       [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]
    then
        echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
        echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
        echo 0 > /proc/sys/net/ipv4/tcp_timestamps
        echo 0 > /proc/sys/net/ipv4/tcp_sack
        echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
    fi


    ###### Start of initialization ######

    # Flush the existing tables
    iptables -t filter -F
    iptables -t filter -X
    echo "- Flush: [OK]"

    # Deny any incoming connection
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    echo "- Deny any incoming connection: [OK]"

    # Deny any outgoing connection
    iptables -t filter -P OUTPUT DROP
    echo "- Deny any outgoing connection: [OK]"

    # Allow SSH
    iptables -t filter -A INPUT -p tcp --dport $PORTSSH -j ACCEPT
    echo "- Allow SSH: [OK]"

    # Do not break established connections
    iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo "- Do not break established connections: [OK]"

    ###### End of initialization ######

    ###### Start of rules ######

    # Allow DNS, HTTP, HTTPS, NTP and WHOIS queries
    # iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    # iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    # iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 43 -m state --state NEW -j ACCEPT
    # echo "- Allow DNS, HTTP, HTTPS, NTP, WHOIS queries: [OK]"

    # Allow FTP requests
    # iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    # echo "- Allow FTP requests: [OK]"

    # Active FTP
    # iptables -t filter -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # echo "- Allow FTP requests (active mode): [OK]"

    # Passive FTP
    # modprobe ip_conntrack_ftp
    # iptables -t filter -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    # echo "- Allow FTP requests (passive mode): [OK]"

    # Monit
    iptables -t filter -A INPUT -p tcp --dport 9475 -j ACCEPT

    # Allow loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
    echo "- Allow loopback: [OK]"

    # Allow ping
    # (both rules are INPUT; there is no OUTPUT rule for ICMP)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    echo "- Allow ping: [OK]"

    # NTP out
    # (this is an INPUT rule: it accepts incoming NTP, not an outgoing NEW query)
    iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT

    # HTTP
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
    echo "- Allow Apache server: [OK]"

    # FTP
    # modprobe ip_conntrack_ftp
    # iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
    # iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # echo "- Allow FTP server: [OK]"

    # Mail
    # iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    echo "- Allow outgoing SMTP server: [OK]"

    # Mail SMTP: 465
    # Both 465 lines (and both 993 lines below) are INPUT rules: they accept
    # remote clients connecting to this host. The groupware's own connection to
    # Gmail leaves through OUTPUT as a NEW packet, and only RELATED,ESTABLISHED
    # is accepted there, so the OUTPUT DROP policy applies to it.
    iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT

    # Mail IMAP: 143
    # iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    # iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT

    # Mail IMAPS: 993
    iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT


    # DMA monitoring (Dedibox)
    iptables -t filter -A INPUT -s 88.191.254.0/24 -p tcp --dport 161 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -t filter -A INPUT -s 88.191.254.0/24 -p tcp --dport 161 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -t filter -A OUTPUT -d 88.191.254.0/24 -p tcp --sport 161 -m state --state ESTABLISHED -j ACCEPT
    iptables -t filter -A OUTPUT -d 88.191.254.0/24 -p tcp --sport 161 -m state --state ESTABLISHED -j ACCEPT
    echo "- Enable DMA monitoring (Dedibox): [OK]"

    # Log dropped packets in /var/log/messages
    # echo "+ Log rules for dropped packets ([IN/FO/OU_PKTS_DROP] ==>)"
    # iptables -A INPUT -j LOG --log-prefix "[IN_PKTS_DROP] ==> "
    # iptables -A FORWARD -j LOG --log-prefix "[FO_PKTS_DROP] ==> "
    # iptables -A OUTPUT -j LOG --log-prefix "[OU_PKTS_DROP] ==> "
    # echo "- Enable logging of dropped packets: [OK]"

    ###### End of rules ######

    iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
    iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
    echo "- Limiting SYN flood: [OK]"

    # Drop rules!
    #
    # Drops packets arriving from the Internet whose source IP is in a private range!
    # A variation on "no spoofing"
    # (the posted script created "Spoofed" but appended to "spoofed"; the name is
    # unified here. Note that the chain is never jumped to from INPUT.)

    iptables -N SPOOFED
    iptables -A SPOOFED -s 127.0.0.0/8 -j DROP      # loopback addr
    iptables -A SPOOFED -s 10.0.0.0/8 -j DROP       # class A private addr
    iptables -A SPOOFED -s 169.254.0.0/16 -j DROP   # link-local addr (the post had /12)
    iptables -A SPOOFED -s 172.16.0.0/12 -j DROP    # class B private addr
    iptables -A SPOOFED -s 192.0.2.0/24 -j DROP     # TEST-NET addr
    iptables -A SPOOFED -s 192.168.0.0/16 -j DROP   # class C private addr (the post had /24)
    iptables -A SPOOFED -s 224.0.0.0/4 -j DROP      # class D multicast addr
    iptables -A SPOOFED -s 240.0.0.0/4 -j DROP      # class E reserved addr
    echo "- Block spoofing: [OK]"

    # Flush the rules of all tables
    # ip6tables -F

    # Delete all user-defined chains
    # in the filter table
    # ip6tables -X

    # IPv6
    # ip6tables -P INPUT DROP
    # ip6tables -P OUTPUT DROP
    # ip6tables -P FORWARD DROP
    # echo "Flushing rules (ip6)"
    # ip6tables --flush
    # ip6tables --flush INPUT
    # ip6tables --flush OUTPUT
    # ip6tables --flush FORWARD
    # ip6tables --flush -t mangle
    # ip6tables --delete-chain
    # echo "- Deny IPv6: [OK]"

    # To avoid filling my logs
    # ip6tables -t filter -A INPUT -p icmpv6 -j DROP

    # Log dropped packets in /var/log/messages
    # echo "+ Log rules for dropped packets ([IN/FO/OU_PKTS_DROP_IP6] ==>)"
    # ip6tables -A INPUT -j LOG --log-prefix "[IN_PKTS_DROP_IP6] ==> "
    # ip6tables -A FORWARD -j LOG --log-prefix "[FO_PKTS_DROP_IP6] ==> "
    # ip6tables -A OUTPUT -j LOG --log-prefix "[OU_PKTS_DROP_IP6] ==> "
    # echo "- Enable logging of rejected IPv6 packets: [OK]"

    # (the action argument is missing in the post; restart assumed)
    /etc/init.d/fail2ban restart

    echo "+ ======================== END SCRIPT! ========================="
    echo "+ Show the configuration of the filter table: 'iptables -L -n -v'"
    echo "+ or 'iptables -L -n -v -t nat' (or mangle) for the other tables"
    echo "+ Show the configuration of the IPv6 filter table: 'ip6tables -L -n -v'"
    echo "+ or 'ip6tables -L -n -v -t nat' (or mangle) for the other tables"
    echo "+ =================================================================="
    So this script works, but it does not let the groupware communicate with Gmail, even with SMTP and IMAP opened IN and OUT...
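The stateful approach post #2 describes, applied to the Gmail ports of the script above, as an added example that is not from the thread: a dry-run generator for the client-side OUTPUT rules, plus a checker that reads an iptables-save dump and tells whether the host may open a TCP connection to a given port. The dumps are constructed to mirror the script's mail section; set IPT=iptables to apply the generated rules for real.

```shell
#!/bin/sh
# Dry-run by default: set IPT=iptables to apply the rules for real.
IPT=${IPT:-echo iptables}

# Client-side rules for a host whose OUTPUT policy is DROP and which itself
# connects out to Gmail (465 SMTPS, 993 IMAPS). DNS is included because the
# groupware must resolve smtp.gmail.com / imap.gmail.com before connecting.
mail_client_rules() {
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # The first packet of an outgoing session is NEW and leaves via OUTPUT;
    # an INPUT rule on the same port (the thread's script) never sees it.
    for port in 465 993; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Reads an iptables-save dump on stdin; succeeds if some OUTPUT rule accepts
# TCP to port $1 without being limited to ESTABLISHED/RELATED.
# Heuristic: rule order and earlier DROP rules are ignored.
allows_outbound_tcp() {
    grep -E -- "^-A OUTPUT( .*)? -p tcp .*--dport $1( |$)" \
      | grep -vE -- '--state (ESTABLISHED|RELATED)(,(ESTABLISHED|RELATED))? ' \
      | grep -q -- '-j ACCEPT$'
}

# Constructed dump in the shape of the thread's script: mail ports on INPUT only.
THREAD_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT'

# Constructed dump after adding the OUTPUT NEW rules generated above.
FIXED_RULES="$THREAD_RULES
-A OUTPUT -p tcp -m tcp --dport 465 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT"

# Returns 0 when the dump in $1 lets this host reach Gmail on 465 and 993.
can_reach_gmail() {
    printf '%s\n' "$1" | allows_outbound_tcp 465 &&
    printf '%s\n' "$1" | allows_outbound_tcp 993
}

can_reach_gmail "$THREAD_RULES" && echo "thread rules: reachable" || echo "thread rules: blocked"
can_reach_gmail "$FIXED_RULES"  && echo "fixed rules: reachable"  || echo "fixed rules: blocked"
mail_client_rules
```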

  4. #4
    Join Date
    May 2008
    Posts
    991

    Re: Which ports depend to access gmail (SMTP and IMAP)

    On Debian, Shorewall is at version 4.0.15.

    The Shorewall site is at http://www.shorewall.net/

    Shorewall is the very model of a "killer application": you try it and forget everything you did before!

    This script is very interesting but context-dependent. Many things in it are quite valid (spoofing, martians, ...)

    But frankly, try Shorewall ...
