DevHeads.net

Can't connect to server / migrating to iptables

I run my mail server on CentOS 7. The server is also the modem/router and as such has
two NICs: internal and external.
Since migrating to iptables, I cannot access the mail server anymore, neither by
telnet nor by web client.
My webserver works just fine. I can't find an error message in
/var/log/maillog or /var/log/messages.

I'd appreciate it if somebody could go through the lines below and tell me
if I am missing a port, or has some other idea why this is not working.

The firewall script has several chapters:
* Remove all previous rules, and delete any user defined chains
* Set the default policies to drop
* Loopback device OK
* Allow all ICMP Traffic - IN, OUT and THROUGH
* Allow all Internal traffic to Server
* Allow ALL packets out the external device
* MASQUERADING: All packets from the internal network will appear as if they
had originated from the firewall.
* Allow ALL EXT packets if a connection already exists
And then I open ports selectively; these are the ones for the mail server:

# POP3
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 110 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 995 -j ACCEPT

# IMAP
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 143 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT

# SMTP
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT

# Submission
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 587 -j ACCEPT

Thank you
Wolfgang
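The chapters listed above, written out as one complete ruleset plus an offline audit of it. This is an added example, not the poster's script or anything from the thread: it emits the ruleset in iptables-save format (the same order of chapters as the post, using the modern `-m conntrack --ctstate` form, which is equivalent to the `-m state --state` form in the posted rules), and it checks a ruleset for the two things that most often explain "the SYN is accepted but the session never comes up": a port with no ACCEPT on the external interface, and a missing ESTABLISHED,RELATED rule. The interface names `eth0`/`eth1`, the internal subnet `192.168.1.0/24`, and the file name `mailfw.sh` are assumptions; override the first three through the environment.

```shell
#!/bin/sh
# Added example (not the poster's script). Builds the mail-server ruleset the
# post describes in iptables-save format and audits a ruleset offline for the
# mail ports. EXT_DEV, INT_DEV and INT_NET are assumed defaults.
EXT_DEV="${EXT_DEV:-eth0}"
INT_DEV="${INT_DEV:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"
MAIL_PORTS="25 465 587 110 995 143 993"

# Emit the complete ruleset. Loading it with iptables-restore replaces every
# table atomically, which covers the "remove all previous rules" chapter
# without a separate flush step.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $INT_NET -o $EXT_DEV -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A INPUT -i $INT_DEV -s $INT_NET -j ACCEPT
-A OUTPUT -o $INT_DEV -j ACCEPT
-A OUTPUT -o $EXT_DEV -j ACCEPT
-A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT
-A INPUT -i $EXT_DEV -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_DEV -o $INT_DEV -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One NEW rule per mail port; the first packet of a TCP flow is a SYN
    # anyway, so no --syn is needed here.
    for p in $MAIL_PORTS; do
        echo "-A INPUT -i $EXT_DEV -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Audit a ruleset in iptables-save format read from stdin (for example the
# output of iptables-save on the live box). Reports every mail port with no
# ACCEPT on the external interface and a missing ESTABLISHED,RELATED rule
# (without it the SYN is accepted but nothing after it). Returns 1 if
# anything is missing.
audit_ruleset() {
    filter=$(sed -n '/^\*filter/,/^COMMIT/p')
    rc=0
    if ! printf '%s\n' "$filter" | grep -q -- '^-A INPUT .*ESTABLISHED.*-j ACCEPT'; then
        echo "MISSING: INPUT rule accepting ESTABLISHED,RELATED traffic"
        rc=1
    fi
    for p in $MAIL_PORTS; do
        if printf '%s\n' "$filter" | grep -q -- "^-A INPUT .*-i $EXT_DEV .*--dport $p .*-j ACCEPT"; then
            echo "ok: tcp/$p accepted on $EXT_DEV"
        else
            echo "MISSING: tcp/$p is not accepted on $EXT_DEV"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --print) gen_ruleset ;;            # sh mailfw.sh --print | iptables-restore
    --audit) audit_ruleset ;;          # iptables-save | sh mailfw.sh --audit
    *) gen_ruleset | audit_ruleset ;;  # self-check of the generated ruleset
esac
```

To check the rules actually loaded on the box rather than the script that was meant to load them, run `iptables-save | sh mailfw.sh --audit` as root; `iptables -L INPUT -nv --line-numbers` then shows per-rule packet counters, which tell you whether a connection attempt is hitting the port rule, the ESTABLISHED rule, or falling through to the DROP policy. The syncookies setting mentioned in the reply is read with `sysctl net.ipv4.tcp_syncookies`; it affects SYN handling under flood, not whether a rule matches.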

Comments

Re: Can't connect to server / migrating to iptables

By list at 03/12/2018 - 11:13

On 03/12/2018 08:12 AM, wp.rauchholz wrote:
Easy: remove the --syn flag. Also, be sure to have
sys.net.ipv4.syncookies turned on in /etc/sysctl.conf