[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-users] sendmail delivery failure through IPChains
- Subject: [cobalt-users] sendmail delivery failure through IPChains
- From: "Charles Williams" <hosting.mailing.list.account@xxxxxxxxxxxxxxx>
- Date: Thu Jul 12 00:07:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
hey all,
I have searched the archive and haven't found a solution to this problem. I
recently installed IPChains using the script below. The problem is that all
mail sent is being refused by the destination servers. I can telnet from my
raq to the destination SMTP servers but sendmail is continualy deferred. I
can find nothing wrong with the firewall and since I CAN telnet to the
remote smtp server I am inclined to think the script is ok. That can only
leave sendmail as the culprit.
Any ideas?
rc.firewall:
#!/bin/sh
# Script generated Thu July 12 12:00:12 2001
# --------------------------------------------------------------------------
--
# Copyright (C) 1997, 1998, 1999, 2000 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# --------------------------------------------------------------------------
--
# /etc/rc.d/rc.firewall
# Invoked from /etc/rc.d/rc.local.
echo "Starting firewalling... "
# --------------------------------------------------------------------------
--
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming convention
IPADDR="any/0" # your IP address
ANYWHERE="any/0" # match any IP address
NAMESERVER_1="any/0" # everyone must have at least one
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
# --------------------------------------------------------------------------
--
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
OPENWINDOWS_PORT="2000" # (TCP) openwindows
# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063" # (TCP) X windows
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote clients
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# --------------------------------------------------------------------------
--
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY
# --------------------------------------------------------------------------
--
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# --------------------------------------------------------------------------
--
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# --------------------------------------------------------------------------
--
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
. /etc/rc.d/rc.firewall.blocked
fi
# --------------------------------------------------------------------------
--
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
#
# # Refuse incoming packets pretending to be from the external address.
# ipchains -A input -s $IPADDR -j DENY -l
#
# Refuse incoming packets claiming to be from a Class A, B or C private
network
ipchains -A input -s $CLASS_A -j DENY
ipchains -A input -s $CLASS_B -j DENY
ipchains -A input -s $CLASS_C -j DENY
# Refuse broadcast address SOURCE packets
ipchains -A input -s $BROADCAST_DEST -j DENY
ipchains -A input -d $BROADCAST_SRC -j DENY
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -s $CLASS_D_MULTICAST -j DENY
# Refuse Class E reserved IP addresses
ipchains -A input -s $CLASS_E_RESERVED_NET -j DENY -l
# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included.
# Filtering them causes problems as reserved blocks are
# being allocated more often now.
# Note: this list includes the loopback, multicast, & reserved
addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 127.*.*.* - LoopBack
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 224-255.*.*.* - Classes D & E, plus unallocated.
ipchains -A input -s 0.0.0.0/8 -j DENY -l
ipchains -A input -s 127.0.0.0/8 -j DENY -l
ipchains -A input -s 169.254.0.0/16 -j DENY -l
ipchains -A input -s 192.0.2.0/24 -j DENY -l
ipchains -A input -s 224.0.0.0/3 -j DENY -l
# --------------------------------------------------------------------------
--
# NOTE:
# The symbolic names used in /etc/services for the port numbers vary by
# supplier. Using them is less error prone and more meaningful,
though.
# --------------------------------------------------------------------------
--
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# NFS: establishing a TCP connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $NFS_PORT -j REJECT
# openwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $OPENWINDOWS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $OPENWINDOWS_PORT -j REJECT
# Xwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $XWINDOW_PORTS -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $XWINDOW_PORTS -j REJECT
# SOCKS: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $SOCKS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $SOCKS_PORT -j REJECT
# --------------------------------------------------------------------------
--
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $NFS_PORT -j DENY -l
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j DENY -l
# DNS server (53)
# ---------------
# DNS: full server
# ----------------
# server/client to server query or response
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
--destination-port 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR 53 -j ACCEPT
# DNS client (53)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 80 \
--destination-port $UNPRIVPORTS -j ACCEPT
# HTTP client (80)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 80 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# ADMIN server (81)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 81 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 81 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTPS server (443)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 443 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 443 \
--destination-port $UNPRIVPORTS -j ACCEPT
# HTTPS client (443)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 443 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# POP server (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 110 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 110 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SMTP server (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 25 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 25 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $SSH_REMOTE_PORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
--destination-port $SSH_REMOTE_PORTS -j ACCEPT
# SSH client (22)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 22 \
-d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT
# # ------------------------------------------------------------------
#
# # TELNET server (23)
# # ------------------
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR 23 -j ACCEPT
#
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
# -s $IPADDR 23 \
# --destination-port $UNPRIVPORTS -j ACCEPT
#
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Accept incoming connections to identd but disable in.identd in
inetd.conf.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 113 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 113 \
--destination-port $UNPRIVPORTS -j ACCEPT
# AUTH client (113)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 113 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 113 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# # ------------------------------------------------------------------
#
# # WHOIS client (43)
# # -----------------
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR $UNPRIVPORTS \
# --destination-port 43 -j ACCEPT
#
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
# --source-port 43 \
# -d $IPADDR $UNPRIVPORTS -j ACCEPT
#
# ------------------------------------------------------------------
# FTP server (21)
# ---------------
# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 21 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 21 \
--destination-port $UNPRIVPORTS -j ACCEPT
# PORT MODE data channel responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR 20 \
--destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port $UNPRIVPORTS \
-d $IPADDR 20 -j ACCEPT
# PASSIVE MODE data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
# FTP client (21)
# ---------------
# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 21 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
# PASSIVE mode data channel creation
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------------
--
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed,
etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR fragmentation-needed -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR source-quench -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR echo-request -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR parameter-problem -j ACCEPT
# --------------------------------------------------------------------------
--
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 0:19 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 24 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 26:78 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 81:109 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 112 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 114:136 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 140:142 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 144:442 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 444:1023 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port 0:110 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port 112:160 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port 163:634 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port 636:1023 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 13:255 -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l
# --------------------------------------------------------------------------
--
echo "done"
exit 0
Thanks,
chuck
Chuck's Top 10 Things to Remember and Think about!
=======================================================
10. Please return stewardess to original upright position.
9. Fighting for peace is like fucking for virginity.
8. Never date someone because you're too lazy to commit suicide.
7. It is not the fall that kills you. it's the sudden stop at the end.
6. You can't have everything. Where would you put it all?
5. " Real Windows Performance", on the next "In Search Of".
4. 2 rules to success in life. 1. Don't tell people everything you know.
3. 24 hours in a day, 24 beers in a case. Coincidence?
2. 9 out of 10 men who try Camels prefer women.
1. Always borrow money from a pesimist. They never expect it back anyway.
That's it! NO MORE! JEEZ! GET BACK TO WORK!