Undefined non-forwarding zone blocks all ports.
Dan Serban
Thu Apr 6 21:52:19 CEST 2006
Hi all, my first time posting to this list (and it's been a few years
since I've been subscribed to a list).
Down to the point, I'm in the midst of setting up a mail server with two
interfaces, one to the big bad internet and one to the local network.
I've successfully set up fiaif on my router and have been using the fiaif
scripts for quite some time (has to be close to a year now).
My problem: this mail server uses two interfaces, one for the outside
world and the other for our internal requests. What I'd like to use
fiaif for is its specific blocking of martian requests and all the other
nasty cruft out there, but only on the external interface, as the
internal one provides other services such as an IMAP server, Apache (for
webmail), snmp monitoring and other such fun.
I will provide the following info as the introductory email requested:
oberon:~# iptables --version
iptables v1.3.3
oberon:~# uname -a
Linux oberon 2.6.16 #1 SMP Mon Apr 3 10:53:37 PDT 2006 x86_64 GNU/Linux
oberon:~# bash --version
GNU bash, version 3.1.14(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.
oberon:~# lsmod
Module Size Used by
dm_mod 60872 0
af_packet 25228 0
ipv6 289888 16
ipt_REDIRECT 2688 0
xt_helper 3328 0
ipt_multiport 3200 0
ipt_TOS 3072 0
xt_tcpudp 4224 0
xt_state 2816 0
ipt_LOG 8064 0
ipt_REJECT 6656 0
xt_limit 3456 0
iptable_nat 9604 0
iptable_filter 3840 0
ip_nat 20504 2 ipt_REDIRECT,iptable_nat
ip_conntrack_ftp 9192 0
ip_conntrack 56592 5 xt_helper,xt_state,iptable_nat,ip_nat,ip_conntrack_ftp
iptable_mangle 3712 0
ip_tables 15080 3 iptable_nat,iptable_filter,iptable_mangle
x_tables 15880 11 ipt_REDIRECT,xt_helper,ipt_multiport,ipt_TOS,xt_tcpudp,xt_state,ipt_LOG,ipt_REJECT,xt_limit,iptable_nat,ip_tables
w83627hf 30224 0
hwmon_vid 3328 1 w83627hf
i2c_isa 6400 1 w83627hf
sbp2 25092 0
sky2 41856 0
i2c_nforce2 8448 0
ohci1394 36168 0
ieee1394 109560 2 sbp2,ohci1394
ohci_hcd 22532 0
ehci_hcd 34824 0
pcspkr 4488 0
forcedeth 26756 0
evdev 12160 0
psmouse 42636 0
i2c_core 25216 3 w83627hf,i2c_isa,i2c_nforce2
unix 32664 199
oberon:~# cat /usr/share/fiaif/VERSION
1.20.1
And I'll add the following info:
oberon:~# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.0.2:80 0.0.0.0:* LISTEN
tcp 0 0 xx.xx.xx.xx:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.2:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.2:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 xx.xx.xx.xx:53 0.0.0.0:*
udp 0 0 192.168.0.2:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp6 0 0 :::32769 :::*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 36252 /var/run/apache2/cgisock
unix 2 [ ACC ] STREAM LISTENING 9206 private/relay
unix 2 [ ACC ] STREAM LISTENING 9226 private/virtual
unix 2 [ ACC ] STREAM LISTENING 9210 public/showq
unix 2 [ ACC ] STREAM LISTENING 9246 private/uucp
unix 2 [ ACC ] STREAM LISTENING 9250 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 9254 private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 9258 private/scalemail-backend
unix 2 [ ACC ] STREAM LISTENING 9262 private/mailman
unix 2 [ ACC ] STREAM LISTENING 9158 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 9165 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 9169 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 9173 private/bounce
unix 2 [ ACC ] STREAM LISTENING 9177 private/defer
unix 2 [ ACC ] STREAM LISTENING 9214 private/error
unix 2 [ ACC ] STREAM LISTENING 9230 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 9234 private/anvil
unix 2 [ ACC ] STREAM LISTENING 9238 private/scache
unix 2 [ ACC ] STREAM LISTENING 9242 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 9181 private/trace
unix 2 [ ACC ] STREAM LISTENING 9190 private/verify
unix 2 [ ACC ] STREAM LISTENING 9194 public/flush
unix 2 [ ACC ] STREAM LISTENING 9198 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 9202 private/smtp
unix 2 [ ACC ] STREAM LISTENING 9218 private/discard
unix 2 [ ACC ] STREAM LISTENING 9222 private/local
After all that ... I'll describe my current config. Fiaif loads only
the EXT zone, as defined in fiaif.conf; I then set all ports to be
blocked except for smtp (as that's the only service required to the big
bad intarweb).
Most of my internal ports are blocked (I don't know specifically if all
are blocked as I've focused only on apache currently), this is what
fiaif reports when I try to access apache over the local network:
Apr 6 12:48:30 oberon kernel: [FIAIF_GLOBAL_MISS]:IN=eth0 OUT= MAC=00:13:d3:9d:9d:de:00:50:bf:9e:b0:34:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21624 DF PROTO=TCP SPT=42199 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
I don't understand what GLOBAL_MISS means, as it seems to block the
service I'm attempting to contact. Locally I can run elinks
http://192.168.0.2 to my heart's content and it works fine, though I
understand it's a local loop and nothing is hitting the actual
interface, so I've boiled it down to fiaif being a little too eager in
protecting the box :)
What have I misconfigured? What can I try/do? I would certainly
appreciate any input on this.
Thank you,
Dan Serban
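The log line quoted in the post is a standard netfilter LOG record, and the useful fact in it for this problem is IN=eth0: the packet arrived on the internal interface. The following is an added triage script, not part of the post or of fiaif; it parses such LOG lines and checks the inbound device against the devices the loaded zones are bound to, on the assumption (suggested by the FIAIF_GLOBAL_MISS prefix, but not confirmed by the post) that fiaif binds each loaded zone to one device and that traffic on a device no zone claims falls through to a global default rule. Which NIC is external is not stated in the post, so the eth1 binding for EXT in ZONE_DEVICES is a guess; the first sample record is the post's own log line joined back into one line, the second is a constructed record with a made-up prefix and documentation addresses.

```python
import re
from typing import Dict, List, Optional, Set

# Sample log: record 1 is the FIAIF_GLOBAL_MISS line from the post (rejoined),
# record 2 is constructed (made-up prefix, RFC 5737 documentation addresses).
SAMPLE_LOG = (
    "Apr 6 12:48:30 oberon kernel: [FIAIF_GLOBAL_MISS]:IN=eth0 OUT= "
    "MAC=00:13:d3:9d:9d:de:00:50:bf:9e:b0:34:08:00 SRC=192.168.0.1 DST=192.168.0.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21624 DF PROTO=TCP SPT=42199 DPT=80 "
    "WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0\n"
    "Apr 6 12:49:01 oberon kernel: [CONSTRUCTED_SAMPLE]:IN=eth1 OUT= "
    "MAC=00:13:d3:9d:9d:de:00:00:5e:00:53:01:08:00 SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51000 DPT=25 "
    "WINDOW=5840 RES=0x00 SYN URGP=0\n"
)

# Assumption (not stated in the post): device each loaded zone is bound to.
# Only EXT is loaded; which NIC is the external one is a guess here.
ZONE_DEVICES: Dict[str, str] = {"EXT": "eth1"}

# Prefix tuned to fiaif's "[PREFIX]:IN=" layout; a plain iptables "prefix: IN=" also matches.
PREFIX_RE = re.compile(r"\[([^\]]+)\]:?\s*IN=")
KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags (DF, SYN, ...) are skipped


def parse_netfilter_log(line: str) -> Optional[Dict[str, str]]:
    """Extract the fields a firewall triage needs from one netfilter LOG line."""
    fields = dict(KV_RE.findall(line))
    if "IN" not in fields or "OUT" not in fields:
        return None  # every LOG-target record carries IN= and OUT=; anything else is not one
    m = PREFIX_RE.search(line)
    return {
        "prefix": m.group(1) if m else "",
        "iface_in": fields["IN"],
        "iface_out": fields["OUT"],
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dport": fields.get("DPT", ""),
    }


def zone_for_interface(iface: str, zone_devices: Dict[str, str]) -> Optional[str]:
    """Return the zone bound to `iface`, or None if no loaded zone claims that device."""
    for zone, dev in zone_devices.items():
        if dev == iface:
            return zone
    return None


def triage(rec: Dict[str, str], zone_devices: Dict[str, str]) -> Dict[str, object]:
    """Say whether a logged packet was handled by a zone or fell through to the global default."""
    zone = zone_for_interface(rec["iface_in"], zone_devices)
    if zone is None:
        verdict = (f"{rec['iface_in']}: no loaded zone is bound to this device, so "
                   f"{rec['proto']}/{rec['dport']} from {rec['src']} fell through to the "
                   f"global default (logged as {rec['prefix']})")
    else:
        verdict = (f"{rec['iface_in']}: handled by zone {zone}; "
                   f"{rec['proto']}/{rec['dport']} from {rec['src']} (logged as {rec['prefix']})")
    return {"iface": rec["iface_in"], "zone": zone, "unzoned": zone is None, "verdict": verdict}


def triage_log(text: str, zone_devices: Dict[str, str]) -> List[Dict[str, object]]:
    """Triage every LOG record in a syslog extract; non-LOG lines are ignored."""
    results = []
    for line in text.splitlines():
        rec = parse_netfilter_log(line)
        if rec is not None:
            results.append(triage(rec, zone_devices))
    return results


def unzoned_interfaces(text: str, zone_devices: Dict[str, str]) -> Set[str]:
    """Devices that are receiving traffic but that no loaded zone covers."""
    return {str(r["iface"]) for r in triage_log(text, zone_devices) if r["unzoned"]}


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG, ZONE_DEVICES):
        print(r["verdict"])
    print("devices with no zone:", sorted(unzoned_interfaces(SAMPLE_LOG, ZONE_DEVICES)))
```

Run against the post's own line the script reports eth0 as a device no loaded zone is bound to, which is the thing to confirm in fiaif.conf and the zone files before touching port lists: a port opened in the EXT zone cannot help traffic that never enters that zone.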