Paul Roddy 2004-03-31, 2:36 am
I want to add a rule to my iptables to allow pop3 to come from the Internet.
Do the following commands look OK to you?
iptables -A INPUT -p tcp --sport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
Also, what should my iptables --list look like?

Alexander Dalloz 2004-03-31, 11:37 am
On Wed, 31 Mar 2004 01:20:23 -0600 Paul Roddy wrote:
> I want to add a rule to my iptables to allow pop3 to come from the Internet.
> Do the following commands look OK to you?
>
> iptables -A INPUT -p tcp --sport 110 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
>
>
> Also, what should my iptables --list look like?
You mixed it up.
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT
And be sure the rules apply before a global REJECT rule is called.
Alexander
--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653

Paul Roddy 2004-03-31, 11:37 am
> You mixed it up.
>
> iptables -A INPUT -p tcp --dport 110 -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT
>
> And be sure the rules apply before a global REJECT rule is called.
Thanks Alexander,
How do I make sure it applies before the global REJECT rule?

Alexander Dalloz 2004-03-31, 12:40 pm
On Wed, 31 Mar 2004 10:39:25 -0600 Paul Roddy wrote:
>
> Thanks Alexander,
>
> How do I make sure it applies before the global REJECT rule?
The ruleset is gone through from top to bottom. So if you place the
rules for POP3 behind a general REJECT rule, they will never be used. If you
want to use a new rule after all other rules have already been created, you
had better use iptables -I rather than iptables -A, because -A means add to the end
while -I means insert at the top.
See www.netfilter.org to understand the whole thing.
Alexander

Paul Roddy 2004-03-31, 4:37 pm
> You mixed it up.
>
> iptables -A INPUT -p tcp --dport 110 -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT
Well, I tried it this way and I tried it the way I originally thought. Both
don't work. If I disable iptables, then pop3 does work and the clients get
their mail.
I must be doing something wrong in order to allow pop3 access from the
Internet. Any thoughts?

Alexander Dalloz 2004-03-31, 4:37 pm
On Wed, 31 Mar 2004 15:11:34 -0600 Paul Roddy wrote:
>
>
> Well, I tried it this way and I tried it the way I originally thought. Both
> don't work. If I disable iptables, then pop3 does work and the clients get
> their mail.
>
> I must be doing something wrong in order to allow pop3 access from the
> Internet. Any thoughts?
As I explained in a different answer, try it differently:
iptables -I INPUT -p tcp --dport 110 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 110 -j ACCEPT
But please, understand what you are doing!
Alexander

Paul Roddy 2004-03-31, 5:37 pm
> As I explained in a different answer, try it differently:
>
> iptables -I INPUT -p tcp --dport 110 -j ACCEPT
> iptables -I OUTPUT -p tcp --sport 110 -j ACCEPT
>
> But please, understand what you are doing!
Well, I think I know what I'm doing... scary, eh! Here's what I ended up
doing. Let me know what you think of this.
I edited my /etc/sysconfig/iptables.conf and added this line before my
reject statement.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
All is working well now. Thanks for the help, Alexander.

Alexander Dalloz 2004-03-31, 7:36 pm
On Wed, 31 Mar 2004 16:25:19 -0600 Paul Roddy wrote:
> I edited my /etc/sysconfig/iptables.conf and added this line before my
> reject statement.
You mean /etc/sysconfig/iptables 
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
>
> All is working good now. thanks for the help Alexander
Yes, that should do the job, as IIRC in default iptables configuration
OUTPUT will allow ESTABLISHED,RELATED. Right?
Alexander
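As an added example (not code from the thread), covering both Alexander's point about rule order and -I versus -A, and Paul's edit of /etc/sysconfig/iptables: a POSIX shell script that places the POP3 ACCEPT rule ahead of the first REJECT in an iptables-save style file and then verifies the order before anything is loaded. The function names and the sample ruleset are constructed for this example; the sample only mirrors the shape described in the thread (loopback and ESTABLISHED,RELATED accepted, then a catch-all REJECT), not anyone's real configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Works on a rule file in iptables-save
# format (what /etc/sysconfig/iptables holds on Red Hat systems). The helper
# names and the sample ruleset below are assumptions made for this demo.

# insert_before_reject FILE CHAIN RULE
# Rewrite FILE so that RULE sits immediately before the first
# "-A CHAIN ... -j REJECT" line. If CHAIN has no REJECT, RULE is placed just
# before COMMIT so it still lands inside the table.
insert_before_reject() {
    file=$1; chain=$2; rule=$3
    tmp=$(mktemp) || return 1
    awk -v chain="$chain" -v rule="$rule" '
        !done && $1 == "-A" && $2 == chain && / -j REJECT( |$)/ { print rule; done = 1 }
        !done && $1 == "COMMIT"                                 { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# accept_before_reject FILE CHAIN PATTERN
# Succeed (exit 0) only if the first CHAIN rule matching PATTERN appears
# before the first CHAIN rule that jumps to REJECT: first match wins, so a
# rule behind the REJECT is never reached.
accept_before_reject() {
    file=$1; chain=$2; pattern=$3
    acc=$(grep -n -- "^-A $chain .*$pattern" "$file" | head -n 1 | cut -d: -f1)
    rej=$(grep -n -- "^-A $chain .*-j REJECT" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$acc" ] || return 1
    [ -z "$rej" ] || [ "$acc" -lt "$rej" ]
}

# write_sample_ruleset FILE: a constructed ruleset in the shape the thread
# describes: loopback and ESTABLISHED,RELATED accepted, then a catch-all REJECT.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

POP3_RULE='-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT'

# demo: fix up a copy of the sample file and prove the order is right.
demo() {
    f=$(mktemp) || return 1
    write_sample_ruleset "$f"
    insert_before_reject "$f" INPUT "$POP3_RULE"
    if accept_before_reject "$f" INPUT "--dport 110"; then
        echo "POP3 ACCEPT is ahead of the REJECT; load it with: iptables-restore < $f"
        cat -n "$f"
    else
        echo "POP3 rule is behind the REJECT and would never match" >&2
        rm -f "$f"; return 1
    fi
    rm -f "$f"
}

# On a live box the same thing in memory: find the REJECT's position and
# insert at that number instead of at 1, so the lo and ESTABLISHED,RELATED
# rules stay ahead of the new one (commands shown, not run here):
#   n=$(iptables -L INPUT -n --line-numbers | awk '$2 == "REJECT" { print $1; exit }')
#   iptables -I INPUT "$n" -m state --state NEW -p tcp --dport 110 -j ACCEPT
demo
```

A bare iptables -I inserts at position 1, which is harmless for an ACCEPT but puts it ahead of the loopback and state rules; the numbered form above keeps the chain in its intended order. Chain names are case-sensitive (INPUT, not Input), and a state-based rule on INPUT only completes the picture because replies leave through an OUTPUT chain whose policy or rules let ESTABLISHED traffic out, which is the question Alexander raised.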

Paul Roddy 2004-04-01, 10:39 am
>
> You mean /etc/sysconfig/iptables 
Yes... ;)
>
> Yes, that should do the job, as IIRC in default iptables configuration
> OUTPUT will allow ESTABLISHED,RELATED. Right?
Umm... first of all, what is IIRC? And OUTPUT will allow all 4 states.