Re: IPTable interfering with email.

As a brief side note, I would personally recommend using 127.0.0.1 in your /etc/resolv.conf on your DNS server. That would serve the purpose of eliminating this issue as well as allowing you to change your IP without breaking your DNS.
--
Paul Mooring
Systems Engineer and Customer Advocate

www.opscode.com

From: keith smith <klsmith2020@yahoo.com<mailto:klsmith2020@yahoo.com>>
Reply-To: Main PLUG discussion list <plug-discuss@lists.phxlinux.org<mailto:plug-discuss@lists.phxlinux.org>>
Date: Sunday, March 31, 2013 3:09 PM
To: Main PLUG discussion list <plug-discuss@lists.phxlinux.org<mailto:plug-discuss@lists.phxlinux.org>>
Subject: Re: IPTable interfering with email.


Thanks!! I added another rule to allow udp on port 53 and that seems to have resolved the issue.

Thank you for your keen eye.

------------------------
Keith Smith

--- On Sat, 3/30/13, Paul Mooring <paul@opscode.com<mailto:paul@opscode.com>> wrote:

From: Paul Mooring <paul@opscode.com<mailto:paul@opscode.com>>
Subject: Re: IPTable interfering with email.
To: "Main PLUG discussion list" <plug-discuss@lists.phxlinux.org<mailto:plug-discuss@lists.phxlinux.org>>
Date: Saturday, March 30, 2013, 6:05 PM

Hi,

Iptables is some of the most misunderstood software around. It isn't actually a service that can be started and stopped, but rather the user interface for the networking filter in the Linux kernel (net filter). I am curious as to where this config came from and if that's the running config while iptables is "started". Starting the iptables "service" on nearly all distros just runs the equivalent of:

    iptables -F
    iptables -t nat -F
    # Maybe flush some more tables if you have any
    source /path/to/some/saved/rules.sh

The command 'iptables-save' will show you the currently running config to see if it differs from your saved config. Your rules for the most part look like they should be valid for a mail server. The only irregularity is allowing tcp port 53. If your server is using it's own IP as a DNS server (not 127.0.0.1 but like 192.168.0.x or something), DNS is generally UDP traffic so it's possible iptables is killing DNS on the server and mx lookups along with it because you have tcp/53 allowed and udp/53 blocked.

--
Paul Mooring
Systems Engineer and Customer Advocate

www.opscode.com

From: keith smith <klsmith2020@yahoo.com</mc/compose?to=klsmith2020@yahoo.com>>
Reply-To: Main PLUG discussion list <plug-discuss@lists.phxlinux.org</mc/compose?to=plug-discuss@lists.phxlinux.org>>
Date: Friday, March 29, 2013 2:12 PM
To: Main PLUG discussion list <plug-discuss@lists.phxlinux.org</mc/compose?to=plug-discuss@lists.phxlinux.org>>
Subject: IPTable interfering with email.


Hi,

I am puzzled.

I cannot receive or send email when I have IP table on, except to Yahoo.com. I get bounded emails when trying to send.

As soon as I stop IPTables I start receiving emails.

CentOS 6.4, Postfix, dovcott, Spamassassin, virtual host server running on my business cox account (no blocked ports).

Router ports that are open 21,22,25,53,80,143,443,587. (port forwarding)

IPTable config:

# Generated by iptables-save v1.4.7 on Fri Mar 29 14:08:56 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:432]
-A INPUT -s 192.168.20.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Mar 29 14:08:56 2013


Thank you for any insight.
Keith

------------------------
Keith Smith


-----Inline Attachment Follows-----

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org</mc/compose?to=PLUG-discuss@lists.phxlinux.org>
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss