Hi everyone, I am totally lost on this... I have an Ubuntu system set up with squid and dansguardian to do my internet filtering. Everything is working great, except that I cannot connect via IMAPS (993) or POP3S (995) for my email.

Here is the script I'm using to set up my firewall:

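#!/bin/sh

# IPTABLES FIREWALL script
#
# Purpose: load a stateful NAT/filter ruleset on a two-interface Linux
# gateway: EXTIF faces the internet, INTIF faces the LAN.
#
# Assumptions: both interfaces are "up" and have an IPv4 address, and the
# script runs as root (it writes /proc/sys and calls iptables).
#
# This is a POSIX /bin/sh script (dash on Ubuntu). dash's echo does not
# understand "-e" (it would print a literal "-e "), so printf is used for
# every message instead.

printf '\n\nSETTING UP IPTABLES FIREWALL...\n'

#######################################
# Print the IPv4 address of an interface, or nothing if it is down or
# has no address.
# Arguments: $1 - interface name
# Outputs:   dotted-quad address on stdout
#######################################
# Matches both the classic "inet addr:A.B.C.D" line and the newer
# "inet A.B.C.D" line printed by recent net-tools; the "inet " pattern
# (with the trailing space) deliberately does not match "inet6".
iface_ipv4() {
  /sbin/ifconfig "$1" | awk '/inet / {print $2}' | sed -e 's/^addr://'
}

# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
EXTIF="eth0"
EXTIP=$(iface_ipv4 "$EXTIF")

# SET THE INTERFACE DESIGNATION FOR YOUR "INTERNAL" (LAN) CONNECTION
INTIF="eth1"
INTIP=$(iface_ipv4 "$INTIF")

# Every rule below embeds these addresses. An empty value would make
# iptables reject the rule, and since this script does not run under
# "set -e" the failure would go unnoticed while the rest keeps loading.
# Abort before any rule is touched instead.
if [ -z "$EXTIP" ] || [ -z "$INTIP" ]; then
  printf 'ERROR: could not determine the IPv4 address of %s or %s; aborting\n' \
    "$EXTIF" "$INTIF" >&2
  exit 1
fi

# NETWORK address the internal interface is on. The LAN is assumed to be
# a /24: the last octet of INTIP is replaced with "0/24" (the original
# did the same with a sed expression).
INTNET="${INTIP%.*}.0/24"

UNIVERSE="0.0.0.0/0"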

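# Reset the filter table: default policy DROP on every built-in chain
# first, so the box fails closed while the rules below are being loaded,
# then flush whatever was there.
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

# Flush the user chain if it exists. The chain is probed directly (rather
# than grepping the whole listing for a substring), and with -n so that
# iptables does not attempt reverse-DNS lookups, which can hang while the
# ruleset is half-loaded.
if iptables -n -L drop-and-log-it >/dev/null 2>&1; then
  iptables -F drop-and-log-it
fi

# Delete all user-specified chains (they are empty after the flush above)
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Logging chain used as the catch-all target of every built-in chain.
# Despite its name the final target is REJECT (the sender gets an ICMP
# error), not DROP. The LOG rule is rate-limited so that a flood of
# rejected packets cannot fill the system log; the prefix makes the
# entries easy to pick out.
iptables -N drop-and-log-it
iptables -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level info --log-prefix "FW-REJECT: "
iptables -A drop-and-log-it -j REJECT

# Enable IPv4 forwarding only now that the FORWARD policy is DROP, so no
# packet is routed under whatever ruleset was loaded before this script.
echo 1 > /proc/sys/net/ipv4/ip_forward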

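printf ' - Loading INPUT rulesets\n'

#######################################################################
# INPUT: traffic addressed to the firewall itself, per interface.
# All chains are already flushed with a default policy of DROP, so
# anything not explicitly accepted below ends in the logging catch-all.
#

# TRUST ANYTHING COMING IN ON LOOPBACK
iptables -A INPUT -i lo -j ACCEPT

# Anti-spoofing: packets on the external interface claiming a LAN source
iptables -A INPUT -i "$EXTIF" -s "$INTNET" -d "$UNIVERSE" -j drop-and-log-it

# Replies to the firewall's own outbound connections (the proxy's, DNS,
# updates, ...) on the external interface. This is placed BEFORE the
# ICMP drop below on purpose: RELATED ICMP errors such as "fragmentation
# needed" (path-MTU discovery) and the replies to the firewall's own
# pings belong to tracked connections, and the original ordering dropped
# them before the state rule could see them.
iptables -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" -m state \
  --state ESTABLISHED,RELATED -j ACCEPT

# Basic networking: ICMP from the LAN is accepted; unsolicited ICMP from
# the internet (pings, etc.) is dropped silently.
iptables -A INPUT -i "$INTIF" -p icmp -s "$INTNET" -d "$UNIVERSE" -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p icmp -s "$UNIVERSE" -d "$EXTIP" -j DROP

# Accept anything from the LAN addressed to the firewall. As the original
# author notes, this is lenient: while it is active the per-port LAN
# rules below are never reached, and they only take effect if this line
# is commented out.
iptables -A INPUT -i "$INTIF" -s "$INTNET" -d "$UNIVERSE" -j ACCEPT

#############################################################
# RULES FOR TRAFFIC ORIGINATING ON THE LOCAL NETWORK THAT IS
# ALLOWED TO REACH THE FIREWALL ITSELF -
# THIS HAS NOTHING TO DO WITH WHAT IS FORWARDED THROUGH!!!
#############################################################

# Replies to the firewall's own connections towards the LAN
iptables -A INPUT -i "$INTIF" -s "$INTNET" -d "$INTIP" -m state \
  --state ESTABLISHED,RELATED -j ACCEPT

# ping/echo (the TCP/UDP echo service on port 7)
iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" --dport 7 -j ACCEPT
iptables -A INPUT -i "$INTIF" -p udp -s "$INTNET" -d "$UNIVERSE" --dport 7 -j ACCEPT

# Management console (internal only)
iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" --dport 10000 -j ACCEPT
iptables -A INPUT -i "$INTIF" -p udp -s "$INTNET" -d "$UNIVERSE" --dport 10000 -j ACCEPT

# FTP control channel
iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" --dport 21 -j ACCEPT
iptables -A INPUT -i "$INTIF" -p udp -s "$INTNET" -d "$UNIVERSE" --dport 21 -j ACCEPT

# Windows file sharing (same rule pair for each port, in the same order
# as the original)
for port in 135 136 137 138 139 445; do
  iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" --dport "$port" -j ACCEPT
  iptables -A INPUT -i "$INTIF" -p udp -s "$INTNET" -d "$UNIVERSE" --dport "$port" -j ACCEPT
done

# Secure mail protocols addressed TO THE FIREWALL ITSELF (IMAPS 993,
# POP3S 995). These only matter if a mail service listens on this host;
# mail traffic from LAN clients to servers on the internet never reaches
# INPUT, it is governed by the FORWARD chain.
iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" --dport 993 -j ACCEPT
iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" --dport 995 -j ACCEPT

# DNS requests
iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" --dport 53 -j ACCEPT
iptables -A INPUT -i "$INTIF" -p udp -s "$INTNET" -d "$UNIVERSE" --dport 53 -j ACCEPT

# ident/auth (disabled)
#iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" \
#  --dport 113 -j ACCEPT
#iptables -A INPUT -i "$INTIF" -p udp -s "$INTNET" -d "$UNIVERSE" \
#  --dport 113 -j ACCEPT

# ssh from the LAN
iptables -A INPUT -i "$INTIF" -p tcp -s "$INTNET" -d "$UNIVERSE" \
  --dport 22 -j ACCEPT

# WEB CACHE/PROXY SUPPORT USING A DANSGUARDIAN/SQUID SETUP
iptables -A INPUT -i "$INTIF" -p tcp --dport 8080 -j ACCEPT
# Transparently redirect LAN port-80 traffic to Dansguardian (port 8080).
# Only port 80 is intercepted; any other port (443, 993, 995, ...) is
# not touched by this REDIRECT and goes through FORWARD unchanged.
iptables -t nat -A PREROUTING -i "$INTIF" -p tcp \
  --dport 80 -j REDIRECT --to-ports 8080

# The original script had the following rule ACTIVE, directly under a
# comment saying it accepts anything on the external interface and is
# for testing only. It is now commented out: the first matching ACCEPT
# wins, so with it in place the default DROP policy and every external
# rule below (including the SSH rate limit) had no effect at all.
#iptables -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" -j ACCEPT

############################################################
# RULES FOR WHICH *INBOUND* TRAFFIC IS ALLOWED ON THE EXTERNAL
# INTERFACE - THIS IS THE CRITICAL PART!!!
# ANY SERVICE SPECIFIED HERE MUST BE EITHER PROVIDED BY THE
# FIREWALL ITSELF, OR THE PORT MUST BE FORWARDED TO SOME
# SPECIFIC MACHINE ON THE INTERNAL LAN.
# SEE BOTTOM OF SCRIPT FOR PORT FORWARDING EXAMPLE.
############################################################

# (ESTABLISHED,RELATED traffic on the external interface is accepted near
# the top of this chain, ahead of the ICMP drop.)

# ping/echo service
iptables -A INPUT -i "$EXTIF" -p tcp -s "$UNIVERSE" \
  -d "$EXTIP" --dport 7 -j ACCEPT
iptables -A INPUT -i "$EXTIF" -p udp -s "$UNIVERSE" \
  -d "$EXTIP" --dport 7 -j ACCEPT

# ident/auth (disabled)
#iptables -A INPUT -i "$EXTIF" -p tcp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 113 -j ACCEPT
#iptables -A INPUT -i "$EXTIF" -p udp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 113 -j ACCEPT

# ssh (no restrictions) - disabled; the rate-limited version further
# down is the one in use
#iptables -A INPUT -i "$EXTIF" -p tcp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 22 -j ACCEPT

# FTP Access (disabled)
#iptables -A INPUT -i "$EXTIF" -p tcp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 21 -j ACCEPT
#iptables -A INPUT -i "$EXTIF" -p udp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 20 -j ACCEPT

# WWW Access (disabled)
#iptables -A INPUT -i "$EXTIF" -p tcp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 80 -j ACCEPT
#iptables -A INPUT -i "$EXTIF" -p udp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 80 -j ACCEPT

# DAAPD Server (disabled)
#iptables -A INPUT -i "$EXTIF" -p tcp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 3689 -j ACCEPT
#iptables -A INPUT -i "$EXTIF" -p udp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 5353 -j ACCEPT

# Asterisk Server (disabled)
#iptables -A INPUT -i "$EXTIF" -p tcp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 5060 -j ACCEPT
#iptables -A INPUT -i "$EXTIF" -p udp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 5060 -j ACCEPT

# SSH from the internet, restricted: 3 new connections in a burst, then
# one per minute; anything beyond that is dropped without logging.
iptables -A INPUT -i "$EXTIF" -m tcp -p tcp --dport 22 -m state --state \
  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$EXTIF" -m tcp -p tcp --dport 22 -m state --state \
  NEW -m limit --limit 1/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -i "$EXTIF" -m tcp -p tcp --dport 22 -j DROP

# REMOTE MANAGEMENT (disabled)
#iptables -A INPUT -i "$EXTIF" -p tcp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 10000 -j ACCEPT
#iptables -A INPUT -i "$EXTIF" -p udp -s "$UNIVERSE" \
#  -d "$EXTIP" --dport 10000 -j ACCEPT

####################################################
# SEE SCRIPT AT BEGINNING OF THIS WEBPAGE TO
# LOCATE MORE SERVICES THAT YOU MIGHT WANT
#
# ADD YOUR OWN RULES
#####################################################

# Catch-all: everything else incoming is rejected and logged
iptables -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it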


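printf ' - Loading OUTPUT rulesets\n'

#######################################################################
# OUTPUT: traffic originating on the firewall itself. The chain is
# already flushed with a default policy of DROP.
#
# You will probably not need to modify these unless you want a
# "bombproof" firewall.

# Misrouted: packets for the LAN trying to leave via the external interface
iptables -A OUTPUT -o "$EXTIF" -s "$UNIVERSE" -d "$INTNET" -j drop-and-log-it

# Loopback is valid
iptables -A OUTPUT -o lo -j ACCEPT

# Anything from the firewall to the LAN on the internal interface is valid
iptables -A OUTPUT -o "$INTIF" -d "$INTNET" -j ACCEPT

# Anything else leaving on the external interface is valid (the proxy's
# outbound connections, DNS, updates, ...). This is where to tighten if
# the host itself must not initiate arbitrary outbound connections.
iptables -A OUTPUT -o "$EXTIF" -j ACCEPT

# Catch-all: everything else outgoing is rejected and logged
iptables -A OUTPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it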


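printf ' - Loading FORWARD rulesets\n'

#######################################################################
# FORWARD: traffic routed between the LAN and the internet (IP masquerading).
# The chain is already flushed with a default policy of DROP.

###############################################################
# ADD PORT FORWARDING RULES HERE
# ANY ENTRY HERE MUST HAVE A CORRESPONDING ENTRY IN THE
# "INPUT ON THE EXTERNAL INTERFACE" SECTION - SEE ABOVE
###############################################################

# EXAMPLE: forward external port 8080 to the LAN host 10.69.69.10:80.
# This comes in two parts: DNAT what arrives on the outside, and accept
# the rewritten packets in FORWARD.
#iptables -t nat -A PREROUTING -p tcp -i "$EXTIF" -d "$EXTIP" \
#  --dport 8080 -j DNAT --to 10.69.69.10:80
#iptables -A FORWARD -p tcp -i "$EXTIF" -d 10.69.69.10 --dport 80 -j ACCEPT

#########################################################
# RULES FOR TRAFFIC FORWARDED FROM THE INTERNAL INTERFACE
# TO THE EXTERNAL INTERFACE - this is not as critical as
# the INCOMING filter above, but still worthwhile
#########################################################

# Masquerade LAN traffic leaving on the external interface
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
# NOTE(review): masquerading on the *internal* interface as well rewrites
# the source of every forwarded packet delivered to the LAN to the
# firewall's own address, so LAN hosts never see the real origin (which
# defeats per-source logging or filtering on those hosts). It is only
# useful for DNAT "hairpin" setups; remove it if you do not rely on that.
iptables -t nat -A POSTROUTING -o "$INTIF" -j MASQUERADE

# Accept everything from the LAN to the internet. Possibly too lenient;
# comment it out to fall back to the per-service rules further down.
iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
# The original also had: iptables -A FORWARD -i 0.0.0.0 -o $EXTIF -j ACCEPT
# "-i" takes an interface NAME, not an address, so that rule could never
# match a packet; it has been removed.

# Replies for connections already in the state table
iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -m state \
  --state ESTABLISHED,RELATED -j ACCEPT

# Per-service rules for LAN-originated traffic. While the accept-all rule
# above is active none of these is ever reached; they take effect only
# when that rule is commented out.

# ICMP protocol necessary for ping, etc
iptables -A FORWARD -i "$INTIF" -p icmp -j ACCEPT

# high port numbers allowed out
iptables -A FORWARD -i "$INTIF" -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p udp --dport 1024:65535 -j ACCEPT

# ping/echo
iptables -A FORWARD -i "$INTIF" -p tcp --dport 7 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p udp --dport 7 -j ACCEPT

# DNS
iptables -A FORWARD -i "$INTIF" -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p udp --dport 53 -j ACCEPT

# ident/auth
iptables -A FORWARD -i "$INTIF" -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p udp --dport 113 -j ACCEPT

# ssh
iptables -A FORWARD -i "$INTIF" -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p udp --dport 22 -j ACCEPT

# http
iptables -A FORWARD -i "$INTIF" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p udp --dport 80 -j ACCEPT

# https
iptables -A FORWARD -i "$INTIF" -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p udp --dport 443 -j ACCEPT

# ftp
iptables -A FORWARD -i "$INTIF" -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p udp --dport 21 -j ACCEPT

# ssl pop (POP3S, 995) and ssl imap (IMAPS, 993) from the LAN to the
# internet. The two "--sport" rules match packets arriving on the
# INTERNAL interface with that source port; replies from a mail server on
# the internet arrive on $EXTIF instead and are covered by the
# ESTABLISHED,RELATED rule above, so the sport rules are not what lets
# mail replies back in.
iptables -A FORWARD -i "$INTIF" -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -m state --state ESTABLISHED,RELATED -p tcp --sport 995 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i "$INTIF" -m state --state ESTABLISHED,RELATED -p tcp --sport 993 -j ACCEPT

# Catch-all: everything else forwarded is rejected and logged
iptables -A FORWARD -j drop-and-log-it

printf ' Firewall server rule loading complete\n\n\n'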

----------------------------

Why would this traffic not be getting through? Any help would be very much appreciated.