  1. #1
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,809

    Unable to login SquirrelMail


    Hi folks,


    Ubuntu 7.04 server amd64
    SquirrelMail


    I can't login SquirrelMail if w/o running "sudo iptables -F'. So I tried to find out which rule on /etc/rc.local obstructs the connection. To my surprise after comment out all rules there I still can't login w/o running "sudo iptables -F".

    Adding the following rule did not help:
    Code:
    # allows incoming port 143
    iptables -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
    Replacing eth0 with the server IP address also did not help.


    Remark: ran "sudo /etc/init.d/rc.local start" after changing /etc/rc.local

    Please advise how to solve the problem. TIA


    B.R.
    satimis

  2. #2
    Just Joined!
    Join Date
    Dec 2007
    Posts
    23
    See my post on linuxquestions

    Is squirrelmail on the same box as your IMAP server? If so, eth0 is irrelevant. You may need a rule along the lines of

    iptables -A INPUT -p ALL -i lo --source 127.0.0.1 -j ACCEPT

  3. #3
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,809
    Quote Originally Posted by billymayday View Post
    See my post on linuxquestions
    Thanks for your advice.


    Yes, squirrelmail is on the same box as imap server.


    Performed the following steps:

    Edited /etc/rc.local

    Copied and pasted your line into the "INPUT" section.

    $ sudo /etc/init.d/rc.local start


    Start Squirrelmail and login. Result is the same w/o improvement.


    Do I need to make a change to /etc/hosts?

    $ cat /etc/hosts
    Code:
    127.0.0.1       localhost.localdomain   localhost
    192.168.0.10    mail.satimis.com        mail
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts
    TIA


    satimis

  4. #4
    Just Joined!
    Join Date
    Dec 2007
    Posts
    23
    Does your initial post mean that you can login if you run iptables -F?

    If not, did you configure squirrelmail?

  5. #5
    Just Joined!
    Join Date
    Dec 2007
    Posts
    23
    Note that iptables is additive - you need to flush the chains with iptables -F before you re-run your firewall rules in rc.local. If you don't, you're just adding rules to the bottom of the chain

  6. #6
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,809
    Quote Originally Posted by billymayday View Post
    Note that iptables is additive - you need to flush the chains with iptables -F before you re-run your firewall rules in rc.local. If you don't, you're just adding rules to the bottom of the chain
    Oh, thanks


    The following 2 rules must be commented out in /etc/rc.local
    Code:
    # reject all other traffic from localhost
    #iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
    
    # reject all other traffic from the management interface NIC
    #iptables -I OUTPUT 4 -j REJECT -s IP address --reject-with icmp-port-unreachable
    Adding your rule does not help.


    How to modify them? Thanks



    B.R.
    satimis

  7. #7
    Just Joined!
    Join Date
    Dec 2007
    Posts
    23
    Try posting your iptables rules. Sounds like you have a mess there

  8. #8
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,809
    Quote Originally Posted by billymayday View Post
    try posting your iptables rules. Sounds like you have a mess there
    $ cat /etc/rc.local
    Code:
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.
    
    #exit 0
    
    #
    # INPUT
    #
    
    # allow all incoming traffic from the management interface NIC
    # as long as it is a part of an established connection
    iptables -I INPUT 1 -j ACCEPT -d 220.232.213.178 -m state --state RELATED,ESTABLISHED
    
    # allow all ssh traffic to the management interface NIC
    iptables -I INPUT 2 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 22
    
    # allow all VMware MUI HTTP traffic to the management interface NIC
    iptables -I INPUT 3 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8222
    
    # allow all VMware MUI HTTPS traffic to the management interface NIC
    iptables -I INPUT 4 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8333
    
    # allow all VMware Authorization Daemon traffic to the management interface NIC
    iptables -I INPUT 5 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 902
    
    # reject all other traffic to the management interface NIC
    iptables -I INPUT 6 -j REJECT -d 220.232.213.178 --reject-with icmp-port-unreachable
    
    # allows squirrelmail input
    #iptables -A INPUT -p ALL -i lo --source 127.0.0.1 -j ACCEPT
    
    
    #
    # OUTPUT
    #
    
    # allow all outgoing traffic from the management interface NIC
    # if it is a part of an established connection
    iptables -I OUTPUT 1 -j ACCEPT -s 220.232.213.178 -m state --state RELATED,ESTABLISHED
    
    # allow all DNS queries from the management interface NIC
    iptables -I OUTPUT 2 -j ACCEPT -s 220.232.213.178 -p UDP --destination-port 53
    
    # reject all other traffic from localhost
    iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
    
    # reject all other traffic from the management interface NIC
    iptables -I OUTPUT 4 -j REJECT -s 220.232.213.178 --reject-with icmp-port-unreachable
    B.R.
    satimis

  9. #9
    Just Joined!
    Join Date
    Dec 2007
    Posts
    23
    OK - looks like you have a basic iptables configuration loading and you're adding bits in with rc.local (ie, not a whole script).

    Change the rule I gave you to

    iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT

    or similar (ie insert it rather than adding it - adding won't help if you have a DROP catchall rather than policy)

    If that doesn't work, post the output of

    iptables -L

    to show what rules are in play.

  10. #10
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,809
    Quote Originally Posted by billymayday View Post
    OK - looks like you have a basic iptables configuration loading and you're adding bits in with rc.local (ie, not a whole script).
    Yes. I copied the rules from the doc which I followed to build this virtual box.


    Quote Originally Posted by billymayday View Post
    Change the rule I gave you to

    iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT

    or similar (ie insert it rather than adding it - adding won't help if you have a DROP catchall rather than policy)
    $ sudo nano /etc/rc.local

    Copied your line into the file, replacing your previous rule.

    $ sudo iptables -F
    $ sudo /etc/init.d/rc.local start
    Code:
     * Running local boot scripts (/etc/rc.local)                                              [ OK ]
    Start SquirrelMail on Firefox:

    https://satimis.com/squirrelmail

    Login failed
    Code:
    ERROR
    Error connecting to IMAP server: localhost.
    110 : Connection timed out

    $ cat /etc/rc.local
    Code:
    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.
    
    #exit 0
    
    #
    # INPUT
    #
    
    # allow all incoming traffic from the management interface NIC
    # as long as it is a part of an established connection
    iptables -I INPUT 1 -j ACCEPT -d 220.232.213.178 -m state --state RELATED,ESTABLISHED
    
    # allow all ssh traffic to the management interface NIC
    iptables -I INPUT 2 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 22
    
    # allow all VMware MUI HTTP traffic to the management interface NIC
    iptables -I INPUT 3 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8222
    
    # allow all VMware MUI HTTPS traffic to the management interface NIC
    iptables -I INPUT 4 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8333
    
    # allow all VMware Authorization Daemon traffic to the management interface NIC
    iptables -I INPUT 5 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 902
    
    # reject all other traffic to the management interface NIC
    iptables -I INPUT 6 -j REJECT -d 220.232.213.178 --reject-with icmp-port-unreachable
    
    # allows squirrelmail input
    iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT
    
    #
    # OUTPUT
    #
    
    # allow all outgoing traffic from the management interface NIC
    # if it is a part of an established connection
    iptables -I OUTPUT 1 -j ACCEPT -s 220.232.213.178 -m state --state RELATED,ESTABLISHED
    
    # allow all DNS queries from the management interface NIC
    iptables -I OUTPUT 2 -j ACCEPT -s 220.232.213.178 -p UDP --destination-port 53
    
    # reject all other traffic from localhost
    iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
    
    # reject all other traffic from the management interface NIC
    iptables -I OUTPUT 4 -j REJECT -s 220.232.213.178 --reject-with icmp-port-unreachable
    The last 2 OUTPUT 4 and 5 rules are critical. If they are commented out, login w/o problem. Now I can't even start squirrelmail with:

    https://localhost/squirrelmail

    on the server.


    Quote Originally Posted by billymayday View Post
    If that doesn't work, post the output of

    iptables -L

    to show what rules are in play.
    $ sudo iptables -L
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     0    --  anywhere             220.232.213.178     state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             220.232.213.178     tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             220.232.213.178     tcp dpt:8222 
    ACCEPT     tcp  --  anywhere             220.232.213.178     tcp dpt:8333 
    ACCEPT     tcp  --  anywhere             220.232.213.178     tcp dpt:vmware-authd 
    REJECT     0    --  anywhere             220.232.213.178     reject-with icmp-port-unreachable 
    ACCEPT     0    --  localhost.localdomain  anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     0    --  220.232.213.178      anywhere            state RELATED,ESTABLISHED 
    ACCEPT     udp  --  220.232.213.178      anywhere            udp dpt:domain 
    REJECT     0    --  localhost.localdomain  anywhere            reject-with icmp-port-unreachable 
    REJECT     0    --  220.232.213.178      anywhere            reject-with icmp-port-unreachable

    satimis
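A first-match model of the chains discussed in this thread, added here as an example and not code from the posts: it parses the posted OUTPUT rules in iptables syntax, shows that SquirrelMail's SYN to the local IMAP server hits the `-s 127.0.0.1` REJECT, that a loopback ACCEPT appended with -A lands behind that REJECT while one inserted with -I does not, and that re-running the same commands without a flush doubles the rules. The packet, the option table and the function names are constructed for the demo; only the matches the posted rules use are modelled.

```python
import shlex
MGMT = "220.232.213.178"  # management NIC address from the posted rc.local
# Options parsed -> packet field tested (None: argument consumed, no match effect)
OPTS = {"-j": "target", "-s": "src", "--source": "src", "-d": "dst", "-p": "proto",
        "-i": "in", "-o": "out", "--dport": "dport", "--destination-port": "dport",
        "--state": "state", "-m": None, "--reject-with": None}

def parse_rule(cmd):
    """'iptables ...' -> (chain, position, rule); position is None for -A."""
    t, rule, chain, pos, i = shlex.split(cmd), {}, None, None, 1
    while i < len(t):
        if t[i] == "-A":
            chain, i = t[i + 1], i + 2
        elif t[i] == "-I":  # demo assumes -I always carries a position number
            chain, pos, i = t[i + 1], int(t[i + 2]), i + 3
        elif t[i] in OPTS:
            if OPTS[t[i]]:
                rule[OPTS[t[i]]] = t[i + 1].lower() if t[i] == "-p" else t[i + 1]
            i += 2
        else:
            raise ValueError("unsupported option: " + t[i])
    return chain, pos, rule

def load(chains, commands):
    """Apply in order, as rc.local does; nothing flushes, so reruns add rules again."""
    for cmd in commands:
        chain, pos, rule = parse_rule(cmd)
        lst = chains.setdefault(chain, [])
        lst.insert(len(lst) if pos is None else pos - 1, rule)
    return chains

def matches(r, pkt):
    ok = all(r[f] in ("all", pkt.get(f)) for f in ("src", "dst", "proto", "in", "out", "dport") if f in r)
    return ok and ("state" not in r or pkt["state"] in r["state"].split(","))

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """Target of the first matching rule; the chain policy only if none match."""
    for r in chains.get(chain, []):
        if matches(r, pkt):
            return r["target"]
    return policy

POSTED_OUTPUT = [  # the OUTPUT section of the rc.local posted in the thread
    "iptables -I OUTPUT 1 -j ACCEPT -s %s -m state --state RELATED,ESTABLISHED" % MGMT,
    "iptables -I OUTPUT 2 -j ACCEPT -s %s -p UDP --destination-port 53" % MGMT,
    "iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable",
    "iptables -I OUTPUT 4 -j REJECT -s %s --reject-with icmp-port-unreachable" % MGMT,
]
# Constructed packet: SquirrelMail's TCP SYN to the IMAP server on localhost.
IMAP_SYN = {"src": "127.0.0.1", "dst": "127.0.0.1", "in": "lo", "out": "lo",
            "proto": "tcp", "dport": "143", "state": "NEW"}
```

Evaluate `verdict(load({}, POSTED_OUTPUT), "OUTPUT", IMAP_SYN)` to see the REJECT, then load the same list with an extra `iptables -A OUTPUT -o lo -j ACCEPT` versus `iptables -I OUTPUT 1 -o lo -j ACCEPT` to compare append against insert.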
