Unable to log in to SquirrelMail

12-09-2007 #1 Linux Guru (Join Date: Sep 2004, Posts: 1,546)
Hi folks,
Ubuntu 7.04 server amd64
SquirrelMail
I can't log in to SquirrelMail without running "sudo iptables -F". So I tried to find out which rule in /etc/rc.local obstructs the connection. To my surprise, after commenting out all the rules there I still can't log in without running "sudo iptables -F".
Adding the following rule did not help; replacing eth0 with the server IP address also did not help.
Code:
# allows incoming port 143
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
Remark: ran "sudo /etc/init.d/rc.local start" after changing /etc/rc.local
Please advise how to solve the problem. TIA
B.R.
satimis
12-09-2007 #2 Just Joined! (Join Date: Dec 2007, Posts: 23)
See my post on linuxquestions
Is squirrelmail on the same box as your imap server? If so, eth0 is irrelevant. You may need a rule along the lines of
iptables -A INPUT -p ALL -i lo --source 127.0.0.1 -j ACCEPT
12-09-2007 #3 Linux Guru (Join Date: Sep 2004, Posts: 1,546)
Thanks for your advice.
Yes, squirrelmail is on the same box as imap server.
Performed the following steps:
Edited /etc/rc.local
Copied and pasted your line into the "INPUT" section.
$ sudo /etc/init.d/rc.local start
Started SquirrelMail and logged in. The result is the same, without improvement.
Do I need to make a change to /etc/hosts?
$ cat /etc/hosts
Code:
127.0.0.1 localhost.localdomain localhost
192.168.0.10 mail.satimis.com mail

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
TIA
satimis
12-09-2007 #4 Just Joined! (Join Date: Dec 2007, Posts: 23)
Does your initial post mean that you can login if you run iptables -F?
If not, did you configure squirrelmail?
12-09-2007 #5 Just Joined! (Join Date: Dec 2007, Posts: 23)
Note that iptables is additive: you need to flush the chains with iptables -F before you re-run your firewall rules in rc.local. If you don't, you're just adding rules to the bottom of the chain.
12-09-2007 #6 Linux Guru (Join Date: Sep 2004, Posts: 1,546)
Oh, thanks
The following 2 rules must be commented out in /etc/rc.local. Adding your rule does not help.
Code:
# reject all other traffic from localhost
#iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# reject all other traffic from the management interface NIC
#iptables -I OUTPUT 4 -j REJECT -s IP address --reject-with icmp-port-unreachable
How to modify them? Thanks
B.R.
satimis
12-09-2007 #7 Just Joined! (Join Date: Dec 2007, Posts: 23)
Try posting your iptables rules. Sounds like you have a mess there.
12-10-2007 #8 Linux Guru (Join Date: Sep 2004, Posts: 1,546)
$ cat /etc/rc.local
Code:
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#exit 0

#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 220.232.213.178 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 902
# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 220.232.213.178 --reject-with icmp-port-unreachable
# allows squirrelmail input
#iptables -A INPUT -p ALL -i lo --source 127.0.0.1 -j ACCEPT

#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 220.232.213.178 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 220.232.213.178 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s 220.232.213.178 --reject-with icmp-port-unreachable

B.R.
satimis
12-10-2007 #9 Just Joined! (Join Date: Dec 2007, Posts: 23)
OK, looks like you have a basic iptables configuration loading and you're adding bits in with rc.local (i.e. not a whole script).
Change the rule I gave you to
iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT
or similar (i.e. insert it rather than adding it; adding won't help if you have a DROP catch-all rule rather than a policy).
If that doesn't work, post the output of
iptables -L
to show what rules are in play.
12-10-2007 #10 Linux Guru (Join Date: Sep 2004, Posts: 1,546)
Yes. I copied the rules from the doc which I followed to build this virtual box.

Quote:
Change the rule I gave you to
iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT
or similar (i.e. insert it rather than adding it; adding won't help if you have a DROP catch-all rule rather than a policy)

$ sudo nano /etc/rc.local
Copied your line into the file, replacing your previous rule.

$ sudo iptables -F
$ sudo /etc/init.d/rc.local start
Code:
* Running local boot scripts (/etc/rc.local) [ OK ]

Started SquirrelMail on Firefox:
https://satimis.com/squirrelmail

Login failed
Code:
ERROR
Error connecting to IMAP server: localhost.
110 : Connection timed out

$ cat /etc/rc.local
Code:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#exit 0

#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 220.232.213.178 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 902
# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 220.232.213.178 --reject-with icmp-port-unreachable
# allows squirrelmail input
iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT

#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 220.232.213.178 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 220.232.213.178 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s 220.232.213.178 --reject-with icmp-port-unreachable

The last 2 OUTPUT rules, 4 and 5, are critical. If they are commented out, login works without problem. Now I can't even start SquirrelMail with
https://localhost/squirrelmail
on the server.

Quote:
If that doesn't work, post the output of
iptables -L
to show what rules are in play.

$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source                 destination
ACCEPT     0    --  anywhere               220.232.213.178     state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere               220.232.213.178     tcp dpt:ssh
ACCEPT     tcp  --  anywhere               220.232.213.178     tcp dpt:8222
ACCEPT     tcp  --  anywhere               220.232.213.178     tcp dpt:8333
ACCEPT     tcp  --  anywhere               220.232.213.178     tcp dpt:vmware-authd
REJECT     0    --  anywhere               220.232.213.178     reject-with icmp-port-unreachable
ACCEPT     0    --  localhost.localdomain  anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source                 destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source                 destination
ACCEPT     0    --  220.232.213.178        anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  220.232.213.178        anywhere            udp dpt:domain
REJECT     0    --  localhost.localdomain  anywhere            reject-with icmp-port-unreachable
REJECT     0    --  220.232.213.178        anywhere            reject-with icmp-port-unreachable

satimis
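To see why the rule set posted in #10 rejects the login, and why the point made in #5 about flushing before re-running rc.local matters, here is a small first-match simulator run over those exact iptables lines. It is an added example, not code from this thread or from the iptables project. It models only the options the posted rc.local uses, compares addresses literally (no CIDR), treats conntrack state as a label on the packet, and assumes the ACCEPT chain policies shown in the iptables -L output above. The packet it evaluates is constructed: the SYN that SquirrelMail's PHP sends to the IMAP server on 127.0.0.1:143 over lo. The two loopback ACCEPT rules in fixed_ruleset() are my suggested fix, not something this page arrives at.

```python
"""First-match simulator for the iptables filter chains posted in this thread (added example,
not the poster's code and not iptables).  It understands only what the posted rc.local uses:
-A/-I/-F, -s/-d/-i/-o/-p, --dport, -m state --state, -j, --reject-with; no CIDR matching."""
import shlex
from typing import Dict, List, Optional, Tuple

ALIASES = {"--destination-port": "--dport", "--source": "-s", "--destination": "-d"}
PORT_NAMES = {"ssh": "22", "domain": "53", "imap": "143", "vmware-authd": "902"}


class Firewall:
    def __init__(self) -> None:          # each chain is an ordered list of (target, {option: value})
        self.chains: Dict[str, List[Tuple[str, Dict[str, str]]]] = {"INPUT": [], "FORWARD": [], "OUTPUT": []}

    def run(self, line: str) -> None:
        """Apply one 'iptables ...' command line: -F flushes, -A appends, -I inserts at a position."""
        argv = shlex.split(line)[1:]                     # drop the leading "iptables"
        op = argv.pop(0)
        if op == "-F":                                   # flush one named chain, or every chain
            for name in argv[:1] or list(self.chains):
                self.chains[name].clear()
            return
        chain = self.chains[argv.pop(0)]
        pos = int(argv.pop(0)) if op == "-I" and argv and argv[0].isdigit() else 1
        target, match = "", {}
        for opt, val in zip(argv[::2], argv[1::2]):      # every option used here takes a value
            opt = ALIASES.get(opt, opt)
            if opt == "-j":
                target = val
            elif opt in ("-m", "--reject-with") or (opt == "-p" and val.upper() == "ALL"):
                continue                                 # no effect on what the rule matches
            elif opt in ("--dport", "--sport"):
                match[opt] = PORT_NAMES.get(val, val)
            else:
                match[opt] = val.lower() if opt == "-p" else val
        if op == "-A":
            chain.append((target, match))
        else:                                            # -I: iptables refuses positions past the end
            if pos > len(chain) + 1:
                raise ValueError("Index of insertion too big")
            chain.insert(pos - 1, (target, match))

    def evaluate(self, chain: str, pkt: Dict[str, str]) -> Tuple[str, Optional[int]]:
        """First matching rule wins: returns (verdict, 1-based rule number) or (policy, None)."""
        for n, (target, match) in enumerate(self.chains[chain], 1):
            if all(pkt["state"] in want.split(",") if opt == "--state" else pkt.get(opt) == want
                   for opt, want in match.items()):
                return target, n
        return "ACCEPT", None                            # chain policy, as in the -L output above

    def load(self, script: str) -> None:
        for line in script.splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                self.run(line)


# The iptables lines of the /etc/rc.local in post #10 (comments dropped).
RC_LOCAL = """
iptables -I INPUT 1 -j ACCEPT -d 220.232.213.178 -m state --state RELATED,ESTABLISHED
iptables -I INPUT 2 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 22
iptables -I INPUT 3 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8222
iptables -I INPUT 4 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8333
iptables -I INPUT 5 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 902
iptables -I INPUT 6 -j REJECT -d 220.232.213.178 --reject-with icmp-port-unreachable
iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT
iptables -I OUTPUT 1 -j ACCEPT -s 220.232.213.178 -m state --state RELATED,ESTABLISHED
iptables -I OUTPUT 2 -j ACCEPT -s 220.232.213.178 -p UDP --destination-port 53
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
iptables -I OUTPUT 4 -j REJECT -s 220.232.213.178 --reject-with icmp-port-unreachable
"""

# Constructed packet: the SYN SquirrelMail (PHP on the same box) sends to IMAP on 127.0.0.1:143.
IMAP_SYN = {"-s": "127.0.0.1", "-d": "127.0.0.1", "-i": "lo", "-o": "lo",
            "-p": "tcp", "--dport": "143", "state": "NEW"}


def thread_ruleset() -> Firewall:
    fw = Firewall()
    fw.load(RC_LOCAL)
    return fw


def fixed_ruleset() -> Firewall:
    """Same rules with loopback accepted ahead of the REJECTs (my suggestion, not the thread's fix)."""
    fw = thread_ruleset()
    fw.run("iptables -I INPUT 1 -i lo -j ACCEPT")
    fw.run("iptables -I OUTPUT 1 -o lo -j ACCEPT")
    return fw


def rerun_without_flush() -> int:
    """INPUT rule count after rc.local runs a second time with no iptables -F in between."""
    fw = thread_ruleset()
    fw.load(RC_LOCAL)
    return len(fw.chains["INPUT"])


if __name__ == "__main__":
    fw = thread_ruleset()
    print("INPUT", fw.evaluate("INPUT", IMAP_SYN), "OUTPUT", fw.evaluate("OUTPUT", IMAP_SYN))
    print("fixed OUTPUT", fixed_ruleset().evaluate("OUTPUT", IMAP_SYN))
    print("INPUT rules after two unflushed runs:", rerun_without_flush())
```

Run it and the OUTPUT chain reports ('REJECT', 3): the `-s 127.0.0.1` REJECT that #6 had already singled out, which no earlier OUTPUT rule exempts because rule 1 only covers RELATED,ESTABLISHED traffic from the management address. INPUT already accepts the packet at rule 7, so inserting a loopback rule into INPUT alone could never help. After iptables -F both chains fall through to the ACCEPT policy, which is exactly the symptom described in #1. rerun_without_flush() returns 14: every unflushed run of rc.local doubles the INPUT chain, with the new -I positions pushing the previous rules down. On the real box, iptables -L -n -v --line-numbers shows the same positions together with packet counters, which is the quickest way to confirm which rule is actually matching.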