  1. #1

    Unable to log in to SquirrelMail


    Hi folks,


    Ubuntu 7.04 server amd64
    SquirrelMail


    I can't log in to SquirrelMail without running "sudo iptables -F". So I tried to find out which rule in /etc/rc.local obstructs the connection. To my surprise, after commenting out all the rules there I still can't log in without running "sudo iptables -F".

    Adding the following rules did not help:
    Code:
    # allows incoming port 143
    iptables -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
    Replacing eth0 with Server IP address also did not help.


    Remark: I ran "sudo /etc/init.d/rc.local start" after changing /etc/rc.local.

    Please advise how to solve the problem. TIA


    B.R.
    satimis

  2. #2
    See my post on linuxquestions

    Is squirrelmail on the same box as your imap server? If so, eth0 is irrelevant. You may need a rule along the lines of

    iptables -A INPUT -p ALL -i lo --source 127.0.0.1 -j ACCEPT

  3. #3
    Quote Originally Posted by billymayday:
    See my post on linuxquestions
    Thanks for your advice.


    Yes, squirrelmail is on the same box as imap server.


    Performed the following steps:

    Edited /etc/rc.local

    Copied and pasted your line into the "Input" section.

    $ sudo /etc/init.d/rc.local start


    Started SquirrelMail and logged in. The result is the same, without improvement.


    Do I need to make a change to /etc/hosts?

    $ cat /etc/hosts
    Code:
    127.0.0.1       localhost.localdomain   localhost
    192.168.0.10    mail.satimis.com        mail
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts
    TIA


    satimis

  5. #4
    Does your initial post mean that you can login if you run iptables -F?

    If not, did you configure squirrelmail?

  6. #5
    Note that iptables is additive - you need to flush the chains with iptables -F before you re-run your firewall rules in rc.local. If you don't, you're just adding rules to the bottom of the chain.

  7. #6
    Quote Originally Posted by billymayday:
    Note that iptables is additive - you need to flush the chains with iptables -F before you re-run your firewall rules in rc.local. If you don't, you're just adding rules to the bottom of the chain.
    Oh, thanks


    The following 2 rules must be commented out in /etc/rc.local:
    Code:
    # reject all other traffic from localhost
    #iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
    
    # reject all other traffic from the management interface NIC
    #iptables -I OUTPUT 4 -j REJECT -s IP address --reject-with icmp-port-unreachable
    Adding your rule does not help.


    How to modify them? Thanks



    B.R.
    satimis

  8. #7
    Try posting your iptables rules. Sounds like you have a mess there.

  9. #8
    Quote Originally Posted by billymayday:
    Try posting your iptables rules. Sounds like you have a mess there.
    $ cat /etc/rc.local
    Code:
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.
    
    #exit 0
    
    #
    # INPUT
    #
    
    # allow all incoming traffic from the management interface NIC
    # as long as it is a part of an established connection
    iptables -I INPUT 1 -j ACCEPT -d 220.232.213.178 -m state --state RELATED,ESTABLISHED
    
    # allow all ssh traffic to the management interface NIC
    iptables -I INPUT 2 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 22
    
    # allow all VMware MUI HTTP traffic to the management interface NIC
    iptables -I INPUT 3 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8222
    
    # allow all VMware MUI HTTPS traffic to the management interface NIC
    iptables -I INPUT 4 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8333
    
    # allow all VMware Authorization Daemon traffic to the management interface NIC
    iptables -I INPUT 5 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 902
    
    # reject all other traffic to the management interface NIC
    iptables -I INPUT 6 -j REJECT -d 220.232.213.178 --reject-with icmp-port-unreachable
    
    # allows squirrelmail input
    #iptables -A INPUT -p ALL -i lo --source 127.0.0.1 -j ACCEPT
    
    
    #
    # OUTPUT
    #
    
    # allow all outgoing traffic from the management interface NIC
    # if it is a part of an established connection
    iptables -I OUTPUT 1 -j ACCEPT -s 220.232.213.178 -m state --state RELATED,ESTABLISHED
    
    # allow all DNS queries from the management interface NIC
    iptables -I OUTPUT 2 -j ACCEPT -s 220.232.213.178 -p UDP --destination-port 53
    
    # reject all other traffic from localhost
    iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
    
    # reject all other traffic from the management interface NIC
    iptables -I OUTPUT 4 -j REJECT -s 220.232.213.178 --reject-with icmp-port-unreachable
    B.R.
    satimis

  10. #9
    OK - looks like you have a basic iptables configuration loading and you're adding bits in with rc.local (ie, not a whole script).

    Change the rule I gave you to

    iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT

    or similar (ie insert it rather than adding it - adding won't help if you have a DROP catchall rather than policy)

    If that doesn't work, post the output of

    iptables -L

    to show what rules are in play.

  11. #10
    Quote Originally Posted by billymayday:
    OK - looks like you have a basic iptables configuration loading and you're adding bits in with rc.local (ie, not a whole script).
    Yes. I copied the rules from the doc which I followed to build this virtual box.


    Change the rule I gave you to

    iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT

    or similar (ie insert it rather than adding it - adding won't help if you have a DROP catchall rather than policy)
    $ sudo nano /etc/rc.local

    Copied your line on the file replacing your previous rule.

    $ sudo iptables -F
    $ sudo /etc/init.d/rc.local start
    Code:
     * Running local boot scripts (/etc/rc.local)                                              [ OK ]
    Started SquirrelMail in Firefox:

    https://satimis.com/squirrelmail

    Login failed
    Code:
    ERROR
    Error connecting to IMAP server: localhost.
    110 : Connection timed out

    $ cat /etc/rc.local
    Code:
    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.
    
    #exit 0
    
    #
    # INPUT
    #
    
    # allow all incoming traffic from the management interface NIC
    # as long as it is a part of an established connection
    iptables -I INPUT 1 -j ACCEPT -d 220.232.213.178 -m state --state RELATED,ESTABLISHED
    
    # allow all ssh traffic to the management interface NIC
    iptables -I INPUT 2 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 22
    
    # allow all VMware MUI HTTP traffic to the management interface NIC
    iptables -I INPUT 3 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8222
    
    # allow all VMware MUI HTTPS traffic to the management interface NIC
    iptables -I INPUT 4 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 8333
    
    # allow all VMware Authorization Daemon traffic to the management interface NIC
    iptables -I INPUT 5 -j ACCEPT -p TCP -d 220.232.213.178 --destination-port 902
    
    # reject all other traffic to the management interface NIC
    iptables -I INPUT 6 -j REJECT -d 220.232.213.178 --reject-with icmp-port-unreachable
    
    # allows squirrelmail input
    iptables -I INPUT 7 -p ALL -i lo --source 127.0.0.1 -j ACCEPT
    
    #
    # OUTPUT
    #
    
    # allow all outgoing traffic from the management interface NIC
    # if it is a part of an established connection
    iptables -I OUTPUT 1 -j ACCEPT -s 220.232.213.178 -m state --state RELATED,ESTABLISHED
    
    # allow all DNS queries from the management interface NIC
    iptables -I OUTPUT 2 -j ACCEPT -s 220.232.213.178 -p UDP --destination-port 53
    
    # reject all other traffic from localhost
    iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
    
    # reject all other traffic from the management interface NIC
    iptables -I OUTPUT 4 -j REJECT -s 220.232.213.178 --reject-with icmp-port-unreachable
    The last 2 rules, OUTPUT 4 and 5, are critical. If they are commented out, I can log in without problem. Now I even can't start SquirrelMail with:

    https://localhost/squirrelmail

    on the server.


    If that doesn't work, post the output of

    iptables -L

    to show what rules are in play.
    $ sudo iptables -L
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     0    --  anywhere             220.232.213.178     state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             220.232.213.178     tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             220.232.213.178     tcp dpt:8222 
    ACCEPT     tcp  --  anywhere             220.232.213.178     tcp dpt:8333 
    ACCEPT     tcp  --  anywhere             220.232.213.178     tcp dpt:vmware-authd 
    REJECT     0    --  anywhere             220.232.213.178     reject-with icmp-port-unreachable 
    ACCEPT     0    --  localhost.localdomain  anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     0    --  220.232.213.178      anywhere            state RELATED,ESTABLISHED 
    ACCEPT     udp  --  220.232.213.178      anywhere            udp dpt:domain 
    REJECT     0    --  localhost.localdomain  anywhere            reject-with icmp-port-unreachable 
    REJECT     0    --  220.232.213.178      anywhere            reject-with icmp-port-unreachable

    satimis
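The thread ends without a fix, so here is an added example of how an rc.local-style rule set could be restructured; it is my own script, not satimis's file and not a rule billymayday posted. It pulls together the two points made above: flush before re-running (post #5) and get the loopback rule ahead of the rejects (post #9). It also accepts loopback traffic in the OUTPUT chain, because the listing in post #10 shows a REJECT on source 127.0.0.1 in OUTPUT sitting in the path of the webmail-to-IMAP connection on the same box; that diagnosis is mine, not something the thread states. MGMT_IP (192.0.2.10, a documentation address) stands in for the management interface, the IPT variable defaults to a dry run that prints the commands instead of executing them, and loopback_before_reject is a helper I wrote to check the emitted rule order.

```shell
#!/bin/sh -e
# Added example: an rc.local-style firewall script, not the thread's file.
# MGMT_IP is a placeholder for the management interface address.
MGMT_IP="${MGMT_IP:-192.0.2.10}"
# Dry run by default: print the iptables commands instead of executing them.
# Run as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

apply_rules() {
    # 1. Flush first. iptables is additive, so re-running the script without
    #    this step stacks a second copy of every rule under the first.
    $IPT -F INPUT
    $IPT -F OUTPUT

    # 2. Loopback first, in BOTH directions. Webmail on this box reaches the
    #    IMAP server as 127.0.0.1 -> 127.0.0.1:143; that traffic is locally
    #    generated, so it traverses OUTPUT as well as INPUT.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 3. Management interface: established sessions, then the services it offers
    #    (ssh and the VMware MUI ports from the thread's rc.local).
    $IPT -A INPUT -d "$MGMT_IP" -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in 22 8222 8333 902; do
        $IPT -A INPUT -d "$MGMT_IP" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A OUTPUT -s "$MGMT_IP" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -s "$MGMT_IP" -p udp --dport 53 -j ACCEPT

    # 4. Catch-all rejects go last. Everything above is appended in order,
    #    so no '-I CHAIN N' position numbers are needed.
    $IPT -A INPUT  -d "$MGMT_IP" -j REJECT --reject-with icmp-port-unreachable
    $IPT -A OUTPUT -s "$MGMT_IP" -j REJECT --reject-with icmp-port-unreachable
}

# Sanity check on the emitted rule list (hypothetical helper): in the given
# chain the loopback ACCEPT must come before the first REJECT, otherwise local
# services are cut off again. Exit status 0 means the order is right.
loopback_before_reject() {
    apply_rules | awk -v chain="$1" '
        $2 == "-A" && $3 == chain && /-[io] lo / && /-j ACCEPT/ && !acc { acc = NR }
        $2 == "-A" && $3 == chain && /-j REJECT/ && !rej { rej = NR }
        END { exit !(acc && rej && acc < rej) }'
}

apply_rules
for chain in INPUT OUTPUT; do
    loopback_before_reject "$chain" && echo "# $chain: loopback accepted before reject" >&2
done
```

Run it as `sh firewall.sh` to see the command list, and `IPT=iptables sh firewall.sh` as root to apply it. Afterwards `iptables -L -n -v` prints the in/out interface columns, so the lo ACCEPT should be visible at the top of both INPUT and OUTPUT; plain `iptables -L`, as used in the thread, hides the interface and makes a loopback rule look like a bare "localhost to anywhere" entry.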
