IPTABLES help requested

 
 
Gururajan Ramachandran
09-06-2004, 02:01 PM
I am having two problems with iptables. Some websites are
inaccessible and SMTP is not working correctly. The following do not
work:
telnet localhost 25
telnet 127.0.0.1 25
telnet hostname 25
telnet private_ip 25

Maybe someone can tell me what is wrong with my script? My knowledge
of iptables is rudimentary. Maybe I am missing something else related
to the "/proc" directory? I tried the "pmtu" stuff to correct the
problem with some websites being inaccessible but it did not work so I
commented it out. Thanks.

echo "1" > /proc/sys/net/ipv4/ip_forward
LAN=eth0
WAN=eth1
PRIVATE=<localnet/localmask>
LOOP=127.0.0.1
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
# drop loopback and RFC 1918 sources arriving on the WAN side
/sbin/iptables -A INPUT -i ${WAN} -s $LOOP -j DROP
/sbin/iptables -A FORWARD -i ${WAN} -s $LOOP -j DROP
/sbin/iptables -A INPUT -i ${WAN} -d $LOOP -j DROP
/sbin/iptables -A FORWARD -i ${WAN} -d $LOOP -j DROP
/sbin/iptables -A FORWARD -i ${WAN} -s 192.168.0.0/16 -j DROP
/sbin/iptables -A FORWARD -i ${WAN} -s 172.16.0.0/12 -j DROP
/sbin/iptables -A FORWARD -i ${WAN} -s 10.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -i ${WAN} -s 192.168.0.0/16 -j DROP
/sbin/iptables -A INPUT -i ${WAN} -s 172.16.0.0/12 -j DROP
/sbin/iptables -A INPUT -i ${WAN} -s 10.0.0.0/8 -j DROP
# keep NetBIOS traffic off the WAN
/sbin/iptables -A FORWARD -p tcp --sport 137:139 -o ${WAN} -j DROP
/sbin/iptables -A FORWARD -p udp --sport 137:139 -o ${WAN} -j DROP
/sbin/iptables -A OUTPUT -p tcp --sport 137:139 -o ${WAN} -j DROP
/sbin/iptables -A OUTPUT -p udp --sport 137:139 -o ${WAN} -j DROP
/sbin/iptables -A FORWARD -s ! $PRIVATE -i ${LAN} -j DROP
# loopback addresses and local services
/sbin/iptables -A INPUT -s $LOOP -j ACCEPT
/sbin/iptables -A INPUT -d $LOOP -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport smtp -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport http -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -i ${LAN} -j ACCEPT
/sbin/iptables -A FORWARD -i ${LAN} -j ACCEPT
#/sbin/iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -A OUTPUT -m state --state NEW -o ${WAN} -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -o ${WAN} -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -t nat -A POSTROUTING -s $PRIVATE -o ${WAN} -j MASQUERADE
# forward RDP from the WAN to one internal host
/sbin/iptables -A PREROUTING -t nat -i ${WAN} -p tcp --dport 3389 -j DNAT --to <private_ip>
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i ${WAN} -s <ip_range> -p tcp --dport 3389 -j ACCEPT
#/sbin/iptables -I INPUT -i ${WAN} -m state --state INVALID,NEW -j LOG --log-prefix "IPTABLES: " --log-level info
#/sbin/iptables -I FORWARD -i ${WAN} -m state --state INVALID,NEW -j LOG --log-prefix "IPTABLES: " --log-level info
/sbin/iptables -A FORWARD -p tcp --dport 3389 -j LOG --log-level info --log-prefix "RDT: "
 
Alex Harsch
09-06-2004, 03:49 PM
Gururajan Ramachandran wrote:

> I am having two problems with iptables. Some websites are
> inaccessible and SMTP is not working correctly. The following do not
> work:
> telnet localhost 25
> telnet 127.0.0.1 25
> telnet hostname 25
> telnet private_ip 25
>
> Maybe someone can tell me what is wrong with my script? My knowledge
> of iptables is rudimentary. Maybe I am missing something else related
> to the "/proc" directory? I tried the "pmtu" stuff to correct the
> problem with some websites being inaccessible but it did not work so I
> commented it out. Thanks.

Hello,

take a look with nmap to see whether your port 25 is open at all. By
default, postfix will usually listen only on localhost. To open localhost,
try
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
Alex
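To see which rule in the script above actually decides a local connection to port 25, here is a small rule walker, added as an example (it is not from the thread and not part of any iptables tool). It models only the match options the script's INPUT chain uses (-i, -s, -d, -p, --dport, --state), keeps a constructed subset of that chain in the script's order with WAN=eth1 and LAN=eth0, and assumes that a connection from the host to one of its own addresses arrives on lo with that address as both source and destination; 192.168.1.10 and port 3306 are constructed sample values.

```python
import ipaddress
import shlex

# Constructed subset of the script's INPUT chain, in its order (WAN=eth1, LAN=eth0, policy DROP);
# the remaining WAN anti-spoof rules and the ICMP, ssh, http and 443 rules are left out.
INPUT_RULES = [
    "-i eth1 -s 127.0.0.1 -j DROP",
    "-s 127.0.0.1 -j ACCEPT",
    "-d 127.0.0.1 -j ACCEPT",
    "-p tcp --dport smtp -j ACCEPT",
    "-i eth0 -j ACCEPT",
    "-m state --state ESTABLISHED,RELATED -j ACCEPT",
]

def parse_rule(text):
    """Turn one rule into {option: value}; only the match options the script uses are understood."""
    rule, toks = {}, shlex.split(text)
    for opt, val in zip(toks[::2], toks[1::2]):      # every option here takes exactly one value
        if opt in ("-s", "-d"):
            val = ipaddress.ip_network(val, strict=False)
        elif opt == "--dport":
            val = int({"ssh": 22, "smtp": 25, "http": 80}.get(val, val))
        elif opt == "--state":
            val = set(val.split(","))
        rule[opt] = val                               # "-m state" is stored but never matched on
    return rule

def matches(rule, pkt):
    """True when every match option present in the rule is satisfied by the packet."""
    return (rule.get("-i", pkt["in"]) == pkt["in"]
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and rule.get("--dport", pkt["dport"]) == pkt["dport"]
            and ipaddress.ip_address(pkt["src"]) in rule.get("-s", ipaddress.ip_network("0.0.0.0/0"))
            and ipaddress.ip_address(pkt["dst"]) in rule.get("-d", ipaddress.ip_network("0.0.0.0/0"))
            and pkt["state"] in rule.get("--state", {pkt["state"]}))

def verdict(rules, pkt, policy="DROP"):
    """Walk the chain top down: (rule number, target) of the first match, else (None, policy)."""
    for n, rule in enumerate(map(parse_rule, rules), 1):
        if matches(rule, pkt):
            return n, rule["-j"]
    return None, policy

def local_connect(addr, dport):
    """Constructed packet: a new TCP connection from this host to its own address, seen on lo."""
    return {"in": "lo", "src": addr, "dst": addr, "proto": "tcp", "dport": dport, "state": "NEW"}

def compare(addr, dport):
    """Verdicts of the script's chain and of the same chain with Alex's '-i lo -j ACCEPT' first."""
    pkt = local_connect(addr, dport)
    return verdict(INPUT_RULES, pkt), verdict(["-i lo -j ACCEPT"] + INPUT_RULES, pkt)
```

For a new local SMTP connection the script's chain already accepts at rule 2 (the -s 127.0.0.1 rule) or rule 4 (the smtp rule), which is why checking whether anything listens on port 25 at all is the right next step; a local connection to the LAN address on a port without its own rule falls through to the DROP policy, and only the '-i lo -j ACCEPT' rule covers that case regardless of address.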
 
Hoerdt Mickael
09-06-2004, 04:34 PM
Hello,

I would like to know if someone is aware of any project implementing
IPv6 multicast forwarding in the linux kernel ?

Thank you,

Hoerdt Mickael
 
P Gentry
09-07-2004, 04:07 AM
Hoerdt Mickael wrote:
> Hello,
>
> I would like to know if someone is aware of any project implementing
> IPv6 multicast forwarding in the linux kernel ?
>
> Thank you,
>
> Hoerdt Mickael


Not clear what you have in mind -- ipv6 and multicast forwarding have
been in the kernel for years:
/proc/sys/net/ipv4/conf/mc_forwarding as seen on my old box:

[@pbrain]$ cd /proc/sys/net/ipv4/conf/all
[@pbrain all]$ ls
accept_redirects forwarding proxy_arp shared_media
accept_source_route log_martians rp_filter tag
arp_filter mc_forwarding secure_redirects
bootp_relay medium_id send_redirects
[@pbrain all]$ cat mc_forwarding
0

Though dated it's still very useful:
http://www.tldp.org/HOWTO/Multicast-HOWTO.html

Setting it all up is quite an exercise -- especially if you need a
multicast routing daemon ;-)

hth,
prg
email above disabled
 
P Gentry
09-07-2004, 04:24 AM
Hoerdt Mickael wrote:
> Hello,
>
> I would like to know if someone is aware of any project implementing
> IPv6 multicast forwarding in the linux kernel ?
>
> Thank you,
>
> Hoerdt Mickael


Sorry I hit the send button when trying to paste in these examples of
current activity:

http://lwn.net/Articles/94565/
Just a note on the ipv6 stack and multicasting work on the tables.
Evidently folks have decided to take a long look at the stack code
;-)/

http://lwn.net/Articles/66224/
http://freshmeat.net/projects/ecmh/

You might try this search while there:
ipv6 multicast

regards,
prg
email above disabled
 