When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the chain, then it is accepted.
But he uses -I without a number, i.e. every line is inserted as the first line of the chain, so the real list of rules will be reversed (the last rule will be "DROP").
To vlad88: Check what the FORWARD chain actually contains (with "iptables -L FORWARD -v -n" on the router's command line). It tells you (almost) everything you want to know about why it is not working.
BTW, use '-A' instead of '-I'. It means "Append" and you will write the rules exactly in the order they are processed (more readable, I think). You must change the order of the rules, of course. It will not resolve your problem; it is only for better readability.
About your rules: you do not define the outgoing/incoming interface, so your rules will be applied in both directions (incoming and also outgoing traffic). I think this is the main problem.
Full rules that allow traffic only to Gmail should probably look like this:
Code:
# flush the existing FORWARD rules and build user chains for the allowed destinations
# (-N fails if a chain already exists; on a rerun flush it with -F instead)
iptables -F FORWARD
iptables -N Gmail_smtp_IPs
iptables -A Gmail_smtp_IPs -d 209.85.129.109 -j ACCEPT
iptables -A Gmail_smtp_IPs -d 209.85.129.111 -j ACCEPT
iptables -N Gmail_imap_IPs
iptables -A Gmail_imap_IPs -d 72.14.221.109 -j ACCEPT
iptables -A Gmail_imap_IPs -d 72.14.221.111 -j ACCEPT
# replies to connections that were already accepted
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# new connections from the LAN side only, to the allowed ports, checked against the IP chains;
# a packet that matches no ACCEPT in the user chain returns here and hits the final DROP
iptables -A FORWARD -i br0 -p tcp -m multiport --dports 465,587 -j Gmail_smtp_IPs
iptables -A FORWARD -i br0 -p tcp --dport 993 -j Gmail_imap_IPs
iptables -A FORWARD -j DROP
(br0 is the bridge interface which contains all LAN ports. That is how it is on my dd-wrt, so I hope it will be the same on yours. The chains Gmail_smtp_IPs and Gmail_imap_IPs should be filled with the appropriate IP addresses.)
I hope I have not forgotten something. _________________ Asus RT-N16 - working ip6tables for K2.6 wanted.
Sorry for my "english".
Last edited by kmarty on Wed Apr 28, 2010 22:17; edited 4 times in total
About your rules: you do not define the outgoing/incoming interface, so your rules will be applied in both directions (incoming and also outgoing traffic). I think this is the main problem.
Yep, that's the main problem. A secondary problem is that the domain names are looked up when the rule is added and the resulting IP is added instead of the domain name. For a site like google that uses many mirrors, it's possible that you'll allow a single one of their mirrors but not the others. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
... For a site like google that uses many mirrors, it's possible that you'll allow a single one of their mirrors but not the others.
This is exactly what I found just now when I tried to write example rules for Gmail.
Normally you would also need to do a "whois" on those addresses, but in the case of google they are all their addresses.....
I wouldn't differentiate between those ports... For what reason? They are not listening anyhow and you are making your iptables more complicated than necessary.
This is how I would do it if I wanted it _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
I don't think this is a good method for getting the IP addresses of SMTP servers which accept connections _from clients_ (for e-mail submission). SPF is for server-to-server, not client-to-server (or server-to-client); you have no assurance that you allowed the right IPs (if SPF is set very strictly).
Next (but this is vlad88's decision), allowing IPs generally is not always good (for example: you don't want to allow any way of web browsing, but you do want to allow sending e-mails. In this case, you have allowed access through Google cache or Google Translate).
I don't think this is a good method for getting the IP addresses of Gmail SMTP servers which accept connections _from clients_ (for e-mail submission).
I know how it works! (I even use DKIM beside SPF on my own domains)....
SPF is for sending... but I would only use it to find out their complete subnet with 'whois'. This would also cover their incoming MTAs.
Anyhow, this wasn't necessary at all as I quickly found out those subnets completely corresponded with their complete subnets...
It's a lot easier for them to maintain (I work for an ISP and I have to think about these things too.)
You did notice how big those subnets are?
Have you found any MX-record which is not among these subnets?
If you don't use those complete subnets you will not be able to reach their service if they suddenly change the IP of some of their incoming mailservers.
Chances are quite slim they will be able to place an incoming server outside one of these subnets....
It's a lot easier for them to maintain (I work for an ISP and I have to think about these things too.)
You did notice how big those subnets are?
I noticed only that you want to allow a huge number of IP addresses just because a few of them have the service you want, that's all.
OK, take it. I don't know enough English for this debate.
Those incoming servers can change for various reasons......
You're already blocking the whole world...
With those 2 extra rules you end up with only ports 465 to 993 on Google's subnets...
What can go wrong here?
The SPF-records represent the IP-space which the Google employees think they could be used for an MTA in the future....
The SPF-records represent the IP-space which the Google employees think they could be used for an MTA in the future....
But the MTA which _sends_ e-mails (with sender ..@gmail.com) to another MTA does not necessarily receive from a MUA.
Again, an SPF record is not about clients, it is about server-to-server only.
You are completely missing the point....
Of course I know the SPF is about sending and not receiving. There's no need to repeat that.
The SPF record is just a means for me to obtain Google's subnets. Some ISPs have separate subnets for their clients and subnets for their services. If one of the SPFs had been 209.85.129.0/24 I would still have advised making it 209.85.128.0/17.
A 'whois 209.85.128.0' would have given me this subnet. Google is not an access provider (AFAIK), but normally the IPs of those clients wouldn't be represented in their SPF records..
If you limit your access to only those 4 IPs you will one day find yourself unable to access their services. They may change their A records for whatever reason from 209.85.129.109 to, for instance, 209.85.129.112
Unless you have some inside information about Google's policies you can never be sure those IPs are enough. By defining their SPFs as big as they already are, they already tell you how flexible they can be....
The Internet is dynamic....
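frater's method above, deriving candidate subnets from an SPF record and then checking that the addresses the mail servers actually resolve to sit inside them, written out as an added example. It is not frater's own script and not anything shipped with dd-wrt. The SPF text inside it is constructed for the example and is not Google's real published record; on a live system the TXT record would be fetched with nslookup or dig and passed to spf_networks. The function names, the sample record and its single include: term are assumptions of the example. include:, a and mx terms need further DNS lookups and are only reported, so the resulting list is a lower bound for what the record allows.

```shell
#!/bin/sh
# Added example (not code from the thread or from dd-wrt). Extracts the ip4:
# networks from an SPF record and checks whether a given mail-server address
# falls inside one of them. SAMPLE_SPF below is CONSTRUCTED for the example;
# it is not Google's real record. Live data would come from
#   nslookup -type=txt _spf.google.com   (or: dig +short txt _spf.google.com)

# Dotted quad -> 32-bit integer (needed for the mask arithmetic).
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# spf_networks "<record text>": one CIDR per line for every ip4: term.
# A bare ip4:ADDR is a single host (/32). include:, a and mx terms need more
# DNS lookups, so they are only reported on stderr; the list is therefore a
# lower bound for what the record allows.
spf_networks() {
    for term in $1; do
        case $term in
            ip4:*/*) echo "${term#ip4:}" ;;
            ip4:*)   echo "${term#ip4:}/32" ;;
            include:*|a|a:*|mx|mx:*) echo "unresolved SPF term: $term" >&2 ;;
        esac
    done
}

# in_cidr ADDR NET/BITS: exit 0 when ADDR lies inside the network.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    addr_int=$(ip2int "$1"); net_int=$(ip2int "$net")
    [ $(( addr_int & mask )) -eq $(( net_int & mask )) ]
}

# covered_by ADDR "<cidr list>": print the first matching network, exit 1 if none.
covered_by() {
    for cidr in $2; do
        if in_cidr "$1" "$cidr"; then echo "$cidr"; return 0; fi
    done
    return 1
}

# Constructed sample record (NOT real DNS data). The /17 is the one frater
# mentions; the /18 is invented so that the 72.14.221.x addresses fall inside it.
SAMPLE_SPF='v=spf1 ip4:209.85.128.0/17 ip4:72.14.192.0/18 include:_netblocks2.example.com ~all'

nets=$(spf_networks "$SAMPLE_SPF" 2>/dev/null)

# The A records resolved in the thread, plus one address that is nowhere in the record.
for host in 209.85.129.109 72.14.221.111 198.51.100.7; do
    if n=$(covered_by "$host" "$nets"); then
        echo "$host is inside $n"
    else
        echo "$host is not covered by any ip4: term"
    fi
done
```

The point of the check is the one made in the thread: an address obtained by resolving smtp.gmail.com once is a snapshot, while an ip4: block in the published SPF record is a range the operator has declared for its mail infrastructure. Running the resolved addresses through covered_by shows whether a whitelist built from the SPF blocks would still contain them, and which block each one lands in.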
OK, now it is much better for me to read (my fault, I know; I said my English is not good).
I still have some comments about it, but it is beyond my ability to write them in English (and in addition, I don't want to be here for quarreling).
I tried this rule with no luck:
iptables -A FORWARD -i br0 -p tcp -d mupi.com.sv -j ACCEPT
Can it be that v24 micro does not support the -d option?
I don't think so.
Option '-d' ('--destination' when used as a long parameter) is the standard parameter for the destination IP address/network (the same kind of standard parameter as '-s'/'--source' for the source IP address or '-p'/'--protocol' for the protocol).
When a hostname is used instead of an IP address, iptables tries to resolve it to an IP address and adds that when successful (but phuzi0n already answered this).
The 'iptables' command is very trimmed down in dd-wrt. When an error occurs, it should print an error message. But in dd-wrt it is silent (it looks like everything is OK, but it is not).
I prefer (and recommend) using numeric IP addresses/networks in netfilter rules, not DNS names. It avoids these "mysterious" errors.
About using the name of the interface, I tend toward frater's version: get it from nvram and use the variable instead of using the interface name directly (better portability). I didn't know that the WAN/LAN iface can be retrieved from nvram, that's why I didn't use it.
Only one thing, I am not sure if:
Code:
ifLAN=`nvram get lan_ifname`
can be used to retrieve the LAN iface, the same way this is used for the WAN iface:
Code:
ifWAN=`nvram get wan_iface`
If so, it will be good. Can someone confirm it?
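The rule set kmarty posted earlier in the thread and the nvram interface question in this last post, combined into one script as an added example. This is not kmarty's or frater's code and not part of dd-wrt. It appends with -A so the listing matches evaluation order, binds new connections to the LAN-side interface, refuses hostnames so nothing is silently frozen to a one-time DNS answer, and takes the LAN interface from nvram with br0 as the fallback. It only prints the rules unless APPLY=1 is set, so it can be checked on any machine before it is run on the router. The nvram variable name lan_ifname, the chain name allowed_dests and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from dd-wrt). Builds a LAN -> Internet
# whitelist in the FORWARD chain in the order netfilter evaluates it.
# Dry run by default: rules are printed, not applied. Set APPLY=1 on the router
# to execute them. The nvram variable name lan_ifname and the br0 fallback are
# assumptions of this example.

IPT=${IPT:-iptables}

# LAN interface name from nvram when available, else the br0 bridge.
lan_iface() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get lan_ifname
    else
        echo br0
    fi
}

# Print or apply one rule; the dry run is then identical to the real run.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# Accept only a dotted quad with an optional /prefix. A hostname would be
# resolved once at insert time and silently frozen to that address, so it is
# refused here instead.
is_ipv4_cidr() {
    case $1 in ""|*[!0-9./]*) return 1 ;; esac
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    case $prefix in ""|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_forward_rules LAN_IFACE PORTS "ADDR ..."
# Rules are appended (-A) so that `iptables -L FORWARD -v -n` lists them in the
# order they are evaluated:
#   1. replies to sessions already accepted
#   2. new TCP from the LAN side to PORTS, checked against the destination chain
#   3. explicit DROP, because an unmatched packet would otherwise fall through
#      to the chain policy (ACCEPT on this router)
gen_forward_rules() {
    lan=$1; ports=$2; dests=$3
    rule -F FORWARD
    rule -N allowed_dests 2>/dev/null   # -N fails harmlessly if the chain exists
    rule -F allowed_dests
    for d in $dests; do
        if is_ipv4_cidr "$d"; then
            rule -A allowed_dests -d "$d" -j ACCEPT
        else
            echo "skipping non-numeric destination: $d" >&2
        fi
    done
    rule -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A FORWARD -i "$lan" -p tcp -m multiport --dports "$ports" -j allowed_dests
    rule -A FORWARD -j DROP
}

# The addresses resolved in the thread, used here as a sample whitelist
# (they are only a snapshot of what the names resolved to at the time).
gen_forward_rules "$(lan_iface)" 465,587,993 \
    "209.85.129.109 209.85.129.111 72.14.221.109 72.14.221.111"
```

On the router, `APPLY=1 sh script.sh` applies the rules; compare the dry-run output with `iptables -L FORWARD -v -n` afterwards, since dd-wrt's trimmed iptables may not report an error. Keeping the destinations in their own chain means the whitelist can be refreshed with `iptables -F allowed_dests` followed by new -A lines, without rewriting FORWARD.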