firewall port forward help

I am running a server on SUSE 11; all is well except for one problem.

A local ISP blocks ports 25, 465 and 587 for their SMTP email server.

Some of the clients on my email server use this ISP, and I can NOT get them to send with any email client.

I am working with some people on the ISPConfig forum for help, and they suggested using port forward in the firewall to use another port. I tried ports 8825 and 8025, no joy.

My question is about the firewall and if I am doing it properly.

Here is what I did:
YaST > Security and Users > Firewall > Custom Rules:
Source network = 0/0 (allow all)
Protocol = TCP
Destination port = smtp (25)
Source port = 8825

I also did port 8025 the same way.


Those steps sound correct. Did you also unblock port 8025? I don't know
for sure, but you may need to do that as well under Allowed Services (in
the Advanced section where you can specify the port explicitly). What did
you see in the logs for the firewall (/var/log/firewall), the system
(/var/log/messages), or the SMTP server when you had this setup? Any
connection attempts/refusals? How did you test the port? Try netcat.

Good luck.

BoloMarkIII wrote:
> I am running a server on SUSE 11; all is well except for one problem.
>
> A local ISP blocks ports 25, 465 and 587 for their SMTP email server.
>
> Some of the clients on my email server use this ISP, and I can NOT get
> them to send with any email client.
>
> I am working with some people on the ISPConfig forum for help, and they
> suggested using port forward in the firewall to use another port. I
> tried ports 8825 and 8025, no joy.
>
> My question is about the firewall and if I am doing it properly.
>
> Here is what I did:
> YaST > Security and Users > Firewall > Custom Rules:
> Source network = 0/0 (allow all)
> Protocol = TCP
> Destination port = smtp (25)
> Source port = 8825
>
> I also did port 8025 the same way.

Yes, I opened the ports in Allowed Services > Advanced; still no joy.

Here is an excerpt from the firewall log:

Mar 16 14:45:41 vserver1 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=08:00:27:77:28:01:00:15:f2:04:22:af:08:00 SRC=98.22.60.227 DST=98.22.60.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7268 DF PROTO=TCP SPT=2585 DPT=8825 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A07ACE4710000000001030307)
Mar 16 14:46:12 vserver1 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=08:00:27:77:28:01:00:15:f2:04:22:af:08:00 SRC=98.22.60.227 DST=98.22.60.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18881 DF PROTO=TCP SPT=28707 DPT=8025 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A07AD02C10000000001030307)

The mail log tells nothing as the client does not connect.

Destination port = smtp (25)
Source port = 8825

Get it?

No, that's the problem.

CLI syntax is not my strong suit, so even after reading man and Google, netcat is no help.

It should work, but there is still something I am missing.

Testing with a laptop with XP Pro x32 using Outlook Express, and I have access to 3 local ISPs.

Works great; I can send on 2 of the ISPs using ports 25, 465 or 587, but my forward ports don't work on any ISP, so I am guessing it's not working.

It's very simple: you mix up source port (SPT) and destination port (DPT).

Your firewall log shows clearly that it's blocking incoming traffic on the destination ports (sic!) 8025/8825.

Filtering by source port is completely senseless in your case (and in most other cases).

As Churchill said: “No --sports” :slight_smile:
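To make the SPT/DPT distinction in the log excerpt above concrete, here is an added example (my own code, not from anyone in this thread) that parses SuSEfirewall2 log lines, pulls out source and destination ports, counts verdicts per destination port, and emulates a custom rule keyed on either port. It assumes the ACC/DROP/REJ token in the SFW2-... prefix is the verdict; the third log line is constructed to show a dropped packet alongside the two accepted ones from the thread.

```python
import re
from collections import Counter

# The two accepted lines quoted in the thread, plus one constructed DROP line
# (not from the thread) so that both verdicts appear in the sample.
SAMPLE_LOG = """\
Mar 16 14:45:41 vserver1 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=08:00:27:77:28:01:00:15:f2:04:22:af:08:00 SRC=98.22.60.227 DST=98.22.60.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7268 DF PROTO=TCP SPT=2585 DPT=8825 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A07ACE4710000000001030307)
Mar 16 14:46:12 vserver1 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=08:00:27:77:28:01:00:15:f2:04:22:af:08:00 SRC=98.22.60.227 DST=98.22.60.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18881 DF PROTO=TCP SPT=28707 DPT=8025 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A07AD02C10000000001030307)
Mar 16 14:47:03 vserver1 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=08:00:27:77:28:01:00:15:f2:04:22:af:08:00 SRC=198.51.100.7 DST=98.22.60.231 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# SuSEfirewall2 prefixes netfilter log lines with SFW2-<chain>-<verdict>-<rule>.
# Assumption: ACC means the packet was accepted, DROP/REJ that it was denied.
TAG_RE = re.compile(r"SFW2-(?P<chain>\w+)-(?P<verdict>ACC|DROP|REJ)-(?P<rule>\w+)")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs; OUT= is legitimately empty

def parse_line(line):
    """Return the verdict and connection tuple of one SFW2 log line, or None."""
    tag = TAG_RE.search(line)
    if not tag:
        return None
    kv = dict(KV_RE.findall(line))
    return {
        "verdict": tag.group("verdict"),
        "src": kv.get("SRC"), "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,  # client's ephemeral port
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,  # port the client connected to
        "syn": " SYN " in line,                           # new connection attempt
    }

def parse_log(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]

def verdicts_by_dport(packets):
    """Count TCP connection attempts (SYN) per (destination port, verdict)."""
    counts = Counter()
    for p in packets:
        if p["proto"] == "TCP" and p["syn"]:
            counts[(p["dpt"], p["verdict"])] += 1
    return counts

def rule_matches(packet, port, field):
    """Emulate a custom rule keyed on 'spt' (Source port) or 'dpt' (Destination port)."""
    return packet["proto"] == "TCP" and packet[field] == port
```

Running `verdicts_by_dport(parse_log(SAMPLE_LOG))` shows the SYNs to 8825 and 8025 were accepted, and `rule_matches(..., 8825, "spt")` matches none of them because 8825 only ever appears as a destination port.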

BoloMarkIII wrote:
> No, that's the problem.
>
> CLI syntax is not my strong suit, so even after reading man and Google,
> netcat is no help.
>
> It should work, but there is still something I am missing.
>
> Testing with a laptop with XP Pro x32 using Outlook Express, and I have
> access to 3 local ISPs.
>
> Works great; I can send on 2 of the ISPs using ports 25, 465 or 587, but
> my forward ports don't work on any ISP, so I am guessing it's not working.

Of course it's not.
How can you expect a mail server, or any server for that matter, to change its mind
about the port it listens on, just because someone decides to send mail to
some random port number?
The Internet doesn't work that way, thank heavens.

If the ISP has decided to block mail server ports, there's nothing you can do
about it, besides voting with your wallet and finding a better ISP.