1

Topic: firewall?

So this is a fresh baked Debian 10.6 install with iRedMail v 1.3.2 installed... everything is working fine (apart from pro not installing without breaking iredadmin, but that's another thread).

During install the script asks if I want to allow iredadmin to manage the firewall... I hit "y"... now when I check iptables -L I note there are NO RULES SET!!!

As far as I can tell iRedAdmin is NOT setting up rules...

I am about to just load some rules based on https://docs.iredmail.org/network.ports.html... my question is this: am I missing something? Is iRedAdmin managing the firewall and I'm just not seeing it? Because if so, port 22 should be closed on the public network and it clearly is not.


2

Re: firewall?

On Debian 10, the firewall rule config file is /etc/nftables.conf. Do you have it?

3

Re: firewall?

ZhangHuangbin wrote:

On Debian 10, the firewall rule config file is /etc/nftables.conf. Do you have it?

Which explains why the firewall is dead.

The file exists... however, in the minimal install of Debian 10.6 (which I am running), what is being used is iptables-nft, which is basically a fancy iptables wrapper for nftables. YES, the service being called is ultimately nftables. However, nft commands don't work because the binary doesn't exist, which means nftables.conf doesn't work.

So my choices are install nftables, or change my config and manage the firewall myself.

For anyone else running a Debian Buster config (this includes Raspbian), you can install nftables (I suggest installing it BEFORE running the iRedMail config script):

# apt-get install nftables
# systemctl enable nftables.service

OR you can just apply the rules using iptables commands:

# iptables -A INPUT -i lo -j ACCEPT
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp --dport 587 -j ACCEPT
# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# iptables -A INPUT -p tcp --dport 995 -j ACCEPT
# iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# iptables -A INPUT -j DROP
# iptables -A OUTPUT -j ACCEPT
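An added example, not from this thread and not iRedMail's own code: a small POSIX sh script that renders the iptables rules posted above as an nftables ruleset in /etc/nftables.conf syntax, which is the file iRedMail reads on Debian 10 once the nftables package is installed. The function names (render_nftables_conf, join_ports, check_ruleset) and the IREDMAIL_PORTS variable are my own; the port list copies the post, so SSH (22) is not included and the file should be applied from a console session, or with 22 added for your admin source addresses, to avoid locking yourself out. The check step uses nft -c -f, the dry-run syntax check, and reports the exact failure mode described in the post (no nft binary) instead of silently skipping.

```shell
#!/bin/sh
# Added example (not from the thread or from iRedMail): render the iptables
# rules posted above as an nftables ruleset in /etc/nftables.conf syntax,
# the file iRedMail reads on Debian 10 once the nftables package is present.

# Port list copied from the post (hypothetical variable name). SSH (22) is
# deliberately absent, as in the post, so apply this from a console session
# or add 22 restricted to your admin addresses first.
IREDMAIL_PORTS="80 443 25 587 110 995 143 993"

# Join space-separated ports into the "a, b, c" form used inside an nft set.
join_ports() {
    set_body=""
    for p in $1; do
        set_body="${set_body:+$set_body, }$p"
    done
    printf '%s' "$set_body"
}

# Emit a complete nftables.conf: loopback and established/related traffic
# accepted, the listed TCP ports accepted, everything else inbound dropped,
# outbound allowed. Same policy as the iptables commands in the post.
render_nftables_conf() {
    portset=$(join_ports "$1")
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport { $portset } accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check a rendered file without loading it (nft -c is the dry-run
# flag). Returns 2 when the nft binary is missing, which is the situation
# the thread describes on a minimal Debian 10.6 install.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft binary not found: install the nftables package first" >&2
        return 2
    fi
    nft -c -f "$1"
}

# Usage: sh firewall.sh render > /etc/nftables.conf.new
#        sh firewall.sh check /etc/nftables.conf.new
case "${1:-}" in
    render) render_nftables_conf "$IREDMAIL_PORTS" ;;
    check)  check_ruleset "$2" ;;
esac
```

After the check passes, move the file into place and run systemctl restart nftables; iptables -L will then show the rules through the iptables-nft wrapper, and nft list ruleset shows them natively.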

4

Re: firewall?

narrington wrote:

nft commands don't work because the binary doesn't exist

This is not the expected result.

Check lines 581-587 here:
https://github.com/iredmail/iRedMail/bl … es.sh#L581

The iRedMail installer will install the package "nftables" on Debian 10.
I wonder whether there was any error on the console while installing iRedMail (maybe an apt repo issue), but I guess it's not possible to get it now. Could you be so kind as to help test it again and reproduce the error with a VM?