topic Re: IPTABLES - SMTP in Operating System - Linux

IPTABLES - SMTP

Piotr Kirklewski — Wed, 13 Jun 2007 07:01:34 GMT

Hi there

I have set my itables firewall succesfuly, everythink works, but today I have found that it stops SMTP to send the e-mails.

I dont understand why as port 25 is ACCEPTED.

If I disable the firewall then I'm able to send e-mail.If the firewall is on, then e-mails are not going outside.

I was trying to restart master as I'm using postfix, but it wont help.

The only one way to hev e e-mail going out is to disable firewall puting iptables -I INPUT -J ACCEPT.

Can enyone help ?

============================================

Chain INPUT (policy DROP 443 packets, 52393 bytes)
num pkts bytes target prot opt in out source destination
1 5009 1448K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 1685 365K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state RELATED,ESTABLISHED
4 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
5 2083 161K ACCEPT tcp -- eth0 * 81.150.xxx.xxx 217.174.xxx.xxx tcp dpt:22 state RELATED,ESTABLISHED
6 4 192 ACCEPT tcp -- eth0 * 81.150.xxx.xxx 217.174.xxx.xxx tcp dpt:22 state NEW
7 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state RELATED,ESTABLISHED
8 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
9 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state RELATED,ESTABLISHED
10 1 71 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
11 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state RELATED,ESTABLISHED
12 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
13 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state RELATED,ESTABLISHED
14 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
15 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state RELATED,ESTABLISHED
16 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state NEW
17 17 1292 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
18 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
19 188K 12M ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state RELATED,ESTABLISHED
20 356 21360 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state NEW
21 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 state RELATED,ESTABLISHED
22 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 state NEW
23 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 state RELATED,ESTABLISHED
24 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 state NEW
25 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8002 state RELATED,ESTABLISHED
26 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8002 state NEW
27 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9001 state RELATED,ESTABLISHED
28 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9001 state NEW
29 0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
30 4527 272K ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
31 0 0 ACCEPT tcp -- eth0 * 217.xxx.xxx.xxx 217.xxx.xxx.xxx tcp dpt:22 state RELATED,ESTABLISHED
32 0 0 ACCEPT tcp -- eth0 * 217.xxx.xxx.xxx 217.xxx.xxx.xxx tcp dpt:22 state NEW

Re: IPTABLES - SMTP

Steven E. Protter — Wed, 13 Jun 2007 07:10:58 GMT

Shalom,

There is not enough information to answer your question.

Port 25 is obviously being blocked outbound on this configuration, but your data does not indicate that.

I would guess the default OUTPUT policy is drop. Check /etc/sysconfig/iptables to see if thats true.

To fix it.

1) http://www.fs-security.com It has a gui and handles most problems easily except inbound block lists. It uses iptables commands and you can learn from it.

2) Add a rule with iptables -A OUTPUT -d all --port=25 -J ACCEPT

You'll have to play with that a bit to make the syntax work.

SEP

Re: IPTABLES - SMTP

Piotr Kirklewski — Wed, 13 Jun 2007 08:11:22 GMT

That's my OUTPUT chain - as you see the deafault policy is ACCEPT so any packet not defined as DROP should go -right ?

Chain OUTPUT (policy ACCEPT 181 packets, 13459 bytes)
pkts bytes target prot opt in out source destination
1033K 538M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
96M 131G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25

Re: IPTABLES - SMTP

Ivan Ferreira — Wed, 13 Jun 2007 08:31:30 GMT

And why you suppose that is a firewall related problem?

Try this:

telnet some.mail.host 25

If you can connect via command line, is not a firewall problem.

Check what is going on with your mails in /var/log/maillog.

Re: IPTABLES - SMTP

Piotr Kirklewski — Wed, 13 Jun 2007 10:37:12 GMT

Because if I'll do:

/sbin/iptables -I INPUT -j ACCEPT

Then evwrythink works fine :)

telnet 217.174.xxx.xxx 25
Trying 217.174.xxx.xxx...
Connected to server217-174-xxx-xxx.live-servers.net (217.174.xxx.xxx).
Escape character is '^]'.
220 as1.markexxx.com ESMTP Postfix

And i can send e-mails.

Without that I can't e-mail nor telnet my server on 25.

Regards

Re: IPTABLES - SMTP

Alexander Chuzhoy — Wed, 13 Jun 2007 10:54:30 GMT

Hi nagileon,
Why do you use 2 rules:
13 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state RELATED,ESTABLISHED
14 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW

Did you try to have 1 instead:
iptables -I INPUT -p tcp --dport 25 -j ACCEPT

Re: IPTABLES - SMTP

Piotr Kirklewski — Wed, 13 Jun 2007 11:54:18 GMT

3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25

Not working as well.

Regards

Re: IPTABLES - SMTP

Alexander Chuzhoy — Thu, 14 Jun 2007 00:59:49 GMT

Should be dpt:25, not spt:25

Re: IPTABLES - SMTP

Stuart Browne — Thu, 14 Jun 2007 01:17:13 GMT

You do know that you don't need to have individual RELATED,ESTABLISHED rules per port, right? Just one will do.