
Server: Debian Buster.

In nftables.conf I have:

chain INPUT {
    ..
    tcp dport { 25, 465, 587, 993 } log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, IMAPS"
    ..
    log prefix "nft nac: " comment "not accepted"
}
chain OUTPUT {
    ..
    tcp sport { 25, 465, 587, 993 } log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, IMAPS"
    ..
    log prefix "nft nac: " comment "not accepted"
}

When I send an email through Dovecot / Postfix,

the nft smtp log shows nothing

the nft nac log (not accepted) says:

IN= OUT=eth0 SRC=188.166.29.7 DST=159.65.66.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41257 DF PROTO=TCP SPT=58228 DPT=25

mail.info says: Connection timed out.

Apparently nftables does not accept port 25, although it should. I do not understand why.

What is going wrong?

2 Answers


Your log shows a packet leaving your Ethernet interface (OUTPUT) with a destination port of 25. What your firewall is allowing in the OUTPUT chain is packets with a TCP source port of 25.

What you likely want to do - instead of filtering by source port in the output chain - is to allow outgoing connections associated with existing (tracked) connections.

What you likely intended but have not yet added to your firewall rules is an OUTGOING rule that allows you to send outgoing mail - that would be TCP connections with a destination port of 25.

anx
  • You are right, I believe. Thank you. I am new to nftables and copied most of the conf from a server configuration file. – nulacomputers Jan 08 '21 at 09:35
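A ruleset along the lines this answer describes, added here as an example (it is not the configuration from the question or from the answer): inbound mail is matched on the destination port in INPUT, outbound delivery on the destination port in OUTPUT, and connection tracking carries the reply traffic in both directions, so no sport rules are needed. The drop policies, the loopback and DNS rules and the `inet` table name are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not the question's or the answer's configuration): a minimal
# /etc/nftables.conf for a Postfix/Dovecot host with the direction fixed.
# Drop policies, loopback handling and the DNS rules are assumptions.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        # Replies to connections this host opened (Postfix delivering to a
        # remote MX) arrive here; conntrack lets them in without a sport rule.
        ct state established,related accept
        ct state invalid drop

        # Inbound SMTP, SMTPS, submission, IMAPS: match the destination port.
        tcp dport { 25, 465, 587, 993 } ct state new log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, IMAPS"

        log prefix "nft nac: " comment "not accepted"
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        # Our replies to inbound SMTP/IMAP sessions are already tracked, so the
        # original "tcp sport { 25 ... }" rule is unnecessary. It also never
        # matched outbound delivery, whose source port is ephemeral (58228 in
        # the question's log line).
        ct state established,related accept

        # Outbound delivery: Postfix connects *to* port 25 on the remote MX,
        # so the OUTPUT rule must match dport, not sport.
        tcp dport 25 ct state new log prefix "nft smtp out: " accept comment "outgoing mail"

        # MX lookups (assumption: no local caching resolver on this host).
        udp dport 53 ct state new accept
        tcp dport 53 ct state new accept

        log prefix "nft nac: " comment "not accepted"
    }
}
```

With this layout the "nft nac: " log lines should only show traffic that is genuinely unexpected, which makes them useful as a detection signal instead of noise.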

To check what is happening, I put the following code in nftables.conf.

For the INPUT chain

tcp sport { 25,465,587} log prefix "nft smtp1: " accept
tcp dport { 25,465,587} log prefix "nft smtp2: " accept

For the OUTPUT chain

tcp dport { 25,465,587} log prefix "nft smtp3: " accept
tcp sport { 25,465,587} log prefix "nft smtp4: " accept

In /etc/rsyslog.d/10-nftables.conf

:msg, contains, "nft smtp1" -/var/log/nft_smtp1.log
:msg, contains, "nft smtp2" -/var/log/nft_smtp2.log
:msg, contains, "nft smtp3" -/var/log/nft_smtp3.log
:msg, contains, "nft smtp4" -/var/log/nft_smtp4.log
:msg, contains, "nft nac" -/var/log/nft_not_accepted.log
&stop

After

service rsyslog restart

and

systemctl restart nftables

I can test the email with the firewall and get detailed debug info in the log files. Then I can see what email activity triggers which nftables rule.

After making these changes, I found that dport and sport were wrong in the INPUT and OUTPUT chains. It works after changing it to:

For the INPUT chain

tcp dport { 25,465,587} log prefix "nft smtp2: " accept

For the OUTPUT chain

tcp dport { 25,465,587} log prefix "nft smtp3: " accept

Or at least these two lines were triggered by sending and receiving email.

What I am really missing is a thorough overview of the workings of the firewall. Most information is about inserting rules in the config and then 'it should work'. I would like a real understanding of the firewall, so that I can find errors quickly. Is there a good site or book that you can recommend? Thanks!