
I have the following setup for my iptables; I want my server to be as secure as it can be. However, I have just one problem: Sendmail does not work when I have iptables enabled, even though I opened port 25. I suspect this is because it cannot resolve the mail address, but I am not sure. My server runs on CentOS 5.5.

This is my iptables setup:

#!/bin/sh
# My system IP/set ip address of server
SERVER_IP="xxx.xxx.xxx.xxx"
# Flushing all rules
/sbin/iptables -F
/sbin/iptables -X
# Setting default filter policy
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow ssh
/sbin/iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming http 
/sbin/iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 80 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming smtp
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# DNS
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# make sure nothing comes or goes out of this box
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j DROP

What am I missing, or what do I have too much of?

I hope you are able to help me.

Kind regards.

Machiel
  • Can you do DNS lookups on other systems? via dig or nslookup? Can you connect via telnet to port 25 while iptables is up? – Joseph Kern Apr 24 '11 at 17:30

1 Answer


DNS uses TCP and UDP. Your iptables rules do not have ACCEPT rules for UDP.

That said, why the overly-explicit rules? You can drop all those -s / -d 0/0. And is it really necessary to limit the remote-side ports to 513-65535 (or 1024-65535)?

pepoluan
  • Thank you very much, opening the UDP ports solved the issue. And regarding the overly-explicit rules, that's how I learned it, I thought it was required. On the other hand, it doesn't harm my system, I believe. – Machiel Apr 24 '11 at 18:29
  • @Machiel well, it won't harm the system, only a (very) slight reduction in performance (due to the need to perform more matches), and a huge reduction in readability :D – pepoluan Apr 24 '11 at 18:35
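The fix the answer describes (UDP rules for DNS) and the simplification it suggests (drop the -s/-d 0/0 and remote-port ranges, let one stateful rule handle replies), written out as an added example. This is not code from the question or the answer. The script prints each iptables command instead of loading it while DRY_RUN=1 (the default), so it can be read and checked without root; SERVER_IP is a constructed placeholder address.

```shell
#!/bin/sh
# Added example: the missing UDP/53 rules plus a simplified stateful ruleset.
# DRY_RUN=1 prints the commands instead of running them (no root needed).
# SERVER_IP is a constructed placeholder (TEST-NET-1), not a real host.

SERVER_IP="${SERVER_IP:-192.0.2.10}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the rule in dry-run mode, otherwise load it with iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "/sbin/iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# What the question's script lacks: sendmail's resolver sends MX lookups over
# UDP from an ephemeral port to remote port 53, and the reply must come back.
# Written in the question's own style (explicit ports and state) so it can be
# dropped next to the existing TCP/53 rules.
dns_udp_rules() {
    ipt -A OUTPUT -p udp -s "$SERVER_IP" --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT  -p udp -d "$SERVER_IP" --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
}

# The simplification pepoluan suggests: one ESTABLISHED,RELATED rule per chain
# accepts every reply, so each service rule only has to match NEW connections
# and the -s/-d 0/0 and remote-port ranges are no longer needed.
simplified_rules() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services this host offers to the outside: ssh, http, smtp.
    for port in 22 80 25; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Connections this host initiates: outbound mail delivery and DNS over
    # both transports (UDP for normal queries, TCP for large/truncated ones).
    ipt -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
}

# Check a rule listing on stdin (dry-run output, or `iptables-save` on the
# real box): succeeds only if UDP/53 is accepted on OUTPUT, the condition
# sendmail's resolver needs. Useful for catching this class of mistake before
# a reboot loads the rules.
has_udp_dns_out() {
    grep -q -- '-A OUTPUT .*-p udp .*--dport 53 .*-j ACCEPT'
}

main() {
    echo "--- minimal fix: add to the existing script ---"
    dns_udp_rules
    echo "--- simplified ruleset ---"
    simplified_rules
}

main
```

To apply on the server, run it with DRY_RUN=0 after reviewing the printed output; piping the output of the dry run into `has_udp_dns_out` is a quick way to confirm the resolver path is open before enabling the rules.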