I have iptables running on my server that blocks access on all ports except the ones I allow. One of those ports needs to be SMTP on port 25, and I have the following rule in place for that:

-A INPUT -p tcp --dport 25 -j ACCEPT

The output from iptables -L is below:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

However, when I try to do telnet <myip> 25 from a Windows console, I get this error thrown back:

Connecting To <my ip>...Could not open connection to the host, on port 25:
Connect failed

Doing the same on other open ports (80, 993 etc) works fine. So it must be an iptables issue.

What's the correct way to allow access to SMTP on port 25 using iptables?

Chris
    Did you check for a service listening in that port? (`netstat -an | grep LISTEN` or `ss -n | grep :25`) – dawud Aug 03 '13 at 21:39
  • Ah damn, doesn't look like SMTP is actually running haha. I followed a guide to set up a mail server (https://library.linode.com/email/postfix/postfix2.9.6-dovecot2.0.19-mysql) and just assumed dovecot would be running SMTP. – Chris Aug 03 '13 at 21:40
  • If you add the `-v` option to `iptables -L` you will also get the counts of how many times each rule has been hit. This makes debugging iptables rules *much* easier. – Ladadadada Aug 03 '13 at 23:03
  • @Chris It should be postfix listening on port 25. Dovecot is a POP/IMAP server and should be listening on at least one of: 110 (pop3), 995 (pop3s), 143 (imap), and 993 (imaps). It is possible Postfix is listening on port 25, but only on the localhost interface, or is only run on demand. – BillThor Aug 04 '13 at 03:29

1 Answer

Because your input rules start with a universal accept rule, none of your other rules will take effect (because iptables works on a first dispositive rule basis: the first rule in the chain to dispose of the packet in some way will be the last rule processed, and the ACCEPT target is dispositive). Your second rule is also questionable (block all localhost traffic), but only because there isn't usually any credible reason to do that. It is also unusual to specifically accept only new, related, or established packets on the SSH port.

All that said, your rules correctly accept SMTP traffic, so the problem is indeed that you weren't running SMTP. Dovecot isn't an SMTP server; consider using any of several SMTP daemons such as postfix.

If anything, for your 127.0.0.0/8 rule, specify the input interface on which you are expecting to receive spoofed localhost packets, if you are worried about that.

Falcon Momot
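Two things a practitioner would want to check on this thread, as an added example (it is not code from the question, the answer or the Linode guide): first, how iptables picks a verdict, which is the first-match walk the answer describes. The block below models the INPUT chain exactly as `iptables -L` prints it (no interface column, so the top rule reads as an unconditional ACCEPT and swallows every packet), and again with an assumed `-i lo` / `! -i lo` on the first two rules, which `iptables -L` does not display but `iptables -nvL` does, together with the per-rule packet counters Ladadadada mentions. Second, the telnet symptom: a fast "Connect failed" is a connection refused (RST), which is what nothing listening on the port produces, whereas the chain's final DROP rule would make the connection hang until it times out. The probe function tells those two apart; the local demo function, the interface assumption and the 203.0.113.x packets are all constructed for this example.

```python
"""Added example: first-match model of the question's INPUT chain, plus a
TCP probe that separates 'refused' (no listener / REJECT) from 'filtered' (DROP)."""
import errno
import ipaddress
import socket
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG fires and evaluation continues


@dataclass
class Rule:
    target: str
    proto: str = "all"                 # all / tcp / icmp
    in_iface: Optional[str] = None     # None = any; "lo"; "!lo" = any except lo
    dst: Optional[str] = None          # None = anywhere, else a CIDR
    dport: Optional[int] = None
    states: Optional[Set[str]] = None  # None = no conntrack state match


@dataclass
class Packet:
    proto: str
    in_iface: str
    dst: str
    dport: Optional[int]
    state: str                         # NEW / ESTABLISHED / RELATED


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "all" and r.proto != p.proto:
        return False
    if r.in_iface is not None:
        negate = r.in_iface.startswith("!")
        if (p.in_iface == r.in_iface.lstrip("!")) == negate:
            return False
    if r.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(r.dst):
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.states is not None and p.state not in r.states:
        return False
    return True


def first_match(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> Tuple[Optional[int], str]:
    """Walk the chain top to bottom; the first matching rule with a terminating
    target decides the packet. Returns (rule index or None for policy, verdict)."""
    for i, r in enumerate(chain):
        if rule_matches(r, p) and r.target in TERMINATING:
            return i, r.target
    return None, policy


def build_chain(loopback_only: bool) -> List[Rule]:
    """The INPUT chain from the question's `iptables -L` output, in listed order.
    loopback_only=False: the first rule is what the listing literally shows.
    loopback_only=True: assumed `-i lo` / `! -i lo` on the first two rules
    (an assumption for this example; only `iptables -nvL` would confirm it)."""
    first = Rule("ACCEPT", in_iface="lo" if loopback_only else None)
    anti_spoof = Rule("REJECT", dst="127.0.0.0/8", in_iface="!lo" if loopback_only else None)
    chain = [first, anti_spoof, Rule("ACCEPT", states={"RELATED", "ESTABLISHED"})]
    for port in (80, 443, 3306, 25, 110, 143, 465, 587, 993, 995):  # http .. pop3s
        chain.append(Rule("ACCEPT", proto="tcp", dport=port))
    chain += [Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),
              Rule("ACCEPT", proto="icmp"), Rule("LOG"), Rule("DROP")]
    return chain


# Constructed packets arriving on eth0; 203.0.113.0/24 is documentation space.
SMTP_FROM_ETH0 = Packet("tcp", "eth0", "203.0.113.10", 25, "NEW")
SPOOFED_LOOPBACK = Packet("tcp", "eth0", "127.0.0.1", 25, "NEW")
UNLISTED_PORT = Packet("tcp", "eth0", "203.0.113.10", 8080, "NEW")


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """'refused' = RST came back (nothing listening, or an iptables REJECT);
    'filtered' = no answer before the timeout (a DROP rule); 'open' = accepted."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        err = s.connect_ex((host, port))
    except socket.timeout:
        return "filtered"
    finally:
        s.close()
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "refused"
    if err in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK, errno.EINPROGRESS):
        return "filtered"
    return "error:" + errno.errorcode.get(err, str(err))


def demo_local_probe() -> Tuple[str, str]:
    """Constructed demo: listen on an ephemeral loopback port and probe it,
    then close the listener and probe again (the question's symptom)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    return while_listening, probe("127.0.0.1", port)


if __name__ == "__main__":
    for loopback_only in (False, True):
        chain = build_chain(loopback_only)
        print("assumed -i lo on rule 1:", loopback_only)
        for name, pkt in (("smtp", SMTP_FROM_ETH0), ("spoofed 127.0.0.1", SPOOFED_LOOPBACK),
                          ("tcp/8080", UNLISTED_PORT)):
            print("  %-18s -> rule %s %s" % (name, *first_match(chain, pkt)))
    print("loopback probe (listening, then closed):", demo_local_probe())
```

With the chain taken literally, every packet stops at rule 0; with `-i lo` assumed on that rule, an SMTP connection from eth0 reaches the `dpt:smtp` rule and an unlisted port falls through to the final DROP, which is why a real firewall block on this chain would time out rather than fail immediately. Running `iptables -nvL INPUT` on the server shows which of the two readings is in force and, via the counters, which rule the telnet attempt actually hit.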