1

Iptables is blocking outgoing and incoming smtp on my server, although I specified it not to. My policies are DROP everything except what's specified. Changing policies to ACCEPT everything "solves" the problem, but I don't want unlimited traffic on this server. Rules were set as follows (smtp part is the last):

# Flush all rules
iptables -F
iptables -X

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming and outgoing SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming HTTP/HTTPS
# HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing SMTP
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# Finally, change policy to DROP ALL
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

It's a webserver. Django's send_mail function is what is being used to send mail. Settings are as follows:

EMAIL_USE_TLS = True
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_HOST_USER = 'person@gmail.com'
EMAIL_HOST_PASSWORD = 'password'
EMAIL_PORT = 587

I assumed 587 was being used for email, so I added for port 587 the same rules shown above for port 25. I also tried switching --dport/--sport for smtp, nothing. Setting the rules as in this and this question (both for port 25 and 587) didn't help either. I even tried doing the same for port 1025, just because it was mentioned in the docs, nothing...

Alex
  • Can you make sure that it works with iptables off? (Flush all tables.) – erny Nov 29 '13 at 17:53
  • I am sure it works with all tables flushed (and policies changed to ACCEPT). – Alex Nov 29 '13 at 18:36
  • Did you look at the exception you received from your Django app? – Michael Hampton Nov 29 '13 at 19:27
  • I "fixed it" by using a (very) less restrictive [set of rules](http://pastebin.com/ZFVLJRDX). @MichaelHampton `gaierror at /contact/mailto [Errno -2] Name or service not known` – Alex Nov 29 '13 at 20:05

2 Answers

3

Your firewall rules do not allow DNS traffic (UDP port 53). Thus your Django app cannot perform a DNS lookup to locate smtp.gmail.com:

gaierror at /contact/mailto [Errno -2] Name or service not known

To fix this, write firewall rules which permit outgoing DNS queries and incoming DNS responses.

Michael Hampton
0

Can it be that the --sport and --dport should be the other way round?

# Allow outgoing SMTP
iptables -A OUTPUT -o eth0 -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT
erny
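To see why both answers matter, here is an added example (not code from the question or either answer) that evaluates the rule syntax used on this page against sample packets. It assumes a default DROP policy, a tiny evaluator of the `-A/-i/-o/-p/--dport/--sport/--state/-j` options, and that the conntrack state is supplied on each constructed packet rather than tracked.

```python
import shlex

# Constructed rule sets. ORIGINAL reproduces the question's SMTP rules (ports
# keyed on the server side, as for a listening service). FIXED applies both
# answers: --dport/--sport swapped for an outgoing client connection, plus
# outgoing DNS queries and their replies on UDP 53.
ORIGINAL_RULES = [
    "-A INPUT -i eth0 -p tcp --dport 587 -m state --state ESTABLISHED -j ACCEPT",
    "-A OUTPUT -o eth0 -p tcp --sport 587 -m state --state NEW,ESTABLISHED -j ACCEPT",
]
FIXED_RULES = [
    "-A OUTPUT -o eth0 -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "-A INPUT -i eth0 -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT",
    "-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "-A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT",
]

def parse_rule(text):
    """Turn one iptables rule line into a dict of match criteria and target."""
    toks, rule, i = shlex.split(text), {}, 0
    while i < len(toks):
        t = toks[i]
        if t == "-A": rule["chain"] = toks[i + 1]
        elif t in ("-i", "-o"): rule["iface"] = toks[i + 1]
        elif t == "-p": rule["proto"] = toks[i + 1]
        elif t == "--dport": rule["dport"] = int(toks[i + 1])
        elif t == "--sport": rule["sport"] = int(toks[i + 1])
        elif t == "--state": rule["states"] = set(toks[i + 1].split(","))
        elif t == "-j": rule["target"] = toks[i + 1]
        else: i -= 1          # "-m", "state": no criteria of their own
        i += 2
    return rule

def matches(rule, pkt):
    for key in ("chain", "iface", "proto", "dport", "sport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    return "states" not in rule or pkt["state"] in rule["states"]

def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy

def pkt(chain, proto, sport, dport, state):
    return dict(chain=chain, iface="eth0", proto=proto, sport=sport, dport=dport, state=state)

# Constructed sample packets: the resolver query Django makes for smtp.gmail.com,
# the SMTP SYN from an ephemeral port, and the server's reply to it.
DNS_QUERY = pkt("OUTPUT", "udp", 40123, 53, "NEW")
SMTP_SYN = pkt("OUTPUT", "tcp", 51234, 587, "NEW")
SMTP_REPLY = pkt("INPUT", "tcp", 587, 51234, "ESTABLISHED")
```

Running `verdict(ORIGINAL_RULES, SMTP_SYN)` returns DROP because the outgoing packet carries 587 as its destination, not its source, and `verdict(ORIGINAL_RULES, DNS_QUERY)` returns DROP because nothing permits UDP 53, which is the `gaierror` seen in the question.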