-4

I have problems opening port 25 for sendmail on my CentOS 7 machine.

Here's my iptables configuration:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Service is running:

[root@server1 /]# netstat -tnlp | grep sendmail
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      5857/sendmail       

Any ideas why it's not working? Thanks a lot for the help!

HBruijn
marp

2 Answers

1

I believe your binding is where you need to look; the desirable output should be:

# netstat -an | egrep '\:25.*LISTEN'
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      
tcp        0      0 :::25                       :::*                        LISTEN      
# 

In your case, even if you disable the firewall altogether, you still won't be able to reach your SMTP server because it binds to the local loop interface only. Assuming you're using postfix, look at inet_interfaces inside your main.cf.

alexus
  • Thanks for this! I'm using sendmail. I made changes to sendmail.mc according to this article: https://www.unixmen.com/configuring-sendmail-smtp-server-on-centos-a-scientific-linux/ I assume the changes haven't really been applied? – marp Mar 05 '15 at 16:52
  • Next time, feel free to include that in your original question instead of making us guess and do double work just because you're too lazy to include all relevant information in the first place. – alexus Mar 09 '15 at 14:51
1

The problem is that the default sendmail configuration is to only listen on localhost, not external interfaces; you will need to reconfigure Sendmail to allow this.

You will need to install sendmail-cf:

sudo yum install sendmail-cf

Then, edit your DAEMON_OPTIONS:

cd /etc/mail
sudo vi sendmail.mc

Look for the entry:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Change it to:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

Save the file, run make:

make

Restart sendmail:

sudo systemctl restart sendmail

That should open you up to listening on port 25 on all interfaces, which should be compatible with the firewall ruleset you have given above.

Ric F
  • Thanks a lot, this worked! Now the port is open. However, when I run [root@server1 mail]# netstat -an | egrep '\:25.*LISTEN' tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN the text is red. Shouldn't it be green? Does it now run correctly? Is there anything else to configure? – marp Mar 06 '15 at 07:33
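
The check both answers rely on (is port 25 bound to loopback only, and does sendmail.mc still pin `Addr=`), as an added example that is not part of the original posts. The function names `classify_bind` and `mc_mta_addr` are hypothetical, and the sample lines are constructed from the output and config lines quoted in the thread.

```sh
# Added example: tell a bind-address problem apart from a firewall problem.
# Live use: netstat -tnl | classify_bind 25 ; mc_mta_addr < /etc/mail/sendmail.mc

# Prints: not-listening | loopback-only | specific-address | all-interfaces
classify_bind() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, p, ":")            # port is the last ":" field
            if (p[n] != port) next
            host = substr($4, 1, length($4) - length(p[n]) - 1)
            if (host == "0.0.0.0" || host == "::" || host == "*") any = 1
            else if (host ~ /^127\./ || host == "::1") loop = 1
            else other = 1
        }
        END {
            if (any) print "all-interfaces"
            else if (other) print "specific-address"
            else if (loop) print "loopback-only"
            else print "not-listening"
        }'
}

# Prints the Addr= value of the active MTA DAEMON_OPTIONS line, "any" when the
# line carries no Addr= (sendmail then listens on every interface), or
# "no-mta-daemon" when every such line is commented out with dnl or absent.
mc_mta_addr() {
    awk -v q="'" '
        /^[ \t]*dnl/ { next }                # m4 comment: line is inactive
        /DAEMON_OPTIONS\(/ && /Name=MTA/ {
            addr = "any"
            if (match($0, "Addr=[^, " q ")]+"))
                addr = substr($0, RSTART + 5, RLENGTH - 5)
            print addr; found = 1; exit
        }
        END { if (!found) print "no-mta-daemon" }'
}

# Constructed samples modelled on the lines quoted in the thread.
BEFORE='tcp   0   0 127.0.0.1:25   0.0.0.0:*   LISTEN   5857/sendmail'
AFTER='tcp   0   0 0.0.0.0:25   0.0.0.0:*   LISTEN'
MC_BEFORE="DAEMON_OPTIONS(\`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl"
MC_AFTER="DAEMON_OPTIONS(\`Port=smtp, Name=MTA')dnl"

printf 'socket before: %s\n' "$(printf '%s\n' "$BEFORE" | classify_bind 25)"
printf 'socket after:  %s\n' "$(printf '%s\n' "$AFTER" | classify_bind 25)"
printf 'mc before:     %s\n' "$(printf '%s\n' "$MC_BEFORE" | mc_mta_addr)"
printf 'mc after:      %s\n' "$(printf '%s\n' "$MC_AFTER" | mc_mta_addr)"
```

A `loopback-only` result means no firewall rule will make the port reachable from outside; `all-interfaces` means the iptables ruleset is the only thing deciding who can reach the listener.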