
My iptables rules:

# delete all current rules and user chains
iptables -F
iptables -X

# global policy (target by default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# dns -> udp
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# http
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# ssh
iptables -A INPUT -i eth0 -p tcp --dport 29415 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 29415 -m state --state ESTABLISHED -j ACCEPT

# final LOG
iptables -A INPUT -i eth0  -m limit -j LOG --log-prefix "[fortress:unrule_input] "
iptables -A OUTPUT -o eth0  -m limit -j LOG --log-prefix "[fortress:unrule_output] "
#  --log-ip-options --log-tcp-options

# final DROP
iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP

Port 25 is not open; the default policy is DROP.
Only UDP is allowed to send NEW packets out from the server and establish a connection.
But Postfix still sends mail...
For testing I use this on the command line:

php -a
mail('to@domen.tl', 'subject', 'body');

Output of iptables -vL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
48089 1119M ACCEPT     all  --  lo     any     anywhere             anywhere            
 1518  165K ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp spt:domain state ESTABLISHED
86211 5672K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
 2498  184K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:29415 state NEW,ESTABLISHED
   18   840 LOG        all  --  eth0   any     anywhere             anywhere             limit: avg 3/hour burst 5 LOG level warning prefix "[fortress:unrule_input] "
 1430 75592 DROP       all  --  eth0   any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
48089 1119M ACCEPT     all  --  any    lo      anywhere             anywhere            
 1524  112K ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:domain state NEW,ESTABLISHED
 181K  253M ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:http state ESTABLISHED
 1781  627K ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:29415 state ESTABLISHED
   18   948 LOG        all  --  any    eth0    anywhere             anywhere             limit: avg 3/hour burst 5 LOG level warning prefix "[fortress:unrule_output] "
  346 20488 DROP       all  --  any    eth0    anywhere             anywhere       

/var/log/maillog

May 21 14:50:44 CentOS-70-64-minimal postfix/qmgr[5169]: B79F311800AB: removed
May 21 14:50:44 CentOS-70-64-minimal postfix/smtp[5484]: B79F311800AB: to=<to@domen.tl>, relay=mx.domen.tl[2a02:6b8::89]:25, delay=121, delays=0.14/0.01/120/0.85, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued on mxfront10j.mail.yandex.net as 1432212643-e6gErcsB7d-ohqGfFN0)
May 21 14:50:42 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[213.180.204.89]:25: Connection timed out
May 21 14:50:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[93.158.134.89]:25: Connection timed out
May 21 14:49:42 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[213.180.193.89]:25: Connection timed out
May 21 14:49:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[77.88.21.89]:25: Connection timed out
May 21 14:48:43 CentOS-70-64-minimal postfix/qmgr[5169]: CA04D11800A6: removed
May 21 14:48:43 CentOS-70-64-minimal postfix/smtp[5485]: CA04D11800A6: to=<to2@gmail.com>, orig_to=<root@CentOS-70-64-minimal.localdomain>, relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25, delay=0.27, delays=0.08/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1432212522 t8si3023064wjr.69 - gsmtp)
May 21 14:48:42 CentOS-70-64-minimal postfix/local[5483]: B79F311800AB: to=<root@CentOS-70-64-minimal.localdomain>, relay=local, delay=0.23, delays=0.14/0.01/0/0.08, dsn=2.0.0, status=sent (forwarded as CA04D11800A6)
May 21 14:48:42 CentOS-70-64-minimal postfix/qmgr[5169]: CA04D11800A6: from=<root@CentOS-70-64-minimal.localdomain>, size=571, nrcpt=1 (queue active)
May 21 14:48:42 CentOS-70-64-minimal postfix/cleanup[5481]: CA04D11800A6: message-id=<20150521124842.B79F311800AB@CentOS-70-64-minimal.localdomain>
May 21 14:48:42 CentOS-70-64-minimal postfix/qmgr[5169]: B79F311800AB: from=<root@CentOS-70-64-minimal.localdomain>, size=403, nrcpt=2 (queue active)
May 21 14:48:42 CentOS-70-64-minimal postfix/cleanup[5481]: B79F311800AB: message-id=<20150521124842.B79F311800AB@CentOS-70-64-minimal.localdomain>
May 21 14:48:42 CentOS-70-64-minimal postfix/pickup[5376]: B79F311800AB: uid=0 from=<root>

cat rules

# Generated by iptables-save v1.4.21 on Thu May 21 15:18:19 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 29415 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "[fortress:unrule_input] "
-A INPUT -i eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 29415 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m limit --limit 3/hour -j LOG --log-prefix "[fortress:unrule_output] "
-A OUTPUT -o eth0 -j DROP
COMMIT
# Completed on Thu May 21 15:18:19 2015
Sergey Serov
  • Send to where? Please edit the question and add the relevant mail.log lines – masegaloeh May 21 '15 at 12:09
  • Are you sure that your rules are applied? Is `iptables -vL` consistent with what you posted? – eltrai May 21 '15 at 12:10
  • BTW, UDP is a stateless protocol; anyone can overflow your connection tracking table with these rules and cause denial of service even for TCP ports. – Marki555 May 21 '15 at 12:27
  • I added logs, thank you for your attention! @Marki555 About "overflow" - what does this mean? And how can I protect against it, if it is something bad :) I wrote my rules after reading this article: http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html – Sergey Serov May 21 '15 at 13:09
  • Could you include the final rule set (as can be seen by `iptables-save`) in the question. – kasperd May 21 '15 at 13:12
  • When you use `-m state`, the system must remember all active connections; this is called connection tracking. It has limited space (it can be increased); when it is full, old connections are removed from the list and iptables will begin to drop packets from those connections. With UDP, anyone can send millions of packets which will fill your connection tracking table. Just don't use it for UDP packets, it has no benefit. – Marki555 May 21 '15 at 13:16
  • @Marki555 This is clear to me now - thank you!! :) – Sergey Serov May 21 '15 at 13:34
  • @Marki555 Good day, again :)) I have read https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#UDPCONNECTIONS and now I can't understand connection tracking: 1) it seems possible to keep information about new and established states in UDP; 2) and it seems that a million packets may fill the tracking tables too... – Sergey Serov May 23 '15 at 20:34
  • You can't know if/when a UDP "connection" is "established". You just know that you have received a packet from that IP to that port; there is no ACK, no sequence number. UDP packets can be easily forged by anyone (TCP is much more difficult). Google e.g. DNS or NTP amplification attack and why they were possible. – Marki555 May 24 '15 at 11:52

1 Answer

5

Your iptables rules are doing exactly what you want: they're blocking outbound port 25 connections:

May 21 14:50:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[93.158.134.89]:25: Connection timed out

Unfortunately, your server also appears to have a valid IPv6 address (I'm guessing it's a modern VPS; I've noticed most of these come v6-enabled these days), and as many providers these days advertise a v6 mail server, delivery to those is working fine:

May 21 14:48:43 CentOS-70-64-minimal postfix/smtp[5485]: CA04D11800A6: to=<to2@gmail.com>, orig_to=<root@CentOS-70-64-minimal.localdomain>, relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25, delay=0.27, delays=0.08/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1432212522 t8si3023064wjr.69 - gsmtp)

Note the address: 2a00:1450:4013:c01::1b, which isn't a v4 address. You will need to make sure that your IPv6 rules are also as strict as you'd like, with ip6tables -L -n -v. Welcome to the 21st century!

Edit: I can't tell you what ip6tables rules you should have, but the syntaxes are broadly the same, yes. And you may or may not choose to duplicate your ruleset, but you are leaving a big hole in your security if you don't have an equally carefully designed set of IPv6 rules.

MadHatter
  • Thank you!! Wow, for IPv6 my chains are pretty empty... Am I right that it is now necessary to duplicate all my rules, only replacing 'iptables' with 'ip6tables'? – Sergey Serov May 21 '15 at 13:58
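The check the answer asks for, as an added example that is not from the original post or its authors: it parses the `*filter` table of an `iptables-save` dump and an `ip6tables-save` dump (the format shown in the question) and reports where the v6 side is weaker, including the one thing a plain `iptables` to `ip6tables` copy gets wrong (a DROP policy with no ICMPv6 exception breaks neighbour discovery). Both dumps below are constructed samples; the v4 one is trimmed from the question's rule set.

```python
# Constructed sample: the IPv4 filter table from the question, trimmed to its ACCEPT rules.
V4_DUMP = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 29415 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 29415 -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""
# Constructed sample: an untouched ip6tables filter table (policy ACCEPT, no rules at all).
V6_DUMP = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_filter(dump):
    """Return (chain -> policy, {(chain, iface, proto, (port opt, port))}) for the *filter table."""
    policies, accepts, in_filter = {}, set(), False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A ") and line.endswith("-j ACCEPT"):
            tok, iface, proto, port = line.split(), None, None, None
            for i, t in enumerate(tok[:-1]):
                if t in ("-i", "-o"):
                    iface = tok[i + 1]
                elif t == "-p":
                    proto = tok[i + 1]
                elif t in ("--dport", "--sport"):
                    port = (t, tok[i + 1])
            accepts.add((tok[1], iface, proto, port))
    return policies, accepts

def audit(v4_dump, v6_dump):
    """List the ways the v6 filter is weaker than, or a broken copy of, the v4 one."""
    (p4, r4), (p6, r6) = parse_filter(v4_dump), parse_filter(v6_dump)
    findings = [f"policy: {c} is DROP in v4 but {p6.get(c)} in v6"
                for c in ("INPUT", "FORWARD", "OUTPUT") if p4.get(c) == "DROP" and p6.get(c) != "DROP"]
    findings += [f"v4 ACCEPT rule with no v6 twin: {r}" for r in sorted(r4 - r6, key=str)]
    # A DROP policy copied to ip6tables without an ICMPv6 exception breaks neighbour discovery.
    if p6.get("INPUT") == "DROP" and not any(r[2] in ("ipv6-icmp", "icmpv6") for r in r6):
        findings.append("v6 INPUT policy is DROP but no rule accepts ICMPv6")
    return findings
```

On a live host, feed it the real dumps (`audit(open("v4.rules").read(), open("v6.rules").read())` after `iptables-save > v4.rules; ip6tables-save > v6.rules`); an empty list means the v6 filter carries every v4 ACCEPT rule and policy plus an ICMPv6 exception.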