I'm securing my server (with iptables) so that only http and ssh ports are open and that is fine, although I use the mail command (server: CentOS 6.2) in some applications and it does not get through now thanks to iptables blocking everything.

What ports do I allow it access to?

Mail usage: echo "{{message}}" | mail -s "{{subject}}" me@mail.com

I've tried the standard mail port 25, but I have had no success with that. Here is the current setup:

iptables --flush

iptables -P INPUT DROP
iptables -P OUTPUT DROP

# incoming ssh
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT 

# outgoing ssh 
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT 

#HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT 

# mail (does not work)
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

(EDIT) ANSWER: The working iptables rules:

iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

Andrew

1 Answer

The OUTPUT commands should also refer to --dport, not --sport. You'll also want to allow NEW outgoing packets in order to initiate the connection to the SMTP server.

In general, however, since OUTPUT controls only those packets that your own system generates, you can set the OUTPUT policy to ACCEPT unless you need to prevent the generation of outgoing packets.


Two more comments:

1. Jay D's suggestion to "allow everything and then start blocking specific traffic" is insecure. Never configure iptables this way because you'd have to know in advance which ports an attacker might use and block them all individually. Always use a whitelist instead of a blacklist if you can.

2. A hint from the trenches: when you're debugging iptables, it's often helpful to -Insert and -Append log messages at the beginning and end of each chain, then clear the counters, and run an experiment. (In your case, issue the mail command.) Then check the counters and logs to understand how the packet(s) migrated through the chains and where they may have been dropped.

Adam Liss
  • AH Yes, Thank you. I think I'll allow all OUTPUT as well. – Andrew May 20 '12 at 04:40
  • There are two ways of doing it: 1. As you are doing, block everything and then start punching holes for specific protocol traffic. 2. Allow everything and then start blocking specific traffic. I strongly believe 1. is a better strategy. – Jay D May 20 '12 at 04:43
  • @JayD: Forgive the bluntness, but #1 is not simply "a better strategy" than #2; #2 is insecure to the point of negligence. Don't _ever_ recommend this method for anything other than a learning exercise. – Adam Liss May 20 '12 at 04:51
  • Thanks for the additional comments. Yes I don't quite know why anyone would use a whitelist for this type of idea. Didn't know about the log messages - that's a neat little trick. – Andrew May 20 '12 at 05:40
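As an added example (not from the question or the answer), the script below emits the outbound-SMTP whitelist rules the answer describes (OUTPUT matched on --dport with NEW allowed, INPUT matched on --sport with ESTABLISHED only) together with the head-and-tail LOG rules and counter reset from the debugging hint. IPT defaults to a dry run that only prints the commands; the interface name eth0 and port 25 are assumed values taken from the question.

```shell
#!/bin/sh
# Added example, not the poster's or the answer's own script.
# IPT defaults to a dry run that prints the commands; run with
# IPT=iptables as root to apply them. IFACE and SMTP_PORT are assumptions.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"
SMTP_PORT="${SMTP_PORT:-25}"

# Outbound SMTP client: this host initiates the connection, so OUTPUT must
# match the remote port (--dport 25) and permit NEW; the server's replies
# arrive with --sport 25 and are only ever part of an ESTABLISHED flow.
smtp_client_rules() {
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport "$SMTP_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp --sport "$SMTP_PORT" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Debugging aid from the answer: a LOG rule inserted at position 1 (-I)
# fires for every packet entering the chain; one appended at the tail (-A)
# fires only for packets no ACCEPT rule matched, i.e. those about to hit
# the DROP policy. Call this after the ACCEPT rules are in place, then
# zero the counters (-Z) so "iptables -L -v -n" shows only the next
# experiment (e.g. one run of the mail command). Log lines land in the
# kernel log (dmesg / /var/log/messages) tagged with the prefix.
debug_log_rules() {
    for chain in INPUT OUTPUT; do
        $IPT -I "$chain" 1 -j LOG --log-prefix "${chain}-enter: "
        $IPT -A "$chain" -j LOG --log-prefix "${chain}-fallthrough: "
    done
    $IPT -Z
}

# Only act when invoked with an argument, e.g. "sh smtp-rules.sh apply",
# so that sourcing the file for its functions has no side effects.
if [ -n "${1:-}" ]; then
    smtp_client_rules
    debug_log_rules
fi
```

Remove the LOG rules once the problem is found; they log every packet and fill the kernel log quickly on a busy host.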