How to Allow Outgoing SMTP on iptables Debian Linux
You have a rule to let the traffic out, but you don't have a rule to let the return traffic in.
I'm guessing you meant for these 2 rules to be -A INPUT
instead:
iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 587 -j ACCEPT
However using the source port as a method of allowing return traffic in is a bad way to secure the system. All someone has to do is use one of these source ports and your firewall ruleset becomes useless.
A much better idea would be to remove all the -A INPUT ... --sport
rules and use just this single rule instead:
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
The way this rule works is that when your system makes an outbound connection, the kernel records the connection in a tracking table. Then when packets from the remote system come back in, it looks to see if those packets are associated with any connections in the tracking table.
The ESTABLISHED
bit is the one that allows traffic directly related to the session. This will be TCP packets coming back on the stream.
The RELATED
bit lets traffic that's related to the connection, but isn't part of the connection itself, through. This can be things like ICMP packets, such as "ICMP can't fragment". These packets aren't part of the TCP stream, but are vitally important to keeping the stream alive (which is also another thing your ruleset doesn't cover, and without which you will see odd connection issues and loss).
This rule also works for UDP traffic, but because UDP is stateless, it's not quite the same. Instead the kernel has to keep track of UDP packets that go out, and just assumes that when UDP packets come back on the same host/port combination, and it's within a short time frame, that they're related.
Related videos on Youtube
SmartFingers
Updated on September 18, 2022Comments
-
SmartFingers almost 2 years
If I choose to allow all traffic on the OUTPUT chain (
iptables -P OUTPUT ACCEPT
) mail sends fine. As soon as I lock down my server with these rules, outgoing mail stops working. All else works though, which is strange.Does anyone see anything in here that would keep my outgoing mail from sending? I am stumped, have looked at these rules over and over and tried lots of different versions.
iptables -F iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT iptables -A OUTPUT -p tcp --sport 587 -j ACCEPT iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p udp --sport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT iptables -N LOGGING iptables -A INPUT -j LOGGING iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7 iptables -A LOGGING -j DROP
-
SmartFingers over 10 yearsThanks for the reply. I think I don't want to let the traffic back in because I'm only making an outgoing SMTP connection? Was thinking if I added the rule to the INPUT chain then i would be allowing SMTP back. This is a web server that just needs to connect to an external SMTP host to send mail....thx!
-
phemmer over 10 yearsIf you don't let the return traffic back in, how is your system going to receive all the "yes I got your data" messages that the TCP and SMTP protocols use?
-
phemmer over 10 yearsI added an explanation of how that rule works.