iptables blocking access to SMTP on port 25

6,047

Because your input rules start with a universal accept rule, none of your other rules will take effect (because iptables works on a first dispositive rule basis: the first rule in the chain to dispose of the packet in some way will be the last rule processed, and the ACCEPT target is dispositive). Your second rule is also questionable (block all localhost traffic), but only because there isn't usually any credible reason to do that. It is also unusual to specifically accept only new, related, or established packets on the SSH port.

All that said, your rules correctly accept SMTP traffic, so the problem is indeed that you weren't running SMTP. Dovecot isn't an SMTP server; consider using any of several SMTP daemons such as postfix.

If anything, for your 127.0.0.0/8 rule, specify the input interface on which you are expecting to receive spoofed localhost packets, if you are worried about that.

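The first-dispositive-rule behaviour the answer describes is easy to check offline. The block below is an added example, not code from the question or the answer: it models an iptables chain as a list of rules walked top to bottom, where ACCEPT, DROP and REJECT stop the walk and LOG does not, and loads the INPUT chain from the question as data. It then evaluates a constructed SYN to port 25 (destination 203.0.113.10 is a documentation address chosen for the example) against that chain and against an assumed corrected layout in which the universal ACCEPT is removed and loopback is handled per interface, as the answer suggests. The corrected chain is an assumption for illustration, not the poster's actual configuration.

```python
"""Model of iptables first-match evaluation (added example, not from the original post)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Targets that dispose of the packet: evaluation stops at the first one that matches.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    dst: str                    # destination address
    state: str                  # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    dport: Optional[int] = None
    in_iface: str = "eth0"      # assumed external interface name


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None               # -p
    dst: Optional[str] = None                 # -d (CIDR)
    dport: Optional[int] = None               # --dport
    states: Optional[FrozenSet[str]] = None   # -m state --state
    in_iface: Optional[str] = None            # -i
    in_iface_negated: bool = False            # ! -i

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.in_iface is not None:
            same = pkt.in_iface == self.in_iface
            if same == self.in_iface_negated:   # plain -i needs same; ! -i needs different
                return False
        return True


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """Walk the chain top to bottom. Returns (verdict, index of deciding rule, logged)."""
    logged = False
    for idx, rule in enumerate(chain):
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True           # non-terminating: keep walking
            continue
        if rule.target in TERMINATING:
            return rule.target, idx, logged
    return policy, None, logged     # fell off the end: the chain policy applies


ESTABLISHED = frozenset({"RELATED", "ESTABLISHED"})
# Service names from the question's `iptables -L` output mapped to their ports.
SERVICES = {"http": 80, "https": 443, "mysql": 3306, "smtp": 25, "pop3": 110,
            "imap2": 143, "ssmtp": 465, "submission": 587, "imaps": 993, "pop3s": 995}
SERVICE_RULES = [Rule("ACCEPT", proto="tcp", dport=p) for p in SERVICES.values()]
TAIL = [
    Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="icmp"),
    Rule("LOG"),
    Rule("DROP"),
]

# The INPUT chain exactly as posted in the question: rule 0 accepts everything.
QUESTION_INPUT = [
    Rule("ACCEPT"),
    Rule("REJECT", dst="127.0.0.0/8"),
    Rule("ACCEPT", states=ESTABLISHED),
    *SERVICE_RULES,
    *TAIL,
]

# Assumed corrected layout: no universal ACCEPT, loopback accepted on lo only,
# and the 127.0.0.0/8 REJECT scoped to packets arriving on any other interface.
FIXED_INPUT = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("REJECT", dst="127.0.0.0/8", in_iface="lo", in_iface_negated=True),
    Rule("ACCEPT", states=ESTABLISHED),
    *SERVICE_RULES,
    *TAIL,
]


if __name__ == "__main__":
    smtp_syn = Packet("tcp", "203.0.113.10", "NEW", 25)   # constructed inbound SMTP connection
    spoofed = Packet("tcp", "127.0.0.1", "NEW", 25)        # constructed spoofed-loopback packet on eth0
    for name, chain, policy in (("question", QUESTION_INPUT, "ACCEPT"), ("fixed", FIXED_INPUT, "DROP")):
        for pkt in (smtp_syn, spoofed):
            print(f"{name:8s} dst={pkt.dst:14s} dport={pkt.dport} -> {evaluate(chain, policy, pkt)}")
```

Against the posted chain both packets are accepted by rule 0, so the REJECT for 127.0.0.0/8 and everything below it never fire; port 25 was never blocked by the firewall, which is why checking for a listener (`ss -ltn` on the server) was the right next step. In the corrected layout the SMTP SYN is accepted by the `dpt:smtp` rule, the spoofed loopback packet on eth0 is rejected, and an unmatched port is logged and then dropped.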


Author: Chris
Updated on September 18, 2022

Comments

  • Chris
    Chris almost 2 years

    I have iptables running on my server that blocks access on all ports except the ones I allow. One of those ports needs to be SMTP on port 25, and I have the following rule in place for that:

    -A INPUT -p tcp --dport 25 -j ACCEPT
    

    The output from iptables -L is below:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    ACCEPT     icmp --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    

    However, when I try to do telnet <myip> 25 from a Windows console, I get this error thrown back:

    Connecting To <my ip>...Could not open connection to the host, on port 25:
    Connect failed
    

    Doing the same on other open ports (80, 993 etc) works fine. So it must be an iptables issue.

    What's the correct way to allow access to SMTP on port 25 using iptables?

    • dawud
      dawud almost 11 years
      Did you check for a service listening on that port? (netstat -an | grep LISTEN or ss -n | grep :25)
    • Chris
      Chris almost 11 years
      Ah damn, doesn't look like SMTP is actually running haha. I followed a guide to set up a mail server (library.linode.com/email/postfix/…) and just assumed dovecot would be running SMTP.
    • Ladadadada
      Ladadadada almost 11 years
      If you add the -v option to iptables -L you will also get the counts of how many times each rule has been hit. This makes debugging iptables rules much easier.
    • BillThor
      BillThor almost 11 years
      @Chris It should be postfix listening on port 25. Dovecot is a POP/IMAP server and should be listening on at least one of: 110 (pop3), 995 (pop3s), 143 (imap), and 993 (imaps). It is possible Postfix is listening on port 25, but only on the localhost interface, or run only on demand.