Have to ACCEPT port 25 for outgoing mail?
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
So I am accepting http and ssh explicitly, and also allowing anything RELATED,ESTABLISHED which I think should cover outgoing mail. However, mail goes nowhere unless I add an explicit accept for smtp:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I have read several forums and howtos on the RELATED,ESTABLISHED bit, but I still don't get why RELATED does not cover outgoing mail… any takers?
3 Replies
@widowmaker:
However, mail goes nowhere unless I add an explicit accept for smtp:
Ok, shot in the dark, but maybe you have a problem with local connections (sendmail to smtp server)? If the above are all your firewall rules I think connections from localhost to localhost will be blocked. Add something like this also (to your firewall rules):
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
It might be safer to replace "! -i eth0" with "-i lo" but I'm too lazy to test that now.
@widowmaker:
I have read several forums and howtos on the RELATED,ESTABLISHED bit, but I still don't get why RELATED does not cover outgoing mail… any takers?
Well, RELATED is for protocols that are known to use several ports at once. For example ftp, which first opens a control connection where you issue your commands, and then a second data connection when you actually up- or download some file. And so the firewall dynamically opens up for that one on an as-needed basis (and then I suppose only from the right host, etc, etc).
SMTP only uses port 25, but first from localhost to your server. Then from your server to someone else's port 25.
Might be worth mentioning that the default behavior of Fedora is to only accept smtp connections from localhost, so even with the explicit smtp accept rule in place, connections from outside are refused, which is good enough for stopping relays.
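As an added illustration (not code from anyone in this thread), here is a toy Python model of the question's INPUT chain with Linux conntrack's NEW/ESTABLISHED semantics; it covers both the loopback hop reply 1 suspects and the two SMTP legs reply 2 describes. Addresses, ports and the simulation itself are constructed for this example.

```python
# Added toy model (not code from anyone in this thread): the question's INPUT
# chain plus a minimal conntrack table with Linux NEW/ESTABLISHED semantics, to
# show why the remote MX's reply needs no INPUT rule but the local
# sendmail -> 127.0.0.1:25 hop does. Addresses and ports are constructed.

def ct_state(conntrack, pkt):
    """NEW until the connection has seen packets in both directions."""
    orig = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reply = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if reply in conntrack:             # packet flows in the reply direction
        conntrack[reply] = True        # reply seen: now ESTABLISHED both ways
        return "ESTABLISHED"
    if conntrack.get(orig):            # original direction, reply already seen
        return "ESTABLISHED"
    conntrack.setdefault(orig, False)  # first packet, or still waiting for reply
    return "NEW"

def output_chain(conntrack, pkt):
    ct_state(conntrack, pkt)  # OUTPUT policy ACCEPT: only effect is the ct entry
    return "ACCEPT"

def input_chain(conntrack, pkt, accept_lo=False, accept_smtp=False):
    """INPUT (policy DROP) exactly as listed in the question, plus the fixes."""
    if ct_state(conntrack, pkt) == "ESTABLISHED":
        return "ACCEPT"                # state RELATED,ESTABLISHED
    if accept_lo and pkt["iface"] == "lo":
        return "ACCEPT"                # -i lo -j ACCEPT (reply 1's suggestion)
    if pkt["dport"] in (80, 22):
        return "ACCEPT"                # tcp dpt:http, tcp dpt:ssh
    if accept_smtp and pkt["dport"] == 25:
        return "ACCEPT"                # tcp dpt:smtp (the OP's workaround)
    return "DROP"

def pkt(iface, src, sport, dst, dport):
    return dict(iface=iface, src=src, sport=sport, dst=dst, dport=dport)

def remote_smtp_reply(accept_smtp=False):
    """MTA -> remote MX:25 (SYN out via OUTPUT), then the MX's SYN-ACK on INPUT."""
    ct = {}
    output_chain(ct, pkt("eth0", "192.0.2.10", 40000, "198.51.100.25", 25))
    synack = pkt("eth0", "198.51.100.25", 25, "192.0.2.10", 40000)
    return input_chain(ct, synack, accept_smtp=accept_smtp)

def local_submission(accept_lo=False, accept_smtp=False):
    """sendmail -> 127.0.0.1:25: the same SYN crosses OUTPUT, then INPUT on lo."""
    ct = {}
    syn = pkt("lo", "127.0.0.1", 40001, "127.0.0.1", 25)
    output_chain(ct, syn)
    return input_chain(ct, syn, accept_lo=accept_lo, accept_smtp=accept_smtp)
```

The remote leg is accepted by the RELATED,ESTABLISHED rule alone, while the loopback SYN is still NEW when it reaches INPUT and is dropped unless the lo rule (or the explicit smtp accept) is present.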
Thanks!
# Reject ident (auth, tcp/113) probes so remote MTAs that try an ident lookup get an immediate refusal instead of waiting for a timeout
iptables -A INPUT -p tcp -i eth0 --dport 113 -j REJECT
Also double-check that your reverse lookup is working properly on your allocated IPs.
To allow all traffic on your loopback interface:
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT
Once you connect and immediately get a welcome string to remote mail servers when you telnet to them on port 25, then try mail again. If that fails, read your logs carefully: that will generally tell you why it isn't working.
That incoming SMTP rule shouldn't be necessary.