iptables
When I change the configuration in iptables I don't seem to get the responses I expect. According to the file below I think I have opened port 587, which I want for TLS authentication for my mail server. According to iptables -L the port is open but when I use nmap the port appears closed.
I am probably missing something simple but can someone help me identify the problem?
Thanks.
File: /etc/iptables.firewall.rules
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# SMTP
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
# POP
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# IMAP
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
After:
sudo iptables -F
sudo iptables-restore < /etc/iptables.firewall.rules
Gives:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
nmap from another machine on an external network gives:
Starting Nmap 5.21 (
Nmap scan report for
Host is up (0.033s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
554/tcp open rtsp
587/tcp closed submission
993/tcp open imaps
995/tcp open pop3s
7070/tcp open realserver
2 Replies
@simpzoid:
Dear All,
When I change the configuration in iptables I don't seem to get the responses I expect. According to the file below I think I have opened port 587, which I want for TLS authentication for my mail server. According to iptables -L the port is open but when I use nmap the port appears closed.
If you try to talk to the port directly:
% telnet 178.79.177.96 587
Trying 178.79.177.96...
telnet: connect to address 178.79.177.96: Connection refused
telnet: Unable to connect to remote host: Connection refused
Your rules say "DROP" which means that this packet is being accepted by the firewall, but there's nothing listening. (You can see the difference if you try to telnet to port 588, for example; it hangs, showing the traffic is being dropped).
You're probably not running any service listening on port 587. Opening the firewall will allow traffic through, but you still need a daemon running on it.
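The distinction the reply draws (refused means the firewall let the SYN through and the host's TCP stack answered with a RST because nothing is bound; a hang means the packet was DROPped) is exactly how an nmap connect scan decides between "closed" and "filtered". The following is an added example, not code from the thread, that reproduces that classification with plain sockets. It assumes loopback (127.0.0.1) is available and uses a constructed listener on an OS-chosen port as a stand-in for a real daemon; the function and helper names are my own.

```python
import errno
import socket


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port the way an nmap connect scan would.

    open     - handshake completed: the firewall ACCEPTed and a daemon is listening
    closed   - RST came back ("Connection refused"): the packet reached the host's
               TCP stack, so the firewall is not the problem; nothing is bound
    filtered - nothing came back before the timeout: what an iptables DROP produces
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        # No RST arrived (ICMP host/net unreachable, or no route): the SYN never
        # reached a TCP stack, so there is no evidence either way about a listener.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for a daemon: bind and listen on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)  # the kernel completes the handshake even before accept() is called
    return srv, srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Return a port nothing is bound to: bind to port 0, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Reproduce the two outcomes from the thread on loopback.

    Returns (state with a daemon bound, state with nothing bound). The third
    state, "filtered", needs a real DROP rule in the path and is not produced here.
    """
    srv, port = start_listener()
    try:
        with_daemon = probe_tcp("127.0.0.1", port)
    finally:
        srv.close()
    without_daemon = probe_tcp("127.0.0.1", unused_port())
    return with_daemon, without_daemon


if __name__ == "__main__":
    for label, state in zip(("daemon bound", "nothing bound"), demo()):
        print(f"{label}: {state}")
```

Run against the real server from an external host with `probe_tcp("<server>", 587)`: "closed" confirms the ACCEPT rule for 587 is doing its job and the fix belongs in the mail daemon's configuration (enable its submission listener), not in iptables; "filtered" would point back at the firewall. On the server itself, `ss -ltn` (or `netstat -ltn`) shows whether anything is bound to :587 at all.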