Allow Outgoing SMTP on iptables Debian Linux – Email Configuration

emailiptableslinuxsmtp

If I choose to allow all traffic on the OUTPUT chain (iptables -P OUTPUT ACCEPT) mail sends fine. As soon as I lock down my server with these rules, outgoing mail stops working. All else works though, which is strange.

Does anyone see anything in here that would keep my outgoing mail from sending? I am stumped, have looked at these rules over and over and tried lots of different versions.

 iptables -F
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP


 iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

 iptables -A INPUT  -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

 iptables -A INPUT  -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

 iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

 iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
 iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT

 iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
 iptables -A OUTPUT -p tcp --sport 587 -j ACCEPT

 iptables -A OUTPUT  -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

 iptables -A OUTPUT  -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT  -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 iptables -A OUTPUT -p udp  --dport 53 -j ACCEPT
 iptables -A INPUT -p udp  --sport 53 -j ACCEPT

 iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
 iptables -A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT


 iptables -N LOGGING
 iptables -A INPUT -j LOGGING
 iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
 iptables -A LOGGING -j DROP

Best Answer

You have a rule to let the traffic out, but you don't have a rule to let the return traffic in.

I'm guessing you meant for these 2 rules to be -A INPUT instead:

iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 587 -j ACCEPT

However using the source port as a method of allowing return traffic in is a bad way to secure the system. All someone has to do is use one of these source ports and your firewall ruleset becomes useless.

A much better idea would be to remove all the -A INPUT ... --sport rules and use just this single rule instead:

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

The way this rule works is that when your system makes an outbound connection, the kernel records the connection in a tracking table. Then when packets from the remote system come back in, it looks to see if those packets are associated with any connections in the tracking table.
The ESTABLISHED bit is the one that allows traffic directly related to the session. This will be TCP packets coming back on the stream.
The RELATED bit lets traffic that's related to the connection, but isn't part of the connection itself, through. This can be things like ICMP packets, such as "ICMP can't fragment". These packets aren't part of the TCP stream, but are vitally important to keeping the stream alive (which is also another thing your ruleset doesn't cover, and without which you will see odd connection issues and loss).

This rule also works for UDP traffic, but because UDP is stateless, it's not quite the same. Instead the kernel has to keep track of UDP packets that go out, and just assumes that when UDP packets come back on the same host/port combination, and it's within a short time frame, that they're related.

Related Solutions

Iptables: Matching Outgoing Traffic with Conntrack and Owner – Troubleshooting Drops

To cut a long story short, that ACK was sent when the socket didn't belong to anybody. Instead of allowing packets that pertain to a socket that belongs to user x, allow packets that pertain to a connection that was initiated by a socket from user x.

The longer story.

To understand the issue, it helps to understand how wget and HTTP requests work in general.

wget http://cachefly.cachefly.net/10mb.test

wget establishes a TCP connection to cachefly.cachefly.net, and once established sends a request in the HTTP protocol that says: "Please send me the content of /10mb.test (GET /10mb.test HTTP/1.1) and by the way, could you please not close the connection after you're done (Connection: Keep-alive). The reason it does that is because in case the server replies with a redirection for a URL on the same IP address, it can reuse the connection.

Now the server can reply with either, "here comes the data you requested, beware it's 10MB large (Content-Length: 10485760), and yes OK, I'll leave the connection open". Or if it doesn't know the size of the data, "Here's the data, sorry I can't leave the connection open but I'll tell when you can stop downloading the data by closing my end of the connection".

In the URL above, we're in the first case.

So, as soon as wget has obtained the headers for the response, it knows its job is done once it has downloaded 10MB of data.

Basically, what wget does is read the data until 10MB have been received and exit. But at that point, there's more to be done. What about the server? It's been told to leave the connection open.

Before exiting, wget closes (close system call) the file descriptor for the socket. Upon, the close, the system finishes acknowledging the data sent by the server and sends a FIN to say: "I won't be sending any more data". At that point close returns and wget exits. There is no socket associated to the TCP connection anymore (at least not one owned by any user). However it's not finished yet. Upon receiving that FIN, the HTTP server sees end-of-file when reading the next request from the client. In HTTP, that means "no more request, I'll close my end". So it sends its FIN as well, to say, "I won't be sending anything either, that connection is going away".

Upon receiving that FIN, the client sends a "ACK". But, at that point, wget is long gone, so that ACK is not from any user. Which is why it is blocked by your firewall. Because the server doesn't receive the ACK, it's going to send the FIN over and over until it gives up and you'll see more dropped ACKs. That also means that by dropping those ACKs, you're needlessly using resources of the server (which needs to maintain a socket in the LAST-ACK state) for quite some time.

The behavior would have been different if the client had not requested "Keep-alive" or the server had not replied with "Keep-alive".

As already mentioned, if you're using the connection tracker, what you want to do is let every packet in the ESTABLISHED and RELATED states through and only worry about NEW packets.

If you allow NEW packets from user x but not packets from user y, then other packets for established connections by user x will go through, and because there can't be established connections by user y (since we're blocking the NEW packets that would establish the connection), there will not be any packet for user y connections going through.

Best Answer

Related Solutions

Iptables: Matching Outgoing Traffic with Conntrack and Owner – Troubleshooting Drops

Related Question