If I choose to allow all traffic on the OUTPUT chain (iptables -P OUTPUT ACCEPT
) mail sends fine. As soon as I lock down my server with these rules, outgoing mail stops working. All else works though, which is strange.
Does anyone see anything in here that would keep my outgoing mail from sending? I am stumped, have looked at these rules over and over and tried lots of different versions.
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
Best Answer
You have a rule to let the traffic out, but you don't have a rule to let the return traffic in.
I'm guessing you meant for these 2 rules to be
-A INPUT
instead:However using the source port as a method of allowing return traffic in is a bad way to secure the system. All someone has to do is use one of these source ports and your firewall ruleset becomes useless.
A much better idea would be to remove all the
-A INPUT ... --sport
rules and use just this single rule instead:The way this rule works is that when your system makes an outbound connection, the kernel records the connection in a tracking table. Then when packets from the remote system come back in, it looks to see if those packets are associated with any connections in the tracking table.
The
ESTABLISHED
bit is the one that allows traffic directly related to the session. This will be TCP packets coming back on the stream.The
RELATED
bit lets traffic that's related to the connection, but isn't part of the connection itself, through. This can be things like ICMP packets, such as "ICMP can't fragment". These packets aren't part of the TCP stream, but are vitally important to keeping the stream alive (which is also another thing your ruleset doesn't cover, and without which you will see odd connection issues and loss).This rule also works for UDP traffic, but because UDP is stateless, it's not quite the same. Instead the kernel has to keep track of UDP packets that go out, and just assumes that when UDP packets come back on the same host/port combination, and it's within a short time frame, that they're related.