Re: smtp and iptables
From: Tatome (gar_keiner_at_hotmail.com)
Date: 16 Feb 2005 04:30:35 -0800
thank you very much for your answer. You gave me quite a few pointers
on what to look for to improve my firewall. I'll definitely remove the
rule for identd for example.
Still - even with that rule in the OUTPUT chain permitting outgoing
smtp connections I can't send e-mails. I would've been surprised, too,
if I could: the chain policy for OUTPUT is ACCEPT. It really seems to
be something with the INPUT chain configuration since everything works
just fine if I do iptables -P INPUT ACCEPT.
Last night I checked if the box in question finds out what machine to
connect to. It does. And it can resolve the host name, too. If I
permit returning icmp packets I can even ping the target mail server.
But the smtp connection times out and my guess is that my firewall
filters the mail server's answers, although I don't understand why.
But I really don't know enough about the smtp and tcp protocols.
Thanks again for your help,
"Jim Ficarra" <email@example.com> wrote in message news:<4xeQd.21962$ya6.12554@trndny01>...
> The INPUT chain defines rules coming IN to the box, not out. You had
> indicated you want your exim server to send outgoing e-mail. To do this,
> you want to add a rule to allow outgoing TCP connections on Port 25 on the
> OUTPUT chain.
> Source: Your debian box
> Destination: 0.0.0.0/0
> Protocol: TCP
> Dpt: 25
> The rules you have listed below allow ANY machine to:
> 1) Establish an SMTP session with your Debian box (port 25)
> If this is the incoming mail server, then this is what you want
> 2) Use the Ident protocol (port 113) - Unless you really, really, really
> need this for a specific reason, don't allow it
> I'd get rid of it if I were you.
> 3) Connect to your debian box using SSH (port 22)
> See if you can narrow down the source so that a limited # of machines
> can attempt connection
> 4) Connect to your debian box using their web browser (port 80) assuming you
> have Apache or other HTTP Daemon installed
> Make sure you have all the security patches installed
> 5) Allow your name server to connect to this debian box on all protocols and
> all ports
> Ugh. I'm not sure why you want your name server to connect to you on
> any and all ports and protocols. Assuming your debian box does not have
> BIND or other DNS Daemon installed, you don't want this. Instead, on the
> output chain allow the Debian box to establish outbound connections to your
> name server on port 53 using both tcp and udp.
> 6) Ping your debian box
> You might want to consider dropping ICMP packets.
> One big, final thing: You should use the "state" feature of iptables to
> allow related and established packets back in. If you use this feature, for
> example, when establishing your outbound connections on the output chain,
> the return packets from the established connection will be automatically
> allowed back in. This prevents you from having to explicitly define rules
> on the INPUT chain to allow the return traffic.
> I hope this helps. If you're really interested in a good book on IP Tables,
> try "Linux Firewalls, 2nd Edition" by Bob Ziegler (ISBN: 0735710996).
> Good luck.
> "Tatome" <firstname.lastname@example.org> wrote in message
> > Hi, everyone,
> > I'm trying to get my debian box to send out messages via exim.
> > Unfortunately this desire seems to collide with my wish to make my
> > server as secure as possible. I set up a few firewall rules that seem
> > to effectively make smtp connections impossible although I don't know
> > how.
> > iptables -nL INPUT reads as follows:
> > Chain INPUT (policy DROP)
> > target     prot opt source             destination
> > ACCEPT     tcp  --  0.0.0.0/0          0.0.0.0/0          tcp dpt:25
> > ACCEPT     tcp  --  0.0.0.0/0          0.0.0.0/0          tcp dpt:113
> > ACCEPT     tcp  --  0.0.0.0/0          0.0.0.0/0          tcp dpt:22
> > ACCEPT     tcp  --  0.0.0.0/0          0.0.0.0/0          tcp dpt:80
> > ACCEPT     all  --  [my.name.server]   0.0.0.0/0
> > ACCEPT     icmp --  0.0.0.0/0          0.0.0.0/0
> > As you can see the smtp port as well as the ident port are wide open.
> > Still exim says "Connection timed out" in the mainlog as long as the
> > chain policy is "DROP".
> > One thing I can think of is that there might be some other protocol
> > required for sending e-mails. I don't know which one though and I
> > don't find anything on the net.
> > Any help is greatly appreciated.
> > Johannes
> > PS: I'm fairly new to iptables and I guess these aren't the smartest
> > ever firewall rules. Feel free to tell me if I'm missing something
> > important.
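To make the point of the thread concrete, here is an added toy model of the INPUT chain (written for this page, not code posted by Johannes or Jim). It walks a few constructed packets through the chain exactly as posted and through a chain rewritten with the "state" match Jim describes (`-m state --state ESTABLISHED,RELATED -j ACCEPT`). The addresses are RFC 5737 documentation addresses standing in for the real hosts, and the packet set is constructed; the chain walk itself (first matching rule wins, otherwise the policy applies) is how iptables evaluates a chain.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    """One packet as the INPUT chain sees it (constructed sample data)."""
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source address
    dport: Optional[int]       # destination port on our box (None for icmp)
    state: str                 # conntrack view: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    """A simplified iptables rule; a None field matches anything, like an omitted option."""
    target: str                                # -j ACCEPT / DROP
    proto: Optional[str] = None                # -p
    src: Optional[str] = None                  # -s
    dport: Optional[int] = None                # --dport
    states: Optional[FrozenSet[str]] = None    # -m state --state

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def filter_input(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed addresses (RFC 5737 documentation ranges) standing in for the thread's hosts.
DEBIAN_BOX = "192.0.2.10"
NAME_SERVER = "192.0.2.53"       # the thread's [my.name.server]
MAIL_RELAY = "198.51.100.25"     # the remote SMTP server exim connects to
STRANGER = "203.0.113.7"         # some unrelated host on the internet

# The INPUT chain as posted, policy DROP.
ORIGINAL_INPUT = [
    Rule("ACCEPT", proto="tcp", dport=25),
    Rule("ACCEPT", proto="tcp", dport=113),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", src=NAME_SERVER),
    Rule("ACCEPT", proto="icmp"),
]

# The same chain after the advice in the thread, i.e. roughly:
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT   (likewise 22 and 80)
# The ident rule and the any-port name-server rule are gone; DNS answers now
# come back through the state rule, and unsolicited ICMP falls to the policy.
CORRECTED_INPUT = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp", dport=25, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="tcp", dport=80, states=frozenset({"NEW"})),
]

# Constructed sample packets. The important one is the relay's SYN-ACK answering
# our outbound SMTP connection: it arrives FROM port 25 on the relay TO an
# ephemeral port on our box, so a "tcp dpt:25" rule never matches it.
SAMPLES: Dict[str, Packet] = {
    "smtp_reply":        Packet("tcp",  MAIL_RELAY,  dport=43210, state="ESTABLISHED"),
    "dns_reply":         Packet("udp",  NAME_SERVER, dport=40001, state="ESTABLISHED"),
    "inbound_smtp":      Packet("tcp",  STRANGER,    dport=25,    state="NEW"),
    "unsolicited_ident": Packet("tcp",  STRANGER,    dport=113,   state="NEW"),
    "ping_request":      Packet("icmp", STRANGER,    dport=None,  state="NEW"),
}


def verdicts(rules: List[Rule], policy: str = "DROP") -> Dict[str, str]:
    """Verdict for every sample packet under the given chain and policy."""
    return {name: filter_input(rules, policy, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL_INPUT), ("corrected", CORRECTED_INPUT)):
        print(label, verdicts(chain))
```

Under the original chain the relay's reply to our own connection is dropped (hence exim's "Connection timed out" with policy DROP and success with policy ACCEPT), while anyone's ident and SMTP connection attempts are accepted. Under the corrected chain the reply passes through the ESTABLISHED rule, DNS answers from the name server still get in without a blanket any-port rule, and unsolicited ident traffic falls to the DROP policy.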