I've set up a self-contained Moodle system on a Debian LAMP machine.
This works fine... until I try to set up a simple iptables setup to block all incoming traffic except ports 22, 80 and 443.
My iptables config (produced with iptables -L) looks like the attached screenshot.
This successfully allows access to the site (and SSH) but stops the sending of email. If I remove the DROP rule from the INPUT chain, it all starts working again. As far as I can tell, the rules should allow all outgoing traffic. Does sending via a SMTP host require additional INPUT ports to be allowed?
I've tried turning on logging and inspected the blocked traffic, but can't see any obvious reason for the issue. I'll be honest and say that I am fairly new to Linux and iptables, and googling didn't suggest anything helpful.
I'm not overly concerned as the box is NAT'd behind a dedicated firewall, but I was hoping to make it a little more protected by setting up iptables.
Any suggestions? Thanks!
This belongs in an iptables forum rather than a Moodle forum, but...
iptables operates on packets rather than on connections. When you make an SMTP connection (or any other type of connection), packets flow in both directions, so you need to make sure that you allow packet flow in both directions. You are allowing outgoing connections to the SMTP server by having an ACCEPT policy on your OUTPUT table, and not having any rules, but when the SMTP server replies, it hits the INPUT chain, sees that the packet isn't heading to the SSH, HTTP, or HTTPS port, so it gets dropped.
You'll want to use the conntrack module, and ACCEPT any ESTABLISHED packets (and it may also be a good idea to ACCEPT RELATED packets as well, though I don't think it's necessary for SMTP), which will cause iptables to realize that the incoming packets are part of the SMTP connection that you already initiated. (See also the Ubuntu iptables HOWTO.)
Thanks - I've been doing some further digging and you are, of course, absolutely correct.
Adding INPUT rules for the returning connection helped, as did rules for DNS and LDAP (as I have LDAP authentication running). See below.
Coming from a Windows background has obviously made me lazy, I forget how explicit you need to be when configuring a Linux box.
I would avoid filtering the INPUT based solely on source port. In theory, an attacker could send a packet from, say, the LDAP port to any other port on your system, effectively bypassing your firewall.
By the way, instead of writing the iptables rules manually, you may want to use a frontend such as shorewall.
What's your MTA (mail transfer agent) for local host (ie, the Moodle server)? Sendmail? Postfix? Exim?
If using iptables, wouldn't one have to have the smtp port opened at least for outbound traffic? One doesn't config a full blown mail server ... ie, one that both sends and receives - just the send part. ;)
'spirit of sharing', Ken
I'm not entirely sure - it's a standard Moodle install on a dedicated Debian box. Sendmail?
I think I'm just going to go down the
Thanks for your help guys. I can see I have much to learn.
smtp uses port 25
the first URL is old but it does help explain:
Might also read:
Suggest installing something like pine/alpine to be able to test sending mail from Moodle server operating system (also handy if an account is setup to rec. notifications, etc. from Moodle).
And a comment/thought about local firewall ... what would protect the server from an inside attack ... either un-intentional (workstation contracted a worm) or intentional?
'spirit of sharing', Ken
Thanks for the additional info. I find the official Debian documentation well intentioned, but sometimes you're just not sure if it's relevant or out of date.
I'm not sure what package Moodle uses to send email when using another server as an SMTP host. But it's currently working OK for me now and I'm getting Moodle update notifications and user-to-user messages via email.
A quick look suggests that it's exim4, but I'm not sure that Moodle's using it.
I'm sure my iptables config is OK now (as in my last post) and not too open on the local network. I'm glad I'm not trying to do anything too complicated with it.
Yes, tried to suggest that about the link found for Debian. In your IP Tables config, you don't show port 25 (the smtp port) as being liberally allowed as the other ports ... last statement there denies all that are not listed. Think that's why some messages not being received. Moodle was attempting to send, but blocked by the local MTA/IP Tables.
Consider installing Webmin on your server. Perl based so even if apache/mysql/moodle down, one has access. Has lots of tools to help admin a Linux server (including exim4, I think) - even helps one find things is not known ... like the mail logs, etc.. and backup DB. etc..
'spirit of sharing', Ken