Security and privacy

 
 
Picture of Hubert Chathi
Re: iptables firewall stops email messages to SMTP host
 

This belongs in an iptables forum rather than a Moodle forum, but...

iptables operates on packets rather than on connections.  When you make an SMTP connection (or any other type of connection), packets flow in both directions, so you need to make sure that you allow packet flow in both directions.  You are allowing outgoing connections to the SMTP server by having an ACCEPT policy on your OUTPUT table, and not having any rules, but when the SMTP server replies, it hits the INPUT chain, sees that the packet isn't heading to the SSH, HTTP, or HTTPS port, so it gets dropped.

You'll want to use the conntrack module, and ACCEPT any ESTABLISHED packets (and it may also be a good idea to ACCEPT RELATED packets as well, though I don't think it's necessary for SMTP), which will cause iptables to realize that the incoming packets are part of the SMTP connection that you already initiated.  (See also the Ubuntu iptables HOWTO.)

 
Average of ratings: -
Picture of Adrian Scarle
Re: iptables firewall stops email messages to SMTP host
 

Hi Hubert,

Thanks - I've been doing some further digging and you are, of course, absolutely correct.

Adding INPUT rules for the returning connection helped, as did rules for DNS and LDAP (as I have LDAP authentication running). See below.

Coming from a Windows background has obviously made me lazy, I forget how explicit you need to be when configuring a Linux box.

Adrian


 
Average of ratings: -
Picture of Hubert Chathi
Re: iptables firewall stops email messages to SMTP host
 

I would avoid filtering the INPUT based solely on source port.  In theory, an attacker could send a packet from, say, the LDAP port to any other port on your system, effectively bypassing your firewall.

By the way, instead of writing the iptables rules manually, you may want to use a frontend such as shorewall.

 
Average of ratings: -