Linux Iptables: How to block or open mail server / SMTP protocol

July 22, 2005 · 12 comments · last updated November 12, 2007


SMTP is the protocol used to send mail. Sendmail, Qmail, Postfix, Exim and others are all used as mail servers on Linux, and a mail server listens on TCP port 25. The following two iptables rules allow incoming SMTP requests on port 25 for the server IP address 202.54.1.20 (that is, they open port 25):
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

To block port 25, simply use the target REJECT instead of ACCEPT in the rules above.

And the following two iptables rules allow outgoing SMTP requests from the server with IP address 202.54.1.20:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
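The four rules above are easy to mistype, and the only difference between opening and blocking port 25 is the target of the inbound pair. The script below is an added example, not part of the original post: it generates the article's rule set for a given server address and inbound target so the rules can be reviewed before they are applied. The function name, the APPLY switch and the argument handling are this example's own; the rule text is exactly the article's.

```shell
#!/bin/sh
# Added example (not from the original post): print the four SMTP rules from
# the article for one server address. Nothing is applied unless APPLY=1 is set
# and the script is run as root. Names below are this example's own.

# smtp_rules SERVER_IP INBOUND_TARGET
#   SERVER_IP       address of the mail server (the article uses 202.54.1.20)
#   INBOUND_TARGET  ACCEPT to open port 25, REJECT to block it; the article
#                   says to swap the target in both inbound rules, so both
#                   get it here
# Prints one iptables command per line and applies nothing.
smtp_rules() {
    ip="$1"
    target="$2"
    case "$target" in
        ACCEPT|REJECT) ;;
        *) echo "smtp_rules: target must be ACCEPT or REJECT" >&2; return 1 ;;
    esac
    # Incoming SMTP: a remote client connects from an unprivileged port to our port 25.
    echo "iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 25 -m state --state NEW,ESTABLISHED -j $target"
    echo "iptables -A OUTPUT -p tcp -s $ip --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j $target"
    # Outgoing SMTP: our MTA connects from an unprivileged port to a remote port 25.
    echo "iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $ip --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT"
}

# Usage:  sh smtp-rules.sh 202.54.1.20 ACCEPT          # print the rules
#         APPLY=1 sh smtp-rules.sh 202.54.1.20 REJECT  # run them (as root)
if [ "$#" -eq 2 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        smtp_rules "$1" "$2" | sh
    else
        smtp_rules "$1" "$2"
    fi
fi
```

Run it without APPLY first and read the four lines; the inbound pair carries the chosen target and the outbound pair is always ACCEPT, which matches what the article describes.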



1 rajkumar July 23, 2005 at 2:24 pm

Rockdalinux, how to block multimedia ports? Please include some info aka rulez on this


2 Anonymous December 22, 2005 at 1:33 pm

how to block all port 25 access except on one legitimate mail server?

so that other pc must use this legit mail server and
can not use their own smtp relay to send mail

tia
rex
http://www.gobloglah.com


3 Debian etch user November 12, 2007 at 3:10 pm

I'm running Debian etch with sendmail for sending email from web pages and a normal account GUI, and this just DOES NOT WORK!!!!! What does work is:

(yes, it could be altered and improved, but I spent ages trying different things and this is the first that worked)

###########################################################
#ALLOW SMTP
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 25 -j ACCEPT

##########################################################
#ALLOW DNS

iptables -A INPUT -p tcp --dport 53:50956 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53:50956 -j ACCEPT
iptables -A INPUT -p udp --dport 53:50956 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53:50956 -j ACCEPT

YOU MUST ALLOW DNS NOT ONLY FOR UPDATES BUT TO GET THE CONTACT SERVER ADDRESS OF COURSE OR IT WONT KNOW WHERE TO SEND THE MAIL.

most of the other stuff on this site will work on debian so stick with it.


4 Debian etch user November 12, 2007 at 3:28 pm

Can I add that upon getting DNS through I didn't go back to what is actually listed on this page, so it may work but I'm not sure.


5 Debian etch user November 12, 2007 at 4:28 pm

FORGET IT, I DIDN'T REALISE IT JUST ALLOWS ALL PORTS BETWEEN 53-50956 TO PASS


6 Nishal May 22, 2009 at 10:19 am

Hi,

I have run those two rules for allowing SMTP port 25, but it's still not working.
I did nmap for the server, and it still says:

25/tcp filtered smtp

Is there anything like I need to restart some network service for it to take effect?
Excuse me for my childish question, I'm new to Linux and network systems.


7 nixCraft May 22, 2009 at 12:19 pm

Can you telnet to port 25 and get response?
telnet mail.server.ip 25


8 Earth January 18, 2010 at 5:17 pm

If it doesn't work for you and your connection is hanging on outgoing mail, then it probably means that your firewall is blocking DNS queries. This should always be allowed, since much software (web server, mail server, etc.) performs DNS lookups to get IPs for domains.

Note: whether you need to have DNS software installed is irrelevant; you just need a DNS resolver to send DNS queries to.

Just add these two records:

iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

DNS queries can be either UDP or TCP based, depending on the size of the request, therefore both types must be allowed.

Hope this helps

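The comment above gives only the two INPUT rules for resolver replies, which is enough when the OUTPUT chain already permits everything. The script below is an added example, not from the original post or the commenter: it generates the stateful client-side rules for both UDP and TCP port 53 in both directions, and includes a small self-check for the point the comment makes about needing both protocols. The function names, the optional resolver argument and the address 192.0.2.53 (a constructed documentation-range example) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): rules that let this host query a
# DNS resolver over UDP and TCP port 53. The INPUT lines are the ones from the
# comment above; the OUTPUT lines are added on the assumption that the OUTPUT
# chain is not already wide open. Names are this example's own.

# dns_client_rules [RESOLVER]
#   RESOLVER  address of the resolver to allow; defaults to 0/0 (any resolver)
# Prints one iptables command per line for each protocol and applies nothing.
dns_client_rules() {
    resolver="${1:-0/0}"
    for proto in udp tcp; do
        # Query: from an unprivileged local port to the resolver's port 53.
        echo "iptables -A OUTPUT -p $proto -d $resolver --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
        # Reply: from port 53 back to that local port; ESTABLISHED only, as in the comment.
        echo "iptables -A INPUT -p $proto -s $resolver --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT"
    done
}

# dns_rules_cover_both_protocols [RESOLVER]
#   Returns 0 when the generated set contains both a udp and a tcp rule,
#   1 otherwise. Large answers fall back to TCP, so a udp-only set is a bug.
dns_rules_cover_both_protocols() {
    rules=$(dns_client_rules "$1")
    echo "$rules" | grep -q -- '-p udp' && echo "$rules" | grep -q -- '-p tcp'
}

# Usage:  sh dns-rules.sh 192.0.2.53      # print rules for one resolver
#         sh dns-rules.sh 0/0             # print rules for any resolver
if [ "$#" -ge 1 ]; then
    dns_client_rules "$1"
fi
```

Pass the address of the resolver the host actually uses (the one in /etc/resolv.conf) rather than 0/0 where you can; the rules are then no wider than the lookups the mail server needs.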

9 scott September 27, 2010 at 8:16 pm

Thanks! Exactly what I was looking for and every other page simply complicated the matter.


10 dato000 August 16, 2012 at 11:20 pm

thanks dude


11 Vadiraj Joish September 9, 2012 at 6:19 am

I want to allow all the users to access only company mail and FTP through iptables. How can I do that?

Regards
Vadiraj Joish


12 Mac November 8, 2012 at 9:17 pm

Are you needing iptables chains for only FTP and email?

Note: for FTP you will need to load ip_conntrack_ftp, otherwise it will not work.

in /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_ftp"

For port 21 you will need this rule:

-A INPUT -s 192.168.1.0/24 -d 192.168.1.5/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT

Place the example above below this rule:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Then for port 25:

-A fw -s 192.168.0.1/24 -d 192.168.0.8/24 -i eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

Another example; just plug in your IP range.

See if this helps you out any.
