Linux Iptables: How to block or open mail server / SMTP protocol
SMTP is used to send mail. Sendmail, Qmail, Postfix, Exim etc all are used on Linux as mail server. Mail server uses the TCP port 25. Following two iptable rule allows incoming SMTP request on port 25 for server IP address 202.54.1.20 (open port 25):
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
In order to block port 25 simply use target REJECT instead of ACCEPT in above rules.
And following two iptables rules allows outgoing SMTP server request for server IP address 202.54.1.20:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
You may also be interested in other helpful articles:
- Linux Iptables allow or open IMAP server port
- Linux: Iptables # 14 How to allow POP3 server/protocol request
- Linux Iptables block outgoing access to selected or specific ip address
- Linux Iptables block all network traffic
- Linux Iptables block incoming access to selected or specific ip address
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: block port 25, exim, iptable, Iptables, Linux, Mail server, open port 25, outgoing smtp server, Postfix, sendmail, server ip address, server mail, tcp port
Rockdalinux, how to block multimedia ports? Please include some info aka rulez on this
how to block all port 25 access except on one legitimate mail server?
so that other pc must use this legit mail server and
can not use their own smtp relay to send mail
tia
rex
http://www.gobloglah.com
Im running Debian etch with sendmail for sending email from web pages and normal account gui and this just DOES NOT WORK!!!!! what does work is:
(yes it could be altered and improved but i spent ages trying different things and this is the first that worked)
###########################################################
#ALLOW SMTP
iptables -A INPUT -p tcp -m state –state NEW,ESTABLISHED –dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m state –state NEW,ESTABLISHED,RELATED –sport 25 -j ACCEPT
iptables -A FORWARD -p tcp -m state –state ESTABLISHED,RELATED –sport 25 -j ACCEPT
##########################################################
#ALLOW DNS
iptables -A INPUT -p tcp –dport 53:50956 -j ACCEPT
iptables -A OUTPUT -p tcp –sport 53:50956 -j ACCEPT
iptables -A INPUT -p udp –dport 53:50956 -j ACCEPT
iptables -A OUTPUT -p udp –sport 53:50956 -j ACCEPT
YOU MUST ALLOW DNS NOT ONLY FOR UPDATES BUT TO GET THE CONTACT SERVER ADDRESS OF COURSE OR IT WONT KNOW WHERE TO SEND THE MAIL.
most of the other stuff on this site will work on debian so stick with it.
Can i add that upon getting dns throu i didnt go back to what is actually listed on this page - so it may work but im not sure
FORGET IT I DIDNT REALISE IT JUST ALLOWS ALL PORTS BETWEEN 53-50956 TO PASS