Linux Iptables: How to block or open mail server / SMTP protocol

Posted by Vivek Gite [Last updated: November 12, 2007]

SMTP is the protocol used to send mail. Sendmail, Qmail, Postfix, Exim and others are used as mail servers on Linux. A mail server listens on TCP port 25. The following two iptables rules allow incoming SMTP requests on port 25 for the server with IP address 202.54.1.20 (open port 25):
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

To block port 25, use the REJECT target instead of ACCEPT in the rules above.

The following two iptables rules allow outgoing SMTP requests from the server with IP address 202.54.1.20, i.e. the server delivering mail to remote mail servers on port 25:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
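As an added example (not part of the original article), this POSIX shell script generates the four rules above for a given server IP with either the ACCEPT or the REJECT target. The function names smtp_rules and valid_ipv4 and the IPT variable are my own; by default the commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example: build the article's four SMTP rules for one server IP.
# IPT defaults to "echo iptables", which prints the rules for review;
# set IPT=iptables and run as root to apply them for real.
IPT="${IPT:-echo iptables}"

# Accept only dotted-quad IPv4 addresses with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    for o in $1; do
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
}

# smtp_rules SERVER_IP TARGET   (TARGET is ACCEPT to open, REJECT to block)
smtp_rules() {
    ip=$1; target=$2
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    case "$target" in
        ACCEPT|REJECT) ;;
        *) echo "target must be ACCEPT or REJECT" >&2; return 1 ;;
    esac
    # Inbound mail: remote ephemeral port -> our port 25 (new sessions allowed).
    $IPT -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 25 -m state --state NEW,ESTABLISHED -j "$target"
    # Replies to those inbound sessions only; port 25 never opens new connections.
    $IPT -A OUTPUT -p tcp -s "$ip" --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j "$target"
    # Outbound delivery: our ephemeral port -> remote mail server's port 25.
    $IPT -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j "$target"
    # Replies from the remote mail server to our outbound sessions.
    $IPT -A INPUT -p tcp -s 0/0 --sport 25 -d "$ip" --dport 1024:65535 -m state --state ESTABLISHED -j "$target"
}
```

Because the rules are appended with -A, an earlier ACCEPT rule in the same chain still matches first, so check the existing chain order with iptables -L -n --line-numbers before relying on the REJECT variant.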


Discussion on This Article:

  1. rajkumar Says:

    Rockdalinux, how to block multimedia ports? Please include some info aka rulez on this

  2. Anonymous Says:

    how to block all port 25 access except on one legitimate mail server?

    so that other pc must use this legit mail server and
    can not use their own smtp relay to send mail

    tia
    rex
    http://www.gobloglah.com

  3. Debian etch user Says:

    I'm running Debian etch with sendmail for sending email from web pages and normal account gui and this just DOES NOT WORK!!!!! what does work is:

    (yes it could be altered and improved but I spent ages trying different things and this is the first that worked)

    ###########################################################
    #ALLOW SMTP
    iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 25 -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --sport 25 -j ACCEPT
    iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 25 -j ACCEPT

    ##########################################################
    #ALLOW DNS

    iptables -A INPUT -p tcp --dport 53:50956 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 53:50956 -j ACCEPT
    iptables -A INPUT -p udp --dport 53:50956 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 53:50956 -j ACCEPT

    YOU MUST ALLOW DNS NOT ONLY FOR UPDATES BUT TO GET THE CONTACT SERVER ADDRESS OF COURSE OR IT WONT KNOW WHERE TO SEND THE MAIL.

    most of the other stuff on this site will work on debian so stick with it.

  4. Debian etch user Says:

    Can I add that upon getting DNS through I didn't go back to what is actually listed on this page - so it may work but I'm not sure

  5. Debian etch user Says:

    FORGET IT I DIDN'T REALISE IT JUST ALLOWS ALL PORTS BETWEEN 53-50956 TO PASS
