≡ Menu

Linux Iptables: How to block or open mail server / SMTP protocol

SMTP is used to send mail. Sendmail, Qmail, Postfix, Exim etc all are used on Linux as mail server. Mail server uses the TCP port 25. Following two iptable rule allows incoming SMTP request on port 25 for server IP address 202.54.1.20 (open port 25):
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

In order to block port 25 simply use target REJECT instead of ACCEPT in above rules.

And following two iptables rules allows outgoing SMTP server request for server IP address 202.54.1.20:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Comments on this entry are closed.

  • rajkumar July 23, 2005, 2:24 pm

    Rockdalinux, how to block multimedia ports? Please include some info aka rulez on this

  • Anonymous December 22, 2005, 1:33 pm

    how to block all port 25 access except on one legitimate mail server?

    so that other pc must use this legit mail server and
    can not use their own smtp relay to send mail

    tia
    rex
    http://www.gobloglah.com

  • Debian etch user November 12, 2007, 3:10 pm

    Im running Debian etch with sendmail for sending email from web pages and normal account gui and this just DOES NOT WORK!!!!! what does work is:

    (yes it could be altered and improved but i spent ages trying different things and this is the first that worked)

    ###########################################################
    #ALLOW SMTP
    iptables -A INPUT -p tcp -m state –state NEW,ESTABLISHED –dport 25 -j ACCEPT
    iptables -A OUTPUT -p tcp -m state –state NEW,ESTABLISHED,RELATED –sport 25 -j ACCEPT
    iptables -A FORWARD -p tcp -m state –state ESTABLISHED,RELATED –sport 25 -j ACCEPT

    ##########################################################
    #ALLOW DNS

    iptables -A INPUT -p tcp –dport 53:50956 -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 53:50956 -j ACCEPT
    iptables -A INPUT -p udp –dport 53:50956 -j ACCEPT
    iptables -A OUTPUT -p udp –sport 53:50956 -j ACCEPT

    YOU MUST ALLOW DNS NOT ONLY FOR UPDATES BUT TO GET THE CONTACT SERVER ADDRESS OF COURSE OR IT WONT KNOW WHERE TO SEND THE MAIL.

    most of the other stuff on this site will work on debian so stick with it.

  • Debian etch user November 12, 2007, 3:28 pm

    Can i add that upon getting dns throu i didnt go back to what is actually listed on this page – so it may work but im not sure

  • Debian etch user November 12, 2007, 4:28 pm

    FORGET IT I DIDNT REALISE IT JUST ALLOWS ALL PORTS BETWEEN 53-50956 TO PASS

  • Nishal May 22, 2009, 10:19 am

    Hi,

    I have run those two rules for allowing SMTP port 25, but its still not working,
    I did nmap for the server, and it still says
    .
    25/tcp filtered smtp
    .

    Is there anything like i need to restart some network service to take affect.
    Excuse me for my childish question, i new to linux n network system.

    • nixCraft May 22, 2009, 12:19 pm

      Can you telnet to port 25 and get response?
      telnet mail.server.ip 25

  • Earth January 18, 2010, 5:17 pm

    If it doesn’t work for you and your connection is hanging on outgoing mail then it probably means that your firewall is blocking DNS queries. This should always be allowed since many software (web server, mail server, etc.) perform DNS lookups to get IPs for domains.

    Note: whether you need to have DNS software installed is irrelative, you just need a DNS resolver to perform DNS queries to.

    Just add these two records:

    iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

    DNS queries can both be either UDP or TCP based, depending on the size of the request, therefore both types must be allowed.

    Hope this helps

  • scott September 27, 2010, 8:16 pm

    Thanks! Exactly what I was looking for and every other page simply complicated the matter.

  • dato000 August 16, 2012, 11:20 pm

    thanks dude

  • Vadiraj Joish September 9, 2012, 6:19 am

    I want to allow all the users to access only company mails and ftp through iptables How can i do that?

    Regards
    Vadiraj Joish

    • Mac November 8, 2012, 9:17 pm

      Are you needing iptables – chains for only ftp and email?

      Note: for ftp you will need to load the ip_conntrack_ftp otherwise it will not work.

      in – /etc/sysconfig/iptables-config
      IPTABLES_MODULES=”ip_conntrack_ftp”

      port 21 you will need this rule:

      -A INPUT -s 192.168.1.0/24 -d 192.168.1.5/32 -i eth0 -p tcp -m tcp –sport 1024:65535 –dport 21 -m state –state NEW -j ACCEPT

      example above place below:

      -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

      then for port 25

      -A fw -s 192.168.0.1/24 -d 192.168.0.8/24 -i eth0 -p tcp -m state –state NEW -m tcp –dport 25 -j ACCEPT

      another example just plug in your ip range

      see if this help you out any

  • Craig March 25, 2015, 8:43 pm

    How can I block (all) email from all sources other than 10.10.10.10 (my barracuda spam firewall)?