SMTP is used to send mail. Sendmail, Qmail, Postfix, Exim etc all are used on Linux as mail server. Mail server uses the TCP port 25. Following two iptable rule allows incoming SMTP request on port 25 for server IP address 202.54.1.20 (open port 25):
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
In order to block port 25 simply use target REJECT instead of ACCEPT in above rules.
And following two iptables rules allows outgoing SMTP server request for server IP address 202.54.1.20:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- My 10 UNIX Command Line Mistakes
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
Facebook it - Tweet it - Print it -
We're here to help you make the most of sysadmin work. So, subscribe!
{ 9 comments… read them below or add one }
Rockdalinux, how to block multimedia ports? Please include some info aka rulez on this
how to block all port 25 access except on one legitimate mail server?
so that other pc must use this legit mail server and
can not use their own smtp relay to send mail
tia
rex
http://www.gobloglah.com
Im running Debian etch with sendmail for sending email from web pages and normal account gui and this just DOES NOT WORK!!!!! what does work is:
(yes it could be altered and improved but i spent ages trying different things and this is the first that worked)
###########################################################
#ALLOW SMTP
iptables -A INPUT -p tcp -m state –state NEW,ESTABLISHED –dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m state –state NEW,ESTABLISHED,RELATED –sport 25 -j ACCEPT
iptables -A FORWARD -p tcp -m state –state ESTABLISHED,RELATED –sport 25 -j ACCEPT
##########################################################
#ALLOW DNS
iptables -A INPUT -p tcp –dport 53:50956 -j ACCEPT
iptables -A OUTPUT -p tcp –sport 53:50956 -j ACCEPT
iptables -A INPUT -p udp –dport 53:50956 -j ACCEPT
iptables -A OUTPUT -p udp –sport 53:50956 -j ACCEPT
YOU MUST ALLOW DNS NOT ONLY FOR UPDATES BUT TO GET THE CONTACT SERVER ADDRESS OF COURSE OR IT WONT KNOW WHERE TO SEND THE MAIL.
most of the other stuff on this site will work on debian so stick with it.
Can i add that upon getting dns throu i didnt go back to what is actually listed on this page – so it may work but im not sure
FORGET IT I DIDNT REALISE IT JUST ALLOWS ALL PORTS BETWEEN 53-50956 TO PASS
Hi,
I have run those two rules for allowing SMTP port 25, but its still not working,
I did nmap for the server, and it still says
.
25/tcp filtered smtp
.
Is there anything like i need to restart some network service to take affect.
Excuse me for my childish question, i new to linux n network system.
Can you telnet to port 25 and get response?
telnet mail.server.ip 25If it doesn’t work for you and your connection is hanging on outgoing mail then it probably means that your firewall is blocking DNS queries. This should always be allowed since many software (web server, mail server, etc.) perform DNS lookups to get IPs for domains.
Note: whether you need to have DNS software installed is irrelative, you just need a DNS resolver to perform DNS queries to.
Just add these two records:
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
DNS queries can both be either UDP or TCP based, depending on the size of the request, therefore both types must be allowed.
Hope this helps
Thanks! Exactly what I was looking for and every other page simply complicated the matter.