I am trying to set up iptables to allow SMTP connections, and it does not seem to be working.
Here is the output of iptables -L
:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-callback
ACCEPT tcp -- anywhere anywhere tcp dpt:3980
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:hbci
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:hbci
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
When I try to do telnet host.address.com 25
, it says Connection refused
. Connecting on other ports (for example, 80) works just fine. How do I figure out what's going on here?
EDIT:
Trying to connect on the machine to itself does work:
[root@machine user]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 host.address.com ESMTP Postfix
EDIT 2:
Below is the output from iptables-save
:
# Generated by iptables-save v1.3.5 on Wed Oct 13 22:50:11 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7001 -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7002 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp -m udp --dport 25 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Wed Oct 13 22:50:11 2010
# Generated by iptables-save v1.3.5 on Wed Oct 13 22:50:11 2010
*raw
:PREROUTING ACCEPT [3267:2601193]
:OUTPUT ACCEPT [1984:334831]
COMMIT
# Completed on Wed Oct 13 22:50:11 2010
Best Answer
Gah, what a silly mistake. There was a problem in my
main.cf
file. I needed to setinet_interfaces = all
. Before it was only accepting fromlocalhost
.