I have a Debian server from which I want to block all incoming and outgoing ports (especially all outgoing email ports), except those that I specifically add in iptables. The current setup I have is working and seems restrictive enough, but when I start up a telnet session to test for example port 25 for smtp it just seems to connect without problems, even though I did not specifically open port 25 as OUTPUT port. I noticed that when I flush the iptables with iptables -F, the connection is blocked but then DNS resolution and http traffic also don't work. It might be important to mention that I also run Docker on this server, which means that Docker maintains its own iptables chains which I won't specifically list in this question. None of the Docker rules have port 25 in them, but maybe Docker sets the overall rules too loose?
I haven't found an easy way to actually try to send email to smtp port 25, but I guessed that successfully establishing a telnet session would also allow the same connection to be used for sending mail.
Might anyone be able to point me in the right direction?
The telnet output:
$ telnet smtp-relay.gmail.com 25
Trying 2a00:1450:4013:c03::1c...
Connected to smtp-relay.gmail.com.
Escape character is '^]'.
220 smtp-relay.gmail.com ESMTP k6sm844273wms.37 - gsmtp
INPUT and OUTPUT chains of my current iptables:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere match-set blacklist src
ACCEPT icmp -- 192.168.4.0/24 anywhere icmp echo-request
ACCEPT tcp -- 192.168.4.0/24 anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere multiport dports http,https state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:domain state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport sports http,https state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere 192.168.4.0/24 icmp echo-reply state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.4.0/24 tcp spt:ssh state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports http,https
Best Answer
Your system has IPv6 enabled and is connecting to the remote server using it.
You only show excerpts from your IPv4 firewall so I'll guess you did not configure your IPv6 firewall appropriately.
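The gap the answer points at (IPv4 OUTPUT defaults to DROP, IPv6 OUTPUT still ACCEPTs, and the telnet target resolved to an AAAA record) can be checked mechanically. The script below is an added example, not code from the question or the answer: it reads rule listings in `iptables -S` / `ip6tables -S` format from stdin, reports the default OUTPUT policy per address family, and prints (without executing) an ip6tables egress ruleset that mirrors the question's IPv4 OUTPUT chain. The two embedded rule sets are constructed samples standing in for the output of `iptables -S` and `ip6tables -S`; the function names and the generalised RELATED,ESTABLISHED rule are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): audit egress policy for both
# address families. A host whose IPv4 OUTPUT chain drops by default but whose
# IPv6 OUTPUT chain is still ACCEPT lets "telnet smtp-relay.gmail.com 25"
# succeed whenever the name resolves to an IPv6 address.

# policy_of CHAIN  (rules in "iptables -S" format on stdin)
# Prints the default policy of CHAIN, or UNKNOWN when no "-P CHAIN" line exists.
policy_of() {
    awk -v chain="$1" '
        $1 == "-P" && $2 == chain { print $3; found = 1 }
        END { if (!found) print "UNKNOWN" }'
}

# audit_egress LABEL  (rules on stdin)
# Returns 0 when OUTPUT defaults to DROP, 1 otherwise, and prints a verdict.
audit_egress() {
    pol=$(policy_of OUTPUT)
    if [ "$pol" = "DROP" ]; then
        echo "$1: OUTPUT policy DROP - egress is default-deny"
        return 0
    fi
    echo "$1: OUTPUT policy $pol - outbound port 25 (and everything else) is open"
    return 1
}

# mirror_egress_rules
# Prints ip6tables commands equivalent to the question's IPv4 OUTPUT chain
# (DNS, HTTP/HTTPS, plus reply traffic). ICMPv6 must stay open: IPv6 neighbour
# discovery runs over ICMPv6, so dropping it breaks all IPv6 connectivity.
# The commands are printed for review, not executed.
mirror_egress_rules() {
    cat <<'EOF'
ip6tables -P OUTPUT DROP
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
EOF
}

# Constructed sample listings (stand-ins for "iptables -S" / "ip6tables -S"):
# the IPv4 side matches the question's chain, the IPv6 side is the Debian
# default of ACCEPT everywhere.
V4_RULES=$(cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
)
V6_RULES=$(cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
)

# Demo run on the constructed samples; "|| :" keeps the expected IPv6 failure
# from aborting the script.
printf '%s\n' "$V4_RULES" | audit_egress IPv4 || :
printf '%s\n' "$V6_RULES" | audit_egress IPv6 || :
echo "Suggested IPv6 egress rules (review before applying):"
mirror_egress_rules
```

On the live host, run `iptables -S | audit_egress IPv4` and `ip6tables -S | audit_egress IPv6` as root; if the second line reports ACCEPT, that is the path the telnet session took. Docker's chains do not change the verdict, because Docker only adds rules to FORWARD and nat, not to the OUTPUT policy.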