Iptables – How to Block Ports with Telnet and Iptables

Tags: docker, firewall, iptables, smtp, telnet

I have a Debian server from which I want to block all incoming and outgoing ports (especially all outgoing email ports), except those that I specifically add in iptables. The current setup I have is working and seems restrictive enough, but when I start up a telnet session to test for example port 25 for smtp it just seems to connect without problems, even though I did not specifically open port 25 as OUTPUT port. I noticed that when I flush the iptables with iptables -F, the connection is blocked but then DNS resolution and http traffic also don't work. It might be important to mention that I also run Docker on this server, which means that Docker maintains its own iptables chains which I won't specifically list in this question. None of the Docker rules have port 25 in them, but maybe Docker sets the overall rules too loose?

I haven't found an easy way to actually try to send email to smtp port 25, but I guessed that successfully establishing a telnet session would also allow the same connection to be used for sending mail.

Might anyone be able to point me in the right direction?

The telnet output:

$ telnet smtp-relay.gmail.com 25
Trying 2a00:1450:4013:c03::1c...
Connected to smtp-relay.gmail.com.
Escape character is '^]'.
220 smtp-relay.gmail.com ESMTP k6sm844273wms.37 - gsmtp

INPUT and OUTPUT chains of my current iptables:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set blacklist src
ACCEPT     icmp --  192.168.4.0/24       anywhere             icmp echo-request
ACCEPT     tcp  --  192.168.4.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             multiport sports http,https state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             192.168.4.0/24       icmp echo-reply state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.4.0/24       tcp spt:ssh state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https

Best Answer

$ telnet smtp-relay.gmail.com 25
Trying 2a00:1450:4013:c03::1c...

Your system has IPv6 enabled and is connecting to the remote server using it.

You only show excerpts from your IPv4 firewall, so I'll guess you did not configure your IPv6 firewall appropriately.
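As an added illustration (not part of the question or the answer), the script below generates an ip6tables ruleset that mirrors the IPv4 policy listed in the question, so an IPv6 connection to port 25 is dropped the same way an IPv4 one is, and includes a small check for the IPv6 OUTPUT policy. The `LAN_V6` prefix is a placeholder for the admin LAN (the question only gives 192.168.4.0/24), the function names are my own, and it assumes Docker's IPv6 networking is not enabled.

```shell
#!/bin/sh
# Added example: build an IPv6 filter table equivalent to the IPv4 rules
# in the question. Assumption: LAN_V6 is a placeholder prefix, replace it
# with the real IPv6 prefix of the network that may reach ssh.
LAN_V6="${LAN_V6:-fd00:4::/64}"   # placeholder, not from the question

# Print the ruleset in ip6tables-restore format (no root needed to print).
ip6_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 neighbour discovery: without these IPv6 stops working entirely
-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
# Same services as the IPv4 chains: ssh from the LAN, DNS and http(s) out
-A INPUT -s ${LAN_V6} -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Log outbound SMTP attempts; the DROP policy then discards them
-A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "ip6-smtp-blocked: "
COMMIT
EOF
}

# Apply atomically; ip6tables-restore replaces the whole table (needs root).
apply_ip6_ruleset() { ip6_ruleset | ip6tables-restore; }

# Given the output of `ip6tables -S`, return 0 only if the IPv6 OUTPUT
# chain defaults to DROP, i.e. the gap the answer describes is closed.
ip6_output_is_drop() { printf '%s\n' "$1" | grep -q '^-P OUTPUT DROP$'; }
```

After applying, repeat the test from the question with `telnet -6 smtp-relay.gmail.com 25` and `telnet -4 ...` to exercise each stack separately.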