Iptables – Without iptables, telnet smtp.gmail.com 465 fine. With, no go. However, ports outbound open…

iptables

Question here regarding iptables.

I have ports 465 and 587 open in the OUTPUT chain for my iptables. However, trying to do a telnet smtp.gmail.com 465 or telnet smtp.gmail.com 587 from my Fedora Core 10 server, no luck, times out.

Yet, when I try the same telnet sequence without iptables running, I'm connected instantly.

Anyway, thanks if anyone is able to help. The 1.2.3.4 is my static home ip to get to the server (changed of course).

Chain INPUT (policy ACCEPT 1375 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  210 17483 ACCEPT     all  --  any    any     1.2.3.4  anywhere            state NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             serverA.myserver.com   tcp dpt:smtps 
    0     0 ACCEPT     tcp  --  any    any     1.2.3.4  serverA.myserver.com   tcp dpt:mysql 
    0     0 ACCEPT     tcp  --  any    any     1.2.3.4  serverA.myserver.com   tcp dpt:ndmp 
    0     0 ACCEPT     tcp  --  any    any     localhost.localdomain  anywhere            tcp dpt:mysql 
    0     0 ACCEPT     udp  --  any    any     localhost.localdomain  anywhere            udp dpt:mysql 
   29  3442 ACCEPT     all  --  any    any     hostingco.ipsubnet/24       serverA.myserver.com   
   36  2052 ACCEPT     tcp  --  any    any     anywhere             serverA.myserver.com   tcp dpt:http 
    0     0 ACCEPT     tcp  --  any    any     anywhere             serverA.myserver.com   tcp dpt:https 
    0     0 ACCEPT     icmp --  any    any     anywhere             serverA.myserver.com   
  152  7920 REJECT     all  --  any    any     anywhere             serverA.myserver.com   reject-with icmp-port-unreachable 
    0     0 ACCEPT     tcp  --  any    any     1.2.3.4  anywhere            tcp dpt:mysql state NEW,ESTABLISHED 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 392 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   29  2490 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain 
    2   120 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtps 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:submission 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp-data 
  320 33300 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:telnet 
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere            tcp spt:smtps dpt:smtps 

Best Answer

Can it be that you accept outgoing packets:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT

but your INPUT policy is DROP and you don't accept packets that are responses to your queries? Make sure your INPUT chain contains [for performance benefits, as the first instruction]:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

?
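As an added illustration of the answer's point (this is not part of the original thread), the snippet below models iptables' first-match evaluation of the INPUT chain from the question, reduced to the rules that matter. In the posted chain the catch-all REJECT (not a DROP policy) sits before any general ESTABLISHED,RELATED accept, so Gmail's reply packets never reach an ACCEPT. The packet values and the hostname some.host.example are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

HOME_IP = "1.2.3.4"            # the poster's static home IP, as given in the question
SERVER = "serverA.myserver.com"
ANY = "anywhere"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    state: str   # NEW, ESTABLISHED or RELATED, as conntrack would classify it


@dataclass
class Rule:
    target: str
    src: str = ANY
    dst: str = ANY
    proto: str = "all"
    dport: Optional[int] = None
    states: frozenset = frozenset()   # empty means the rule ignores conntrack state

    def matches(self, p: Packet) -> bool:
        return (self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and self.proto in ("all", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.states or p.state in self.states))


def evaluate(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    """Verdict of the first matching rule; the chain policy if nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# INPUT chain as posted: only the home IP gets a stateful accept before the catch-all REJECT.
INPUT_AS_POSTED = [
    Rule("ACCEPT", src=HOME_IP, states=frozenset({"NEW", "RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", dst=SERVER, proto="tcp", dport=465),   # smtps (inbound to us)
    Rule("ACCEPT", dst=SERVER, proto="tcp", dport=80),
    Rule("ACCEPT", dst=SERVER, proto="tcp", dport=443),
    Rule("REJECT", dst=SERVER),                           # catch-all, matches Gmail's replies
]

# Same chain with the answer's rule inserted first (iptables -I INPUT 1 -m state ...).
INPUT_FIXED = [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))] + INPUT_AS_POSTED

# Constructed packets: Gmail's SYN/ACK to our ephemeral port, and an unsolicited SSH attempt.
GMAIL_REPLY = Packet("smtp.gmail.com", SERVER, "tcp", 40000, "ESTABLISHED")
UNSOLICITED = Packet("some.host.example", SERVER, "tcp", 22, "NEW")
```

Run `evaluate(INPUT_AS_POSTED, GMAIL_REPLY)` to see the reject that makes telnet time out, and `evaluate(INPUT_FIXED, GMAIL_REPLY)` for the accept; the unsolicited NEW packet is still rejected in both orderings.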