LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-15-2006, 11:53 AM   #1
ganz_friedrich
Member
 
Registered: Dec 2005
Posts: 47

Rep: Reputation: 16
Firewall (iptables) blocking sendmail somehow


Hello,

I have iptables set to accept input and output on port 25 (conf below for reference), yet for some reason when I have the firewall enabled, emails won't send.

Are there some other ports sendmail needs to send emails?

Thanks

IP tables set-up script
-----

Code:
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]


-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j DROP


-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j DROP



-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT



-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
 
Old 02-15-2006, 12:49 PM   #2
Dudydoo
Member
 
Registered: Sep 2003
Location: UK
Distribution: I use 'em all ;-)
Posts: 275

Rep: Reputation: 38
it's probably failing on DNS lookups.

-A INPUT -p udp --sport <nameserver> -j ACCEPT
-A OUTPUT -p udp --dport <nameserver> -j ACCEPT
 
Old 02-15-2006, 02:49 PM   #3
ganz_friedrich
Member
 
Registered: Dec 2005
Posts: 47

Original Poster
Rep: Reputation: 16
?????

smtp is udp???
 
Old 02-15-2006, 04:23 PM   #4
Dudydoo
Member
 
Registered: Sep 2003
Location: UK
Distribution: I use 'em all ;-)
Posts: 275

Rep: Reputation: 38
no, smtp is tcp.

DNS queries are udp.

Sorry, I typed the rules wrong. It should be:

-A INPUT -p udp --sport 53 -s <nameserver> -j ACCEPT
-A OUTPUT -p udp --dport 53 -d <nameserver> -j ACCEPT
 
Old 02-16-2006, 10:26 AM   #5
ganz_friedrich
Member
 
Registered: Dec 2005
Posts: 47

Original Poster
Rep: Reputation: 16
I am an idiot. You are a genius.
I am an idiot. You are a genius.
I am an idiot. You are a genius.
I am an idiot. You are a genius.
I am an idiot. You are a genius.

Sorry about that last post. I thought you were high - I completely did not know what you meant. I didn't even think that MTAs need to resolve domains.

Thank you very much for helping me out. This one was beginning to really frustrate me.

It seems to be working aok now.
 
Old 02-16-2006, 10:30 AM   #6
scorbett
Member
 
Registered: May 2002
Location: Canada
Distribution: Slackware, Mandriva, RedHat
Posts: 46

Rep: Reputation: 15
Quote:
Originally Posted by Dudydoo
Sorry, I typed the rules wrong. It should be:

-A INPUT -p udp --sport 53 -s <nameserver> -j ACCEPT
-A OUTPUT -p udp --dport 53 -d <nameserver> -j ACCEPT
I see why you'd need to allow outbound dns requests, but what's with the INPUT rule? Why allow incoming connections from the nameserver?
 
Old 02-16-2006, 10:35 AM   #7
doublejoon
Member
 
Registered: Oct 2003
Location: King George, VA
Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint
Posts: 370

Rep: Reputation: 44
Quote:
Originally Posted by scorbett
I see why you'd need to allow outbound dns requests, but what's with the INPUT rule? Why allow incoming connections from the nameserver?
I would allow tcp as well for dns zone transfers to work


-A INPUT -p tcp --sport 53 -s <nameserver> -j ACCEPT
-A OUTPUT -p tcp --dport 53 -d <nameserver> -j ACCEPT
 
Old 02-16-2006, 12:45 PM   #8
Dudydoo
Member
 
Registered: Sep 2003
Location: UK
Distribution: I use 'em all ;-)
Posts: 275

Rep: Reputation: 38
Quote:
Originally Posted by scorbett
I see why you'd need to allow outbound dns requests, but what's with the INPUT rule? Why allow incoming connections from the nameserver?
To receive replies to the queries.
 
Old 02-16-2006, 12:58 PM   #9
scorbett
Member
 
Registered: May 2002
Location: Canada
Distribution: Slackware, Mandriva, RedHat
Posts: 46

Rep: Reputation: 15
Quote:
Originally Posted by Dudydoo
To receive replies to the queries.
Oh... duh. Not enough caffeine this morning, I think!
 
Old 02-16-2006, 01:54 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
it's probably failing on DNS lookups
If that's the case it should show from the maillog.


I would allow tcp as well for dns zone transfers to work
I thought most won't allow that anymore from unauth'ed sources?..


To receive replies to the queries.
So your INPUT.*RELATED,ESTABLISHED rule is for what?


emails won't send
..also some remotes like to ident you.
Dropping TCP/113 won't fix it, -j REJECT will.
 
Old 02-16-2006, 02:34 PM   #11
Dudydoo
Member
 
Registered: Sep 2003
Location: UK
Distribution: I use 'em all ;-)
Posts: 275

Rep: Reputation: 38
Quote:
Originally Posted by unSpawn
To receive replies to the queries.
So your INPUT.*RELATED,ESTABLISHED rule is for what?

Point taken. But if your output policy is DROP, you need:

iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
 
Old 02-16-2006, 02:55 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
But if your output policy is DROP
Now *that* I missed reading, good one!
 
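The three firewall points made in posts #4, #10 and #11 (outbound DNS has to be allowed when the OUTPUT policy is DROP, the INPUT --sport 53 rule is redundant once INPUT already accepts RELATED,ESTABLISHED, and TCP/113 should be rejected rather than dropped) can be checked mechanically against an iptables-save dump. The script below is an added example and is not code posted by anyone in the thread; the rulesets are constructed, cut-down copies of the first post's filter table, and the nameserver address 192.0.2.53 is a placeholder. It also notes in passing what -m does, since that question comes up later in the thread: -m loads a match extension module (state, tcp, udp, icmp, ...) whose options then become available to the rule.

```shell
#!/bin/sh
# Added example: lint an iptables-save style ruleset for the problems discussed in the thread.
# "-m state" below loads the conntrack "state" match module; -m tcp / -m udp likewise load
# the modules that provide --dport, --sport and --tcp-flags. Nameserver 192.0.2.53 is made up.

# Constructed sample 1: the first post's filter table, trimmed to the rules that matter.
ORIGINAL_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

# Constructed sample 2: the same table plus the INPUT/OUTPUT pair suggested in post #4.
PATCHED_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp --sport 53 -s 192.0.2.53 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp --dport 53 -d 192.0.2.53 -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

# Constructed sample 3: replies come back via conntrack, DNS is allowed out over UDP and TCP,
# and ident probes get an immediate reset instead of a silent drop.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -d 192.0.2.53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -d 192.0.2.53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

# lint_rules: read a ruleset on stdin and print one finding per line.
lint_rules() {
    rules=$(cat)
    has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }

    # 1. Outbound DNS: OUTPUT policy is DROP and nothing lets a new UDP/53 query out,
    #    so the MTA cannot look up MX records and mail sits in the queue.
    if has '^:OUTPUT DROP' && ! has '^-A OUTPUT .*-p udp .*(--dport 53|--state NEW)'; then
        echo "outbound DNS blocked: OUTPUT policy DROP and no rule accepts UDP/53"
    fi
    # 2. Redundant reply rule: conntrack tracks UDP too, so the RELATED,ESTABLISHED rule
    #    already admits the nameserver's answers to our own queries.
    if has '^-A INPUT .*--state RELATED,ESTABLISHED' && has '^-A INPUT .*-p udp .*--sport 53'; then
        echo "redundant: INPUT --sport 53 rule is covered by the RELATED,ESTABLISHED rule"
    fi
    # 3. Ident: with INPUT policy DROP, remote MTAs that probe TCP/113 wait for a timeout
    #    before accepting the mail; a REJECT answers them at once.
    if has '^:INPUT DROP' && ! has '^-A INPUT .*--dport 113 .*-j REJECT'; then
        echo "ident: no REJECT for TCP/113; remote MTAs that probe ident will stall until timeout"
    fi
}

# lint_count: number of findings for a ruleset given as an argument.
lint_count() { printf '%s\n' "$1" | lint_rules | wc -l | tr -d ' '; }

for sample in "$ORIGINAL_RULES" "$PATCHED_RULES" "$FIXED_RULES"; do
    printf '%s\n' "$sample" | lint_rules | sed 's/^/  /'
    echo "-- $(lint_count "$sample") finding(s)"
done
```

Run as-is it reports two findings for the original table (DNS blocked, ident dropped), two for the post #4 variant (redundant INPUT rule, ident dropped) and none for the third ruleset. The check for `--state NEW` on UDP covers the broader rule from post #11, which opens all outbound UDP rather than just port 53 to one resolver.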
Old 02-16-2006, 03:36 PM   #13
ganz_friedrich
Member
 
Registered: Dec 2005
Posts: 47

Original Poster
Rep: Reputation: 16
Also, someone pointed out to me that I needed to allow the required FORWARD packets when sending with apache/php (I think since it's going from nobody@localhost -> localhost.localdomain -> (fqdn on net) ).

I notice there are four entries in the log for each email that is sent this method (apache/php). The first two seem to be almost the same and so do the last two. Is there some redundancy in the set-up - can this be done more directly?

Code:
Feb 16 10:18:48 host sendmail[15516]: k1GFImIq015516: from=nobody, size=2238, class=0, nrcpts=1, msgid=<200602161518.k1GFImIq015516@serverdomainname.com>, relay=nobody@localhost
Feb 16 10:18:48 host sendmail[15517]: k1GFImCj015517: from=<nobody@serverdomainname.com>, size=2465, class=0, nrcpts=1, msgid=<200602161518.k1GFImIq015516@serverdomainname.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Feb 16 10:18:48 host sendmail[15516]: k1GFImIq015516: to=test@test.com, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32238, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (k1GFImCj015517 Message accepted for delivery)
Feb 16 10:18:54 host sendmail[15519]: k1GFImCj015517: to=<test@test.com>, ctladdr=<nobody@serverdomainname.com> (99/99), delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=122465, relay=TestsRelayServer.com. [A.B.C.D], dsn=2.0.0, stat=Sent (OK id=1F9ksr-0003Np-R8)
(Despite my earlier stupidity I was astute to the point about the INPUT rule, also wondering why that was necessary - but I thought maybe it was so because it is udp and that it does not establish connections - it just sends packets blindly.)



P.s. I've looked in a couple of places including the manual and I can't seem to find what the -m flag means/does? (but the manual is big and I don't know how to search in less

Last edited by ganz_friedrich; 02-16-2006 at 03:40 PM.
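The four log lines in the post above are two queue entries, not four deliveries: sendmail logs one from= line and one to= line per queue ID, and a message gets a fresh queue ID every time it is handed to another sendmail instance. Here the command-line sendmail that PHP invoked (pid 15516, relay=nobody@localhost, mailer=relay) hands the message over ESMTP to the local daemon on 127.0.0.1, which assigns k1GFImCj015517 and does the actual delivery to the remote relay; the "stat=Sent (k1GFImCj015517 Message accepted for delivery)" text on the first entry's to= line is the link between them. The awk script below follows that link to print the whole chain. It is an added example, not code from the thread; it takes the four lines from the post as its sample input.

```shell
#!/bin/sh
# Added example: rebuild a sendmail delivery chain from maillog lines by following
# "stat=Sent (<QID> Message accepted for delivery)" from one queue ID to the next.

# Sample input: the four lines quoted in the post above.
MAILLOG='Feb 16 10:18:48 host sendmail[15516]: k1GFImIq015516: from=nobody, size=2238, class=0, nrcpts=1, msgid=<200602161518.k1GFImIq015516@serverdomainname.com>, relay=nobody@localhost
Feb 16 10:18:48 host sendmail[15517]: k1GFImCj015517: from=<nobody@serverdomainname.com>, size=2465, class=0, nrcpts=1, msgid=<200602161518.k1GFImIq015516@serverdomainname.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Feb 16 10:18:48 host sendmail[15516]: k1GFImIq015516: to=test@test.com, ctladdr=nobody (99/99), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32238, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (k1GFImCj015517 Message accepted for delivery)
Feb 16 10:18:54 host sendmail[15519]: k1GFImCj015517: to=<test@test.com>, ctladdr=<nobody@serverdomainname.com> (99/99), delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=122465, relay=TestsRelayServer.com. [A.B.C.D], dsn=2.0.0, stat=Sent (OK id=1F9ksr-0003Np-R8)'

# mail_chain: read maillog lines on stdin, print one line per delivery chain:
#   <hops> <qid> (from=<sender> <mailer> -> <relay>) => <next qid> (...) ...
mail_chain() {
    awk '
    # Pull the value of "key=" out of a log line; the value ends at the next comma.
    function field(line, key,   v) {
        if (!match(line, key "=[^,]*")) return ""
        v = substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return v
    }
    # from= line: a queue entry was created; remember its sender and its position.
    / sendmail\[[0-9]+\]: [A-Za-z0-9]+: from=/ {
        qid = $6; sub(/:$/, "", qid)
        from[qid] = field($0, "from")
        order[++n] = qid
    }
    # to= line: the delivery attempt for that queue entry.
    / sendmail\[[0-9]+\]: [A-Za-z0-9]+: to=/ {
        qid = $6; sub(/:$/, "", qid)
        mailer[qid] = field($0, "mailer")
        relay[qid] = field($0, "relay")
        # A local hand-off: the receiving sendmail reports the queue ID it assigned.
        if (match($0, /stat=Sent \([A-Za-z0-9]+ Message accepted for delivery\)/)) {
            s = substr($0, RSTART + 11, RLENGTH - 11); sub(/ .*/, "", s)
            nxt[qid] = s; haspred[s] = 1
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            q = order[i]
            if (q in haspred) continue      # reached via another entry; not a chain start
            hops = 1
            out = q " (from=" from[q] " " mailer[q] " -> " relay[q] ")"
            while (q in nxt) {
                q = nxt[q]; hops++
                out = out " => " q " (from=" from[q] " " mailer[q] " -> " relay[q] ")"
            }
            print hops, out
        }
    }'
}

printf '%s\n' "$MAILLOG" | mail_chain
```

For the sample it prints a single chain of two hops: k1GFImIq015516 (mailer relay, to [127.0.0.1]) followed by k1GFImCj015517 (mailer esmtp, to TestsRelayServer.com.), which is the one local hand-off plus the real delivery.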