Aug 10, 2011
tom

Problem with sendmail combined with iptables

Question

I have the following setup for my iptables; I want my server as secure as can be. However, I have just one problem: Sendmail does not work when I have iptables enabled, even though I opened port 25. I suspect this is because it cannot resolve the mail address, but I am not sure. My server runs on CentOS 5.5.

This is my iptables setup:

#!/bin/sh
# My system IP/set ip address of server
SERVER_IP="xxx.xxx.xxx.xxx"
# Flushing all rules
/sbin/iptables -F
/sbin/iptables -X
# Setting default filter policy
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Allow ssh
/sbin/iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming http
/sbin/iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 80 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming smtp (connections to this box on port 25, and its replies)
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing smtp (connections from this box to remote port 25, and their replies)
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# DNS over TCP only: incoming queries to this box on port 53, and replies
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# DNS over TCP only: outgoing lookups from this box to remote port 53, and replies
/sbin/iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0/0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# make sure nothing comes in or goes out of this box otherwise
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j DROP

What am I missing, or what do I have too much of?

I hope you are able to help me.

Kind regards.

Answer

DNS uses TCP and UDP. Your iptables rules do not have ACCEPT rules for UDP.

That said, why the overly-explicit rules? You can drop all those -s / -d 0/0. And is it really necessary to limit the remote-side ports to 513-65535 (or 1024-65535)?
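The fix the answer describes, as an added example that is not the asker's script or part of the original answer: DNS client rules for both UDP and TCP, written without the -s 0/0 / -d 0/0 and remote source-port ranges the answer calls unnecessary. The IPTABLES variable, the placeholder address 192.0.2.10 and the function names are assumptions made for this example so it can be dry-run with IPTABLES=echo.

```shell
#!/bin/sh
# Added example, not the asker's script: the DNS client rules the answer asks for.
# IPTABLES and SERVER_IP defaults are assumptions so the script can be dry-run
# with IPTABLES=echo; 192.0.2.10 is a constructed placeholder address.
IPTABLES="${IPTABLES:-/sbin/iptables}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"

# Outbound lookups from this box: UDP is what the resolver tries first, TCP is
# the fallback for truncated answers. Without the UDP pair, sendmail's MX
# lookups fail and mail sits in the queue even though port 25 is open.
# The INPUT rules only admit replies to lookups conntrack has already seen.
allow_dns_client() {
    for proto in udp tcp; do
        "$IPTABLES" -A OUTPUT -p "$proto" -s "$SERVER_IP" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        "$IPTABLES" -A INPUT -p "$proto" -d "$SERVER_IP" --sport 53 \
            -m state --state ESTABLISHED -j ACCEPT
    done
}

# Inbound SMTP plus the matching replies, without the -s 0/0 / -d 0/0 and
# remote source-port ranges the answer calls unnecessary.
allow_smtp_server() {
    "$IPTABLES" -A INPUT -p tcp -d "$SERVER_IP" --dport 25 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -s "$SERVER_IP" --sport 25 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Dry-run check: how many rules in the generated set touch UDP port 53?
# Runs the generator in a subshell with IPTABLES=echo, so nothing is loaded.
count_udp53_rules() {
    ( IPTABLES=echo; allow_dns_client ) | grep -c -- '-p udp .* 53 '
}

# "sh this.sh apply" loads the rules (as root); "IPTABLES=echo sh this.sh apply"
# only prints them. With no argument just the functions are defined.
case "${1:-}" in
    apply) allow_dns_client; allow_smtp_server ;;
esac
```

After loading the UDP rules, a lookup such as "host -t MX example.com" from the box is the quickest way to confirm the resolver path is open before retrying the mail queue.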