Score:0

Iptables + telnet not blocking ports


I have a Debian server on which I want to block all incoming and outgoing ports (especially all outgoing email ports), except those that I specifically add in iptables. The current setup I have is working and seems restrictive enough, but when I start up a telnet session to test, for example, port 25 for SMTP, it just seems to connect without problems, even though I did not specifically open port 25 as an OUTPUT port. I noticed that when I flush the iptables with iptables -F, the connection is blocked, but then DNS resolution and HTTP traffic also don't work. It might be important to mention that I also run Docker on this server, which means that Docker maintains its own iptables chains, which I won't specifically list in this question. None of the Docker rules have port 25 in them, but maybe Docker sets the overall rules too loosely?

I haven't found an easy way to actually try to send email to SMTP port 25, but I guessed that successfully establishing a telnet session would also allow the same connection to be used for sending mail.

Might anyone be able to point me in the right direction?

The telnet output:

$ telnet smtp-relay.gmail.com 25
Trying 2a00:1450:4013:c03::1c...
Connected to smtp-relay.gmail.com.
Escape character is '^]'.
220 smtp-relay.gmail.com ESMTP k6sm844273wms.37 - gsmtp

INPUT and OUTPUT chains of my current iptables:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set blacklist src
ACCEPT     icmp --  192.168.4.0/24       anywhere             icmp echo-request
ACCEPT     tcp  --  192.168.4.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             multiport sports http,https state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             192.168.4.0/24       icmp echo-reply state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.4.0/24       tcp spt:ssh state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https
Sem van den Broek
I might mention that a telnet command to a web server with something other than the default port 80 or 443 (8000, for example) is also blocked. I am kind of lost here.
Score:2
$ telnet smtp-relay.gmail.com 25
Trying 2a00:1450:4013:c03::1c...

Your system has IPv6 enabled and is connecting to the remote server using it.

You only show excerpts from your IPv4 firewall, so I'll guess you did not configure your IPv6 firewall appropriately.

Sem van den Broek
As ipv6 has been rolled out only recently at my address, this completely skipped my attention. Thanks I will set this up!
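The answer above points at the cause: iptables only filters IPv4, and the IPv6 stack (ip6tables) was left at its default ACCEPT policy, so telnet reached the SMTP relay over the AAAA address. The following script is an added example, not part of the question or the answer. It prints an ip6tables ruleset that mirrors the IPv4 policy shown in the question (printed for review rather than applied; pipe it to sh as root to apply it), and it contains a small audit function that reads a rule dump in "iptables -S OUTPUT" syntax and reports whether a new outbound TCP connection to a given port would get through. The LAN prefix, the use of the conntrack match and the constructed rule dumps are assumptions; the audit understands only -P, -p, --dport/--dports, state matches and loopback, which covers the rulesets on this page but not every match module.

```bash
#!/bin/sh
# Added example: mirror the IPv4 OUTPUT/INPUT policy onto IPv6 and audit a
# rule dump for an accidentally open outbound port. Not from the original post.

LAN6='2001:db8:4::/64'   # assumed IPv6 counterpart of 192.168.4.0/24 (documentation prefix)

# Print ip6tables commands equivalent to the IPv4 chains in the question.
ip6_baseline_rules() {
    cat <<EOF
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -A INPUT  -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# ICMPv6 is not optional: neighbour discovery and router advertisements ride on it,
# so dropping it breaks even link-local connectivity.
ip6tables -A INPUT  -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT  -s $LAN6 -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Usage: outbound_port_blocked PORT < rule-dump
# Exit 0 if a NEW outbound TCP connection to PORT would be dropped by the OUTPUT
# chain, 1 if some rule (or the chain policy) lets it through. Accepts either
# "iptables -S" output or the "ip6tables -A ..." command form printed above.
outbound_port_blocked() {
    awk -v port="$1" '
        { sub(/^ip6?tables +/, "") }                   # command form -> -S form
        $1 == "-P" && $2 == "OUTPUT" { policy = $3 }
        $1 == "-A" && $2 == "OUTPUT" && /-j ACCEPT/ {
            skip = 0; hit = 0; limited = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-p" && $(i+1) != "tcp") skip = 1          # cannot match TCP
                if ($i == "--dport")  { limited = 1; if ($(i+1) == port) hit = 1 }
                if ($i == "--dports") {
                    limited = 1
                    n = split($(i+1), p, ",")
                    for (k = 1; k <= n; k++) if (p[k] == port) hit = 1
                }
                if ($i == "--state" || $i == "--ctstate") limited = 1   # reply-only rule
                if ($i == "-o" && $(i+1) == "lo") limited = 1            # loopback only
            }
            if (!skip && (hit || !limited)) open = 1   # explicit port or catch-all ACCEPT
        }
        END { exit ((policy == "DROP" && !open) ? 0 : 1) }
    '
}

# Constructed rule dumps in "iptables -S OUTPUT" syntax (not captured from the asker).
V4_OUTPUT='-P OUTPUT DROP
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -d 192.168.4.0/24 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'

# What an untouched IPv6 stack reports: no rules and the kernel default ACCEPT policy.
V6_OUTPUT_UNTOUCHED='-P OUTPUT ACCEPT'

# Verdicts for the constructed dumps. On the real host run, as root:
#   ip6tables -S OUTPUT | outbound_port_blocked 25 && echo blocked || echo OPEN
for name in V4_OUTPUT V6_OUTPUT_UNTOUCHED; do
    eval "dump=\$$name"
    if printf '%s\n' "$dump" | outbound_port_blocked 25; then verdict=blocked; else verdict=OPEN; fi
    echo "$name: outbound tcp/25 is $verdict"
done
```

When re-testing, force each address family separately (telnet -4 and telnet -6 on Debian's telnet clients, or nc -4 / nc -6) so a passing IPv4 result does not mask an open IPv6 path, and check both "iptables -S" and "ip6tables -S" whenever a rule change is made, since Docker and other tools only manage the IPv4 tables unless told otherwise.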