iptables --sport vs --dport. INPUT vs OUTPUT

Tags: linux, iptables

I am having some trouble understanding iptables. I know it acts as a filter but something isn't clicking because it isn't working the way I think it should. Let me start by saying that I'm creating a white list, so all policies (INPUT, FORWARD, OUTPUT) default to DROP.

I have the following rules related to SMTP:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT   # needed for receiving?
-A OUTPUT -p tcp --sport 25 -j ACCEPT   # needed for sending?

* These 3 lines also exist verbatim for ports 587 & 465.

If I remove the first OUTPUT line then my server won't receive emails & if I remove the last line it won't send emails. What I don't understand is why. Shouldn't:

-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --sport 25 -j ACCEPT

be enough to let everything through? AFAIK all SMTP communication should go over 25, 587 or 465. My current understanding says an SMTP packet should always match one of these two rules. All input packets should come to port 25, and all output packets should be sent from 25? What am I missing?

J.M. asked Mar 09 '15 14:03


2 Answers

For SMTP you don't need any --sport rule. The source and destination don't depend on direction - they match on the packet's source and destination ports. Every connection will have a random source port, so there's nothing to match on.

If I remove the first OUTPUT line then my server won't receive emails & if I remove the last line it won't send emails.

This is wrong. Only the INPUT line matters for receiving emails. Also, only the OUTPUT --dport 25 line matters for sending emails. So these rules should be enough:

-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT

The problem may be that you set OUTPUT to default to DROP, but allowed established connections on INPUT only. Usually people leave OUTPUT defaulting to ACCEPT. If you want to continue using a whitelist for OUTPUT, you'll have to add:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Also, please read up on SMTP ports. Some of those you listed are only needed for email submissions and deprecated encryption, not for server-to-server communication. This may change how you plan your rules.

viraptor answered Oct 04 '22 00:10
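The reply-traffic problem this answer describes, as an added example (not code from the thread): a small constructed Python model of filter-chain evaluation under a DROP policy, run first over the asker's rules minus the --sport 25 line and then with the ESTABLISHED,RELATED rule added on OUTPUT. The source ports 40000 and 50000 are constructed stand-ins for ephemeral ports.

```python
# Added example: a constructed model of how iptables filter chains evaluate
# a packet (first matching rule wins, else the chain policy). Not real iptables.
from dataclasses import dataclass

@dataclass
class Packet:
    chain: str   # "INPUT" or "OUTPUT"
    sport: int
    dport: int
    state: str   # conntrack state: "NEW" or "ESTABLISHED"

# One -A <chain> rule; None means "any" for that match.
def rule(chain, sport=None, dport=None, state=None, target="ACCEPT"):
    return {"chain": chain, "sport": sport, "dport": dport, "state": state, "target": target}

def matches(r, p):
    return (r["chain"] == p.chain
            and (r["sport"] is None or r["sport"] == p.sport)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (r["state"] is None or p.state in r["state"]))

# Walk the chain in order; fall through to the default policy (DROP here).
def verdict(rules, p, policy="DROP"):
    for r in rules:
        if matches(r, p):
            return r["target"]
    return policy

# One inbound delivery and one outbound delivery as conntrack sees them.
# 40000 and 50000 are constructed stand-ins for random ephemeral ports.
TRAFFIC = {
    "inbound SYN":    Packet("INPUT", 40000, 25, "NEW"),
    "inbound reply":  Packet("OUTPUT", 25, 40000, "ESTABLISHED"),
    "outbound SYN":   Packet("OUTPUT", 50000, 25, "NEW"),
    "outbound reply": Packet("INPUT", 25, 50000, "ESTABLISHED"),
}

# Asker's rules without the --sport 25 line: state tracking on INPUT only.
ASKER_RULES = [
    rule("INPUT", state=("ESTABLISHED", "RELATED")),
    rule("INPUT", dport=25),
    rule("OUTPUT", dport=25),
]
# Answer's rules: the same plus ESTABLISHED,RELATED on OUTPUT, no --sport needed.
ANSWER_RULES = ASKER_RULES + [rule("OUTPUT", state=("ESTABLISHED", "RELATED"))]

def evaluate(rules):
    return {name: verdict(rules, pkt) for name, pkt in TRAFFIC.items()}

if __name__ == "__main__":
    for label, rules in (("asker", ASKER_RULES), ("answer", ANSWER_RULES)):
        print(label, evaluate(rules))   # asker: inbound reply -> DROP; answer: all ACCEPT
```

With the asker's set, only the server's replies to an inbound connection are dropped, which is exactly the traffic the --sport 25 line was papering over; the state rule on OUTPUT covers it generically.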


The previous answer states: Also, only the OUTPUT --dport 25 line matters for sending emails.

This is not always true. For instance, some systems are configured as a smarthost where the MTA becomes a client. In such a case, the MTA will connect to a remote server on the submission port (587) USING SASL authentication to send mails.

To summarize, a client is sending mail through a remote server and the remote server itself connects to another remote server on port 587 with SASL authentication.

In such a case, the following iptables rules apply (for the smarthost):

# smarthost connecting out to the relay's submission port
iptables -I OUTPUT -p tcp --dport 587 -j ACCEPT
# replies coming back from the relay's submission port
iptables -I INPUT -p tcp --sport 587 -j ACCEPT
Laurent DECLERCQ a.k.a Nuxwin answered Oct 03 '22 22:10