
Thread: How to allow email delivery when IPTABLES policy is DROP for all ip's not declared

  1. #1
    Join Date
    Nov 2016
    Beans
    2

    How to allow email delivery when IPTABLES policy is DROP for all ip's not declared

    Hello.

    Whenever I am finishing a website and I want to test it online, I use IPTABLES rules to allow access only to certain IPs (me and the rest of the developers).

    This way we can be sure the website is not yet public, but the developer team can navigate through it and check if there is any issue to be addressed before making the website public.

    The only problem found with this method is the fact that when IPTABLES rules are set, we are not able to send emails through our website.


    These are the rules we use:


    1.- iptables -A INPUT -s IP_DEVELOPER -j ACCEPT

    2.- iptables -A OUTPUT -d IP_DEVELOPER -j ACCEPT

    3.- iptables -P INPUT DROP

    4.- iptables -P OUTPUT DROP

    With this, we are only allowing access to the developer, and any other IP will be denied.

    For emails, we use Gmail, SMTP, port 465 and SSL:

    $mail->Mailer = "smtp";
    $mail->IsSMTP();
    $mail->CharSet = 'UTF-8';
    $mail->Host = "ssl://smtp.gmail.com";
    $mail->SMTPAuth = true;
    $mail->Username = "myname@mydomain.com";
    $mail->Password = "mypassword";
    $mail->Port = 465;

    *It is important to note that emails are being sent with no problem when these IPTABLES are not present.

    Now, to allow email delivery from our website when these iptables rules are present, we have been setting some specific rules; however, none of them has worked for us so far.

    We have tried:


    5.- iptables -A INPUT -s smtp.gmail.com -p tcp -m tcp --sport 465 -j ACCEPT

    6.- iptables -A OUTPUT -d smtp.gmail.com -p tcp -m tcp --dport 465 -j ACCEPT

    After that, we tried:


    7.- iptables -A INPUT -p tcp -s 64.233.160.0/19 --sport 465 -j ACCEPT

    8.- iptables -A OUTPUT -p tcp -d 64.233.160.0/19 --dport 465 -j ACCEPT

    After that, this:


    9.- iptables -A OUTPUT -o eth0 -p tcp --sport 465 -m state --state NEW,ESTABLISHED -j ACCEPT

    10.- iptables -A OUTPUT -o eth0 -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT

    11.- iptables -A INPUT -i eth0 -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT

    And it did not work either…


    My question is:


    What IPTABLES rules should I set in this case to allow email delivery from my website?


    Thanks in advance, any insight is appreciated.


    Regards

  2. #2
    Join Date
    Jan 2007
    Beans
    768
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: How to allow email delivery when IPTABLES policy is DROP for all ip's not declared

    First of all, you don't need to block packets going out from the server to the internet at large, unless you want to restrict what services can connect. Also, you need to use RELATED, ESTABLISHED on the first rule, so:
    Code:
     iptables -A OUTPUT -p ALL -m state --state RELATED,ESTABLISHED -j ACCEPT
    will allow outbound packets for all established connections. To allow outbound connections to be initiated, add:
    Code:
     iptables -A OUTPUT -p ALL -j ACCEPT
    You can add --dport 465 if you only want to allow outbound connections on port 465.

    You'll want to do the same on the INPUT chain, so established connections can also receive packets:
    Code:
     iptables -A INPUT -p ALL -m state --state RELATED,ESTABLISHED -j ACCEPT
    After these rules, set up the rules on the INPUT chain to allow your developers access to your website:
    Code:
    iptables -A INPUT -s $IP_DEVELOPER -p tcp --dport 80 -j ACCEPT
    I added dport 80 to allow access only on port 80, but you can change or remove this if you like.
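The reply above allows all outbound traffic, which is the simplest fix. The added example below (it is not code from either poster) generates a tighter ruleset for the same staging-server scenario: the default policies stay DROP, replies to accepted connections are allowed with conntrack, outbound DNS and SMTP submission are the only new connections the server may open, and the developer list gets web and SSH access. The DNS rule is the part the original attempts were missing: with OUTPUT policy DROP and no rule for port 53, PHP cannot resolve `smtp.gmail.com`, so the SMTP rules are never even reached. Rules written with `-s smtp.gmail.com` are also fragile on their own, because iptables resolves the hostname once at load time while Google rotates the addresses behind it. The script only prints the commands so they can be reviewed before being applied; the developer addresses, the SMTP port (465) and SSH port (22) are parameters and the sample addresses in the usage are documentation ranges, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the forum thread: emit an iptables ruleset that keeps a
# staging site private to a list of developer IPs while still letting the server
# resolve DNS and submit mail over TCP 465 (Gmail SMTPS).
# Assumptions (not on the page): developers use TCP 80/443 for the site and SSH
# for administration; nothing else needs to reach the box.
#
# Usage: build_rules "<space-separated developer IPs/CIDRs>" [smtp_port] [ssh_port]
# The function prints commands; review them, then run them with sh as root.
build_rules() {
    devs="$1"
    smtp_port="${2:-465}"
    ssh_port="${3:-22}"

    cat <<'EOF'
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback: local services (database, resolver cache) talk over it.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Packets belonging to connections already accepted, in both directions.
# These must precede everything else or the developers' own sessions stall.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Name resolution. Without this, "smtp.gmail.com" never resolves and the
# SMTP rule below is never consulted.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
EOF
    # Outbound mail submission: only NEW connections to the SMTP port, to any
    # address, instead of the reply's blanket "-p ALL -j ACCEPT".
    printf 'iptables -A OUTPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$smtp_port"
    # Developer access: web and SSH, one pair of rules per address/CIDR.
    for ip in $devs; do
        printf 'iptables -A INPUT -s %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n' "$ip"
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$ip" "$ssh_port"
    done
    # Rate-limited logging of whatever still hits the DROP policy, so a missing
    # rule shows up in the kernel log instead of as a silent timeout.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "staging-drop: "'
}

# Example: two developers, one behind a /24 (documentation ranges, constructed).
# build_rules "203.0.113.10 198.51.100.0/24" > /tmp/staging.rules
```

Apply it with a rollback armed first, so a mistake cannot lock you out of SSH: `iptables-save > /tmp/before.rules`, then `(sleep 60 && iptables-restore < /tmp/before.rules) &`, then `sh /tmp/staging.rules`; once you have confirmed the site, SSH and a test email all work, kill the background job. If you want to pin outbound mail to Google's published SMTP ranges rather than "any address on 465", maintain the list from their SPF records and reload it on a schedule instead of relying on a hostname in an iptables rule.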

  3. #3
    Join Date
    Nov 2016
    Beans
    2

    Re: How to allow email delivery when IPTABLES policy is DROP for all ip's not declared

    Ohhh man, your answer really made the job.

    Thank you so much!
