Using iptables to block SMTP except for one host?
I have a single server that functions as both a mail and web server. I'd like to use iptables to permit all incoming and outgoing connections, except to incoming port 25. I only want one remote host to be able to connect to port 25 (in order to relay mail).
Essentially, I'd like a wide open server without turning it into a spam relay. Any suggestions? Thanks!
That sounds like a fairly straightforward request. Having said that, I'm still a little squeamish about telling somebody to configure their SMTP server as a wide-open relay. Even if you're limiting the incoming connections to the machine, you really should be using some kind of authentication to control relaying. Even consumer ISPs don't allow unauthenticated relaying from inside their networks anymore.
Assuming your INPUT chain is set to an "ACCEPT" policy and currently allows new incoming packets to fall off the end of the chain, just do:
iptables -A INPUT -p tcp --dport 25 ! -s x.x.x.x -j DROP
For completeness, my initial answer looked like:
iptables -A INPUT -p tcp --dport 25 -s x.x.x.x -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
The first method has the economy of using a single rule and being very easy to visually parse, since it's all self-contained. The second is easier to add additional addresses to.
Substitute the source address for "x.x.x.x". I suspect that you really want more than just one source, but you can figure that out. (You probably have machines on your LAN or other clients that you want to talk to it, but perhaps not.)
(Hopefully you've got rules at the top of your INPUT chain to allow established connections to shortcut the rest of the chain and just ACCEPT. You really don't want anything but the initial handshake hitting the rules above.)
Obviously, save those rules in whatever iptables state-persisting contrivance your distribution uses.
Edit: Thanks, womble.
Something like this is more future-proof, in case you need to allow more addresses.
iptables -A INPUT -p tcp --dport 25 -s x.x.x.x -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
It is also easier to transition from that to a default DENY policy, which is always a good thing.
Additionally, most mail servers let you define the list of addresses allowed to relay, which can add another level of protection. You didn't say which mail server you are using, but they all should have this feature.
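The allow-list-then-DROP layout from both answers, with the established-connection shortcut the first answer mentions, as an added example that is not code from either poster. It prints the rules rather than applying them, validates each address first, and assumes IPv4 iptables with the conntrack match; the addresses are constructed documentation values.

```shell
#!/bin/sh
# Added example, not code from either answer: build the "allow-list, then DROP"
# rule set for TCP/25 and print the iptables commands instead of running them,
# so the result can be reviewed before it is applied as root. Assumes IPv4
# iptables with the conntrack match; addresses below are constructed (RFC 5737).

# valid_ipv4 ADDR[/PREFIX]: succeed only for a well-formed IPv4 address or CIDR
# block, so a typo cannot silently become a rule that matches nothing.
valid_ipv4() {
    case $1 in */) return 1;; esac        # reject a trailing slash with no prefix
    addr=${1%/*}
    prefix=${1#"$addr"}; prefix=${prefix#/}
    if [ -n "$prefix" ]; then
        case $prefix in *[!0-9]*) return 1;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    rest=$addr; n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break   # last octet, no dot left
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# smtp_rules HOST...: print one iptables command per line; fail on a bad host.
smtp_rules() {
    [ $# -gt 0 ] || { echo "smtp_rules: no relay hosts given" >&2; return 1; }
    for host in "$@"; do
        valid_ipv4 "$host" || { echo "smtp_rules: bad address: $host" >&2; return 1; }
    done
    # Replies and already-established sessions bypass the port-25 rules, so only
    # the first packet of a new connection is checked against the allow-list.
    echo "iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for host in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 25 -s $host -j ACCEPT"
    done
    # Any other attempt to open a connection to port 25 is dropped.
    echo "iptables -A INPUT -p tcp --dport 25 -j DROP"
}
# smtp_rule_count HOST...: number of commands smtp_rules would emit.
smtp_rule_count() { smtp_rules "$@" | wc -l | tr -d ' '; }

# Constructed example: one upstream relay plus a LAN subnet. To apply, review
# the output and then pipe it into a root shell:  smtp_rules 192.0.2.10 | sh
smtp_rules 192.0.2.10 198.51.100.0/24
```

Adding a host later is a one-line change to the allow-list call, and the trailing DROP is what keeps the server from becoming an open relay at the packet level; the mail server's own relay restrictions still apply on top of it.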