nftables does not accept port 25. Why?
Server: Debian Buster.
In nftables.conf I have:
chain INPUT {
..
tcp dport { 25,465,587,993} log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, IMAPS"
..
log prefix "nft nac: " comment "not accepted"
}
chain OUTPUT
{
..
tcp sport { 25,465,587, 993} log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, IMAPS"
..
log prefix "nft nac: " comment "not accepted"
}
When I send an email through Dovecot / Postfix,
nft smtp log shows nothing
nft nac log (not accepted) says:
IN= OUT=eth0 SRC=188.166.29.7 DST=159.65.66.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41257 DF PROTO=TCP SPT=58228 DPT=25
mail.info says: Connection timed out.
Apparently nftables does not accept port 25, while it should. I do not understand why.
What is going wrong?
Your log shows a packet leaving your Ethernet interface (OUTPUT) with a destination port of 25. What your firewall is allowing in the OUTPUT chain is packets with a TCP source port of 25.
What you likely want to do - instead of filtering by source port in the output chain - is to allow outgoing connections associated with existing (tracked) connections.
What you likely intended but have not yet added to your firewall rules is an OUTGOING rule that allows you to send outgoing mail - that would be TCP connections with a destination port of 25.