nftables does not accept port 25. Why?

Server: Debian Buster.

In nftables.conf I have:

chain INPUT {
    ..
    tcp dport { 25, 465, 587, 993 } log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, IMAPS"
    ..
    log prefix "nft nac: " comment "not accepted"
}
chain OUTPUT {
    ..
    tcp sport { 25, 465, 587, 993 } log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, IMAPS"
    ..
    log prefix "nft nac: " comment "not accepted"
}

When I send an email through Dovecot / Postfix,

nft smtp log shows nothing

nft nac log (not accepted) says:

IN= OUT=eth0 SRC=188.166.29.7 DST=159.65.66.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41257 DF PROTO=TCP SPT=58228 DPT=25

mail.info says: Connection timed out.

Apparently nftables does not accept port 25, while it should. I do not understand why.

What is going wrong?


Your log shows a packet leaving your Ethernet interface (OUTPUT) with a destination port of 25. What your firewall is allowing in the OUTPUT chain is packets with a TCP source port of 25.

What you likely want to do - instead of filtering by source port in the output chain - is to allow outgoing connections associated with existing (tracked) connections.

What you likely intended but have not yet added to your firewall rules is an OUTGOING rule that allows you to send outgoing mail - that would be TCP connections with a destination port of 25.
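Putting the answer's two points into rules, as an added example that is neither the asker's nor the answerer's configuration: the fragment below assumes an `inet filter` table with `drop` policies (the table, hooks and policies are not shown in the question) and keeps the original log prefixes. Connection tracking accepts the return traffic of any accepted connection in both chains, so the per-port rules only need to match the direction in which the connection is opened.

```nft
#!/usr/sbin/nft -f
# Assumed context: an inet filter table; only the INPUT and OUTPUT chains are shown.
table inet filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        # Replies to connections this host opened (e.g. Postfix delivering to a remote MTA) return here.
        ct state established,related accept
        ct state invalid drop
        # Inbound mail and mailbox access: new connections TO this host's mail ports.
        tcp dport { 25, 465, 587, 993 } ct state new log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, Submission, IMAPS"
        log prefix "nft nac: " comment "not accepted"
    }
    chain OUTPUT {
        type filter hook output priority 0; policy drop;
        # Packets of already-accepted connections (replies to inbound clients, ongoing outbound sessions).
        ct state established,related accept
        ct state invalid drop
        # Outbound delivery: new connections FROM this host to remote mail ports.
        # This is the packet logged in the question (OUT=eth0 ... DPT=25), which the
        # original "tcp sport" rule did not match.
        tcp dport { 25, 465, 587 } ct state new log prefix "nft smtp: " accept comment "outbound SMTP, SMTPS, Submission"
        log prefix "nft nac: " comment "not accepted"
    }
}
```

Syntax-check the file before loading it with `nft -c -f /etc/nftables.conf`, then confirm the loaded rules with `nft list ruleset`.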