
Hey guys, I am having issues with my iptables configuration. When I allow all packets, my mailer in Ruby works. When I deny all and have my rules set up, I have issues sending mail.

The output from the syslog:

Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.576269] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40128 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.979805] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40129 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.574917] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40130 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.579830] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40131 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:43 JJD-PRODUCTION-WEBSITE kernel: [ 1452.779869] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40132 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0

I have removed the source port, destination port and MAC addresses.

Also, here is my iptables -L output.

root@JJD-PRODUCTION-WEBSITE:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http limit: avg 25/min burst 100
LOGGING    all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:submission state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssmtp state ESTABLISHED

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
DROP       all  --  anywhere             anywhere
root@JJD-PRODUCTION-WEBSITE:~#

Anyone have any ideas why this isn't working?

I made rules to allow both 587 and 465, both in and out.

  • You've only got state NEW on ssh and https in OUTPUT. Is this intentional? Commented Jun 22, 2012 at 2:06
  • Not that I know of. Is that supposed to be with the other ports also? Commented Jun 22, 2012 at 2:14
  • Somehow the connection has to be established in the first place, right? Commented Jun 22, 2012 at 2:19
  • Still does not seem to be working. What you are saying makes sense, but it doesn't want to work. Commented Jun 22, 2012 at 14:46
  • Hrm, only 14 views in 20 hours. I'll flag this for moderator attention to see if it can be migrated to Server Fault; they may be a better audience. Commented Jun 22, 2012 at 22:23

1 Answer

  • Your rules seem a bit messy; you have a bunch of rules after ACCEPT anywhere, which doesn't make sense.

  • With this exact iptables -L, you allow all packets in and out, so I doubt your issues are related to firewalling. Please provide us with the output of iptables -nvL when e-mail delivery is broken (-n makes things more readable for network people; we admins like port numbers).
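As an added diagnostic example (not part of the question or the answer above): every dropped entry in the posted log is an inbound packet with SPT=587, DPT=37296 and the SYN and ACK flags set, which is the mail server's reply to a connection the Ruby mailer opened, and the INPUT chain as listed has no rule matching source port submission (that rule sits only in OUTPUT). The script below parses kernel LOG lines in the page's own format and classifies each drop so that replies to the host's own outbound connections can be told apart from unsolicited inbound connection attempts. The first five sample lines are copied from the question, the sixth is constructed, and the category names and the 587/465 service-port set are this example's own assumptions.

```python
"""Classify packets logged by an iptables LOGGING chain (added example, not from the post)."""
from collections import Counter

# Bare tokens that iptables' LOG target emits for TCP flags (no "=" after them).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Log prefix configured in the LOGGING chain shown in the question.
LOG_PREFIX = "IPTables Packet Dropped: "
# Assumed set of outbound service ports the mailer talks to (submission / ssmtp).
MAIL_PORTS = frozenset({587, 465})

# First five lines copied from the question; the last one is constructed for contrast.
SAMPLE_LINES = [
    "Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.576269] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40128 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0",
    "Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.979805] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40129 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0",
    "Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.574917] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40130 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0",
    "Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.579830] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40131 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0",
    "Jun 21 20:00:43 JJD-PRODUCTION-WEBSITE kernel: [ 1452.779869] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40132 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0",
    # Constructed: a plain SYN arriving for port 23, i.e. someone else opening a connection to us.
    "Jun 21 20:05:10 JJD-PRODUCTION-WEBSITE kernel: [ 1720.000000] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=51234 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0",
]


def parse_drop_line(line):
    """Return a dict of KEY=value fields plus a 'flags' set, or None if the prefix is absent."""
    if LOG_PREFIX not in line:
        return None
    body = line.split(LOG_PREFIX, 1)[1]
    rec = {"flags": set()}
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # MAC= / SRC= / DST= may be empty (redacted)
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if rec.get(key, "").isdigit():
            rec[key] = int(rec[key])
    return rec


def _port(rec, key):
    """Integer port for SPT/DPT, or -1 when the field is missing or not numeric."""
    value = rec.get(key)
    return value if isinstance(value, int) else -1


def classify_drop(rec, service_ports=MAIL_PORTS):
    """Name the kind of packet that was dropped (category names are this example's own)."""
    if rec is None or rec.get("PROTO") != "TCP":
        return "non-tcp-or-unparsed"
    inbound = bool(rec.get("IN"))          # IN=eth0 means the packet arrived on eth0
    flags = rec["flags"]
    # SYN+ACK arriving from a service port to an ephemeral port is the second step of a
    # handshake this host started; a stateful ESTABLISHED rule in INPUT would accept it.
    if (inbound and {"SYN", "ACK"} <= flags
            and _port(rec, "SPT") in service_ports and _port(rec, "DPT") >= 1024):
        return "reply-to-outbound-connection"
    if inbound and flags == {"SYN"}:
        return "new-inbound-connection"
    if not inbound and flags == {"SYN"}:
        return "new-outbound-connection"
    return "other"


def summarize(lines, service_ports=MAIL_PORTS):
    """Count how many dropped packets fall into each category."""
    return Counter(classify_drop(parse_drop_line(l), service_ports) for l in lines)


if __name__ == "__main__":
    for category, hits in summarize(SAMPLE_LINES).most_common():
        print(f"{hits:4d}  {category}")
```

Run over the posted log, every entry lands in the reply-to-outbound-connection bucket, which is the signature of a rule set that accepts new outbound connections per port but never accepts the return traffic generically. The usual remedy, in place of one spt: rule per service, is a single stateful rule near the top of INPUT, such as `iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, so that replies to any connection the host itself opened are accepted whatever the port; the classifier confirms beforehand that the drops are replies rather than unsolicited inbound connections, which would need a different fix.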
