Iptables blocking smtp

Alex asked:

Iptables is blocking outgoing and incomming smtp on my server, although I specified it not to. My policies are DROP everything except what’s specified. Changing policies to ACCEPT everything “solves” the problem, but I don’t want unlimited traffic on this server. Rules were set as follows (smtp part is the last):

# Flush all rules
iptables -F
iptables -X

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming and outgoing SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow incoming HTTP/HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing SMTP
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# Finally, change policy to DROP ALL
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

It’s a webserver. Django’s send_mail function is what is being used to send mail. Settings are as follows:

EMAIL_HOST = 'smtp.gmail.com'
EMAIL_HOST_USER = '[email protected]'

I assumed 587 was being used for email, so I added for port 587 the same rules shown above for port 25. I also tried switching --dport/--sport for smtp, nothing. Setting the rules as in this and this questions (both for port 25 and 587) didn’t help either. I even tried doing the same for port 1025, just because it was mentioned on the docs, nothing…

My answer:

Your firewall rules do not allow DNS traffic (UDP port 53). Thus your Django app cannot perform a DNS lookup to locate smtp.gmail.com:

gaierror at /contact/mailto [Errno -2] Name or service not known

To fix this, write firewall rules which permit outgoing DNS queries and incoming DNS responses.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.