Linode Community Forums
 Post subject: iptables
Posted: Tue Dec 31, 2013 8:19 am
Newbie

Joined: Mon Dec 16, 2013 4:31 pm
Posts: 2
Dear All,

When I change the configuration in iptables I don't seem to get the responses I expect. According to the file below I think I have opened port 587, which I want for TLS authentication for my mail server. According to iptables -L the port is open but when I use nmap the port appears closed.

I am probably missing something simple but can someone help me identify the problem?

Thanks.

File: /etc/iptables.firewall.rules

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#email
#SMTP
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
#POP
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
#IMAP
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

After:

sudo iptables -F
sudo iptables-restore < /etc/iptables.firewall.rules

Gives:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

nmap from another machine on an external network gives:

Starting Nmap 5.21 ( http://nmap.org ) at 2013-12-31 12:05 GMT
Nmap scan report for http://www.simpzoid.org (178.79.177.96)
Host is up (0.033s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
554/tcp open rtsp
587/tcp closed submission
993/tcp open imaps
995/tcp open pop3s
7070/tcp open realserver
 Post subject: Re: iptables
Posted: Tue Dec 31, 2013 9:15 am
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
simpzoid wrote:
Dear All,

When I change the configuration in iptables I don't seem to get the responses I expect. According to the file below I think I have opened port 587, which I want for TLS authentication for my mail server. According to iptables -L the port is open but when I use nmap the port appears closed.

If you try to talk to the port directly:
Code:
% telnet 178.79.177.96 587
Trying 178.79.177.96...
telnet: connect to address 178.79.177.96: Connection refused
telnet: Unable to connect to remote host: Connection refused
Your rules say "DROP" which means that this packet is being accepted by the firewall, but there's nothing listening. (You can see the difference if you try to telnet to port 588, for example; it hangs, showing the traffic is being dropped).

You're probably not running any service listening on port 587. Opening the firewall will allow traffic through, but you still need a daemon running on it.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)

 Post subject: Re: iptables
Posted: Tue Dec 31, 2013 2:18 pm
Senior Member

Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
As another diagnostic, netstat -lvpnut | grep 587 should show you if anything is listening on port 587.
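An added example, not code from either poster: a small Python helper that classifies a TCP connect attempt the way Stephen's telnet test does (refused = firewall passed it but no daemon, timeout = DROPped, success = listening) and parses netstat -lnpt output to confirm whether anything is bound to a port. The netstat sample lines are constructed, with hypothetical PIDs and program names, and deliberately leave 587 unbound to match the thread.

```python
import socket

# Constructed sample of `netstat -lnpt` output (PIDs and program names are
# hypothetical); note that nothing is bound to 587, matching the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1100/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/master
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1400/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      1400/dovecot
tcp6       0      0 :::80                   :::*                    LISTEN      -
"""

def listening_ports(netstat_output):
    """Map each TCP port in LISTEN state to its program name ('-' if unknown)."""
    ports = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])
        prog = parts[6].split("/", 1)[-1] if len(parts) > 6 else "-"
        ports[port] = prog
    return ports

def probe_port(host, port, timeout=3.0):
    """Classify a TCP connect the way the telnet test in the thread does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # SYN/ACK: firewall passed it and a daemon answered
    except ConnectionRefusedError:
        return "closed"        # RST: firewall passed it, but nothing is listening
    except socket.timeout:
        return "filtered"      # no reply at all: a DROP rule (or no route) ate the SYN

def demo_local_listener():
    """Probe a live loopback listener, then the same port once it is gone."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))   # port 0 = let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_up = probe_port("127.0.0.1", port)
    srv.close()
    return while_up, probe_port("127.0.0.1", port)

if __name__ == "__main__":
    print("listening:", listening_ports(SAMPLE_NETSTAT))   # 587 is absent
    print("loopback probe:", demo_local_listener())       # ('open', 'closed')
```

Against a real host, a "closed" result on a port the firewall allows means the fix is starting (or binding) the daemon, not editing iptables.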