Opened some ports with iptables but they aren't open

mouseowl asked:

I’m running a Debian 7 server via Linode VPS, and have recently installed/configured a mail server using Postfix and Dovecot. The final step to complete this was to open up ports 993, 995, 465, and 587. I did this by correctly adding rules allowing those ports in iptables.

However, when I tested to see if they were open using telnet and then nmap, ports 465 and 587 were not open. I also noticed from the nmap scan that the https port 443 was also not open when it should be according to my rules.

I also have an Ubuntu server on Linode with the same mail setup and same firewall rules, and it works fine (except for the https port).

What is going on? I can’t figure out why this is happening.

Here are my iptables rules:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows SMTP access
#-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# Allows pop and pops connections
#-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# Allows imap and imaps connections
#-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Here is the output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Here is my nmap portscan:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-04 21:09 EST
Nmap scan report for ******.com (***.**.***.**)
Host is up (0.11s latency).
Not shown: 93 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp open   imaps
995/tcp open   pop3s

Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds

Any help would be appreciated. Thanks!

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      
tcp        0      0 *:imaps                 *:*                     LISTEN      root       5002       
tcp        0      0 *:pop3s                 *:*                     LISTEN      root       4983       
tcp        0      0 localhost:mysql         *:*                     LISTEN      mysql      4947       
tcp        0      0 *:ssh                   *:*                     LISTEN      root       3648       
tcp        0      0 *:smtp                  *:*                     LISTEN      root       5531       
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      root       5003       
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      root       4984       
tcp6       0      0 [::]:http               [::]:*                  LISTEN      root       7548       
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       3650       
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      root       5533

My answer:


Your netstat output shows that you don’t have an SMTP server listening on ports 465 and 587. Reconfigure the SMTP server and try again.

The same applies to your web server and port 443.
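The answer's reasoning can be turned into a check. The script below is an added example, not part of the question or the answer: it parses iptables-save style rules, numeric listener output in the shape of `netstat -lnt`, and an nmap port table, then says for each port whether the firewall allows it, whether a service is bound to it, and whether nmap's state agrees. The three inputs are constructed samples that mirror the situation above (ports 443, 465 and 587 allowed but with no listener; MySQL bound to loopback only). The key point it encodes: nmap reports `closed` only when the host answered with a TCP RST, so a `closed` port has already passed the firewall and the problem is the service, while `filtered` means no answer came back, which is what the `-j DROP` rule produces.

```python
"""Cross-check iptables ACCEPT rules, listening sockets and an nmap port table.

Assumes iptables-save/iptables-restore rule syntax, numeric `netstat -lnt`
output (Local Address is the 4th column, State the 6th) and nmap's
"PORT STATE SERVICE" table. All three inputs below are constructed samples.
"""
import re

# Constructed sample: iptables-restore rules, abbreviated from the question.
IPTABLES_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

# Constructed sample: `netstat -lnt` (numeric) for the same host.
NETSTAT_LNT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

# Constructed sample: nmap port table as seen from outside.
NMAP_OUTPUT = """\
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp open   imaps
995/tcp open   pop3s
"""

ACCEPT_RE = re.compile(r"^-A INPUT\s.*-p tcp\s.*--dport (\d+)\s.*-j ACCEPT\s*$")
CATCHALL_RE = re.compile(r"^-A INPUT -j (DROP|REJECT)\s*$")
NMAP_RE = re.compile(r"^(\d+)/tcp\s+(\S+)")


def allowed_tcp_ports(rules_text):
    """TCP ports with a single-port ACCEPT in INPUT, reading in chain order.

    Rules after an unconditional DROP/REJECT in INPUT can never match, so
    collection stops there: an ACCEPT placed below the catch-all is dead.
    """
    allowed = set()
    for line in rules_text.splitlines():
        if CATCHALL_RE.match(line):
            break
        m = ACCEPT_RE.match(line)
        if m:
            allowed.add(int(m.group(1)))
    return allowed


def listening_tcp_ports(netstat_text):
    """Map port -> 'wildcard' | 'specific' | 'loopback' for LISTEN sockets.

    A port bound both on loopback and on a wildcard address is reported as
    wildcard, since that is the binding reachable from outside. On Linux a
    tcp6 listener on :: also accepts IPv4 unless net.ipv6.bindv6only=1.
    """
    rank = {"wildcard": 2, "specific": 1, "loopback": 0}
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        if not port.isdigit():          # non-numeric output (no -n): skip
            continue
        port = int(port)
        if addr in ("0.0.0.0", "::", "*"):
            kind = "wildcard"
        elif addr.startswith("127.") or addr == "::1":
            kind = "loopback"
        else:
            kind = "specific"
        if port not in listeners or rank[kind] > rank[listeners[port]]:
            listeners[port] = kind
    return listeners


def nmap_states(nmap_text):
    """Map port -> nmap state ('open', 'closed', 'filtered', ...)."""
    return {int(m.group(1)): m.group(2)
            for m in map(NMAP_RE.match, nmap_text.splitlines()) if m}


def diagnose(rules_text, netstat_text, nmap_text):
    """Return {port: (verdict, nmap_state)} for every port seen in any input."""
    allowed = allowed_tcp_ports(rules_text)
    listening = listening_tcp_ports(netstat_text)
    scanned = nmap_states(nmap_text)
    report = {}
    for port in sorted(allowed | set(listening) | set(scanned)):
        bind, state = listening.get(port), scanned.get(port, "not scanned")
        if port not in allowed:
            verdict = "not allowed by firewall (nmap should report filtered)"
        elif bind in ("wildcard", "specific"):
            verdict = "allowed and listening: should be open"
        elif bind == "loopback":
            verdict = "allowed but bound to loopback only: fix the service bind address"
        else:
            verdict = "allowed but no listener: firewall is fine, configure the service"
        # 'closed' is a RST from the host, so the SYN got through the firewall;
        # 'filtered' on an allowed, listening port means the loaded rules differ
        # from the file shown, or something upstream is dropping traffic.
        if state == "filtered" and port in allowed and bind in ("wildcard", "specific"):
            verdict += " (but nmap saw no reply: check `iptables -S` for the live rules)"
        report[port] = (verdict, state)
    return report


if __name__ == "__main__":
    for port, (verdict, state) in diagnose(IPTABLES_RULES, NETSTAT_LNT, NMAP_OUTPUT).items():
        print(f"{port:>5}/tcp  nmap={state:<11} {verdict}")
```

Run on the samples, the output lists 443, 465 and 587 as "allowed but no listener" with nmap state `closed`, which is exactly the combination the answer points at, and 3306 as not allowed by the firewall, which is the expected state for a loopback-only database.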


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.