Vesta CP firewall blocks port 465- PHPMailer can't send mails
On one of my Debian 7 installs, I'm not able to send mails through PHPMailer (PHP class), which sends mails via Google SMTP (regardless of Exim on the server).
If I stop the Firewall -- it sends through, but NOT when the Firewall is active.
I have a rule ACCEPT for 993,465,25,587
in the Rules.... Yet it's not working.
I know Vesta is not good at handling Firewall rules; can you point me to what may be wrong?
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VESTA tcp -- anywhere anywhere tcp dpt:8083
fail2ban-MAIL tcp -- anywhere anywhere multiport dports smtp,ssmtp,submission,2525,pop3,pop3s,imap2,imaps
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:9562
ACCEPT tcp -- anywhere anywhere tcp dpt:5901
ACCEPT tcp -- anywhere anywhere tcp dpt:2257
ACCEPT tcp -- anywhere anywhere tcp dpt:9810
DROP tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere multiport dports http,https
ACCEPT tcp -- anywhere anywhere multiport dports ftp-data,ftp,12000:12100
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere multiport dports smtp,ssmtp,submission,2525
ACCEPT tcp -- anywhere anywhere multiport dports pop3,pop3s
ACCEPT tcp -- anywhere anywhere multiport dports imap2,imaps
DROP tcp -- anywhere anywhere multiport dports mysql,postgresql
DROP tcp -- anywhere anywhere tcp dpt:8083
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- 127.0.0.2 anywhere
ACCEPT all -- rn2g anywhere
ACCEPT all -- localhost.localdomain anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere tcp spt:imap2
ACCEPT tcp -- anywhere anywhere tcp spt:mysql
ACCEPT tcp -- anywhere anywhere tcp spt:postgresql
ACCEPT tcp -- anywhere anywhere tcp spt:http-alt
ACCEPT tcp -- anywhere anywhere tcp spt:8433
ACCEPT tcp -- anywhere anywhere tcp spt:8083
ACCEPT udp -- google-public-dns-a.google.com anywhere udp spt:domain state ESTABLISHED
ACCEPT tcp -- google-public-dns-a.google.com anywhere tcp spt:domain state ESTABLISHED
ACCEPT udp -- google-public-dns-b.google.com anywhere udp spt:domain state ESTABLISHED
ACCEPT tcp -- google-public-dns-b.google.com anywhere tcp spt:domain state ESTABLISHED
Comments
By this you mean VestaCP > Services > IPTables/Firewall > Stop ?
The firewall rules only accept IN rules.
Your rule has to be defined in the custom.sh file.
You can see my post about DNS issues that I had when the firewall was active.
It's the same thing.
http://www.lowendguide.com/3/networking/iptables-and-vestacp-output-rules-to-allow-dns-lookups/
Yes exactly.
@Mikho,
I was thinking of contacting you... Yes, it seems like the outgoing PORT is blocked.
While DNS is working fine, can you tell me what specifically to add in your script for 465 to be explicitly open in and out?
I already have your custom.sh in place!!
If you are using my version of custom.sh ( found here) then add at the end of the file something like this:
gmailip=$(resolveip -s smtp.gmail.com)
$IPT -A OUTPUT -p tcp -d $gmailip --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -s $gmailip --sport 465 -m state --state ESTABLISHED -j ACCEPT
I haven't tested it, so don't do this on a production site without testing it properly.
I used resolveip to get the current IP since the command is included in the mysql package and smtp.gmail.com is a CNAME record.
@Mikho... This works! Thanks a TON brother.
But don't you think the IP for smtp.gmail.com keeps changing?
Also, if I want to connect to another external SMTP over port 465, it won't work.
What shall be changed in your script to open 465 to any IP (0.0.0.0/0)?
Thanks
My script resolves smtp.gmail.com, so that should take care of IP updates.
To allow everything:
Remove
gmailip=$(resolveip -s smtp.gmail.com)
Change $gmailip to 0.0.0.0/0
$IPT -A OUTPUT -p tcp -d $gmailip --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -s $gmailip --sport 465 -m state --state ESTABLISHED -j ACCEPT
That should do it.
or just remove -d * and -s *
Just to confirm the final lines should be
Good ??
Honestly speaking, this firewall ruleset is a bit backwards; you should be doing DROP/ACCEPT filtering for NEW connections only.
Then ACCEPT any ESTABLISHED, and DROP any INVALID.
Fewer rules, fewer rule hits.
@SplitIce, I'd much appreciate it if you could write the exact full rules here. It will be much faster and better for me.
Thanks
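The two pieces of advice in this thread fit together: Mikho's custom.sh addition opens outbound 465, and SplitIce's point is that a stateful skeleton (accept ESTABLISHED/RELATED, drop INVALID, then filter NEW connections only) makes the per-port INPUT --sport rule unnecessary and keeps the rule list short. The script below is an added example written for this page; it is not Mikho's custom.sh, SplitIce's ruleset or anything shipped by VestaCP. It assumes, as the thread does, that a variable IPT points at the iptables binary, and it defaults to printing the commands (dry run) so the generated rules can be reviewed before being applied as root. The relay address 203.0.113.5 and the file name custom_rules.sh are constructed for the example; getent is used in place of resolveip so the script does not depend on the mysql package.

```shell
#!/bin/sh
# Added example: generates a stateful iptables rule set that allows
# outbound SMTPS (465).  Dry run by default; IPT=iptables applies it.
IPT="${IPT:-echo iptables}"

# Stateful skeleton: traffic belonging to an already-allowed connection is
# accepted first, packets that fit no known connection are dropped, and
# only NEW connections reach the per-port rules that follow.
stateful_base() {
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m state --state INVALID -j DROP
    $IPT -A OUTPUT -m state --state INVALID -j DROP
}

# Allow NEW outbound connections to port 465 on $1 (IP or CIDR).
# 0.0.0.0/0 permits any relay; a resolved address restricts it to one host.
# No INPUT --sport 465 rule is needed: the relay's replies are matched by
# the ESTABLISHED rule in stateful_base.
allow_smtps_out() {
    dest="${1:-0.0.0.0/0}"
    $IPT -A OUTPUT -p tcp -d "$dest" --dport 465 -m state --state NEW -j ACCEPT
}

# Current IPv4 addresses of a hostname, one per line (assumes getent).
# Like the resolveip call in the thread this is evaluated when the script
# runs, so the address is refreshed each time custom.sh is re-applied,
# not when the DNS record changes.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Complete rule set for one relay destination, one command per line.
build_ruleset() {
    stateful_base
    allow_smtps_out "$1"
}

# Usage (file name custom_rules.sh is an assumption for this example):
#   sh custom_rules.sh                        # dry run, any relay
#   sh custom_rules.sh 203.0.113.5/32         # dry run, one constructed relay
#   IPT=iptables sh custom_rules.sh           # apply as root
if [ "${0##*/}" = "custom_rules.sh" ]; then
    build_ruleset "${1:-0.0.0.0/0}"
fi
```

Order matters when this is merged into a custom.sh that VestaCP re-runs: the ESTABLISHED,RELATED rules must precede the port rules, otherwise every reply packet walks the whole chain and the hit counts SplitIce is talking about go back up.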