CentOS 7 Firewall: How to allow SMTP outgoing emails with IPTables?

Question

I am running a Spring-Boot Java application inside a Docker container on a server running CentOS 7.

[root@dev-machine ~]# rpm --query centos-release
centos-release-7-5.1804.4.el7.centos.x86_64

I would like to send emails on user registration, but it only works locally and not on the server. So I think there may be something missing or wrong with the firewall rules.

Here is the output of iptables -S:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-f0479a22f469 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f0479a22f469 -j DOCKER
-A FORWARD -i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT
-A FORWARD -i br-f0479a22f469 -o br-f0479a22f469 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-3d65bc697485 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-3d65bc697485 -j DOCKER
-A FORWARD -i br-3d65bc697485 ! -o br-3d65bc697485 -j ACCEPT
-A FORWARD -i br-3d65bc697485 -o br-3d65bc697485 -j ACCEPT
-A FORWARD -o br-e9afb76ffa7a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e9afb76ffa7a -j DOCKER
-A FORWARD -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j ACCEPT
-A FORWARD -i br-e9afb76ffa7a -o br-e9afb76ffa7a -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-e9afb76ffa7a -o br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8761 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-f0479a22f469 ! -o br-f0479a22f469 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-3d65bc697485 ! -o br-3d65bc697485 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-f0479a22f469 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e9afb76ffa7a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-3d65bc697485 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

and this the output of iptables-save -C

[root@dev-machine ~]# iptables-save -c
# Generated by iptables-save v1.4.21 on Sat Sep 15 13:38:03 2018
*nat
:PREROUTING ACCEPT [19421:2552711]
:INPUT ACCEPT [18758:2423782]
:OUTPUT ACCEPT [39206:2367366]
:POSTROUTING ACCEPT [39206:2367366]
:DOCKER - [0:0]
[39177:2349612] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[44:2790] -A POSTROUTING -s 172.20.0.0/16 ! -o br-f0479a22f469 -j MASQUERADE
[2396:157880] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[62:3999] -A POSTROUTING -s 172.19.0.0/16 ! -o br-3d65bc697485 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-e9afb76ffa7a -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 8761 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.5/32 -d 172.20.0.5/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
[0:0] -A DOCKER -i br-f0479a22f469 -j RETURN
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-e9afb76ffa7a -j RETURN
[0:0] -A DOCKER -i br-3d65bc697485 -j RETURN
[0:0] -A DOCKER ! -i br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.18.0.2:9000
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.2:5000
[0:0] -A DOCKER ! -i br-f0479a22f469 -p tcp -m tcp --dport 8761 -j DNAT --to-destination 172.20.0.2:8761
[0:0] -A DOCKER ! -i br-f0479a22f469 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.20.0.5:8080
COMMIT
# Completed on Sat Sep 15 13:38:03 2018
# Generated by iptables-save v1.4.21 on Sat Sep 15 13:38:03 2018
*filter
:INPUT ACCEPT [495382:341584285]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [448313:353150279]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[1853096:1761639004] -A FORWARD -j DOCKER-USER
[1853096:1761639004] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[82:10098] -A FORWARD -o br-f0479a22f469 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-f0479a22f469 -j DOCKER
[116:11141] -A FORWARD -i br-f0479a22f469 ! -o br-f0479a22f469 -j ACCEPT
[0:0] -A FORWARD -i br-f0479a22f469 -o br-f0479a22f469 -j ACCEPT
[4610393:6820102985] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[2710958:152407715] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[186:20837] -A FORWARD -o br-3d65bc697485 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-3d65bc697485 -j DOCKER
[248:27845] -A FORWARD -i br-3d65bc697485 ! -o br-3d65bc697485 -j ACCEPT
[0:0] -A FORWARD -i br-3d65bc697485 -o br-3d65bc697485 -j ACCEPT
[0:0] -A FORWARD -o br-e9afb76ffa7a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-e9afb76ffa7a -j DOCKER
[0:0] -A FORWARD -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j ACCEPT
[0:0] -A FORWARD -i br-e9afb76ffa7a -o br-e9afb76ffa7a -j ACCEPT
[0:0] -A DOCKER -d 172.18.0.2/32 ! -i br-e9afb76ffa7a -o br-e9afb76ffa7a -p tcp -m tcp --dport 9000 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.2/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8761 -j ACCEPT
[0:0] -A DOCKER -d 172.20.0.5/32 ! -i br-f0479a22f469 -o br-f0479a22f469 -p tcp -m tcp --dport 8080 -j ACCEPT
[116:11141] -A DOCKER-ISOLATION-STAGE-1 -i br-f0479a22f469 ! -o br-f0479a22f469 -j DOCKER-ISOLATION-STAGE-2
[2710958:152407715] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-e9afb76ffa7a ! -o br-e9afb76ffa7a -j DOCKER-ISOLATION-STAGE-2
[152:17009] -A DOCKER-ISOLATION-STAGE-1 -i br-3d65bc697485 ! -o br-3d65bc697485 -j DOCKER-ISOLATION-STAGE-2
[7321815:6972561781] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-f0479a22f469 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-e9afb76ffa7a -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-3d65bc697485 -j DROP
[2711226:152435865] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[16330669:15452836360] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Sep 15 13:38:03 2018
[root@dev-machine ~]#

The container, involved in sending mails, is running on 172.20.0.5 8080:8080

I found few similar questions:

These questions had suggested enabling the outgoing traffic, but in my case it seems to be already open. Is there anything missing or wrong?

Here, the Spring-Boot property if needed (for now it's specific to gmail, but in future it must be configurable for every SMTP via env variables):

mail:
    host: smtp.gmail.com
    port: 587
    username: ${EMAIL_USERNAME}
    password: ${EMAIL_PASSWORD}
    protocol: smtp
    tls: true
    auth: true
    properties.mail.smtp:
        auth: true
        starttls.enable: true
        ssl.trust: smtp.gmail.com

a few remarks: iptables -S doesn't include nat rules (`iptables-save -c` would have). Docker might even sometimes add iptables rules inside containers, so it's not always easy to know what's going on. You should debug from your container and using tcpdump on the host for example — A.B, Sep 15 '18 at 11:34
I have updated the question with the requested informations. Any hint for the `tcpdump` command to use? — 1Z10, Sep 15 '18 at 11:46
sorry you'll have to dig on internet on methods to debug this kind of thing. it's too broad for me — A.B, Sep 15 '18 at 11:59

CentOS 7 Firewall: How to allow SMTP outgoing emails with IPTables?

0 Answers0