Hi, I'm simply trying to block all outgoing port 25. In shell (as root) I'm using this:

    iptables -I OUTPUT -p tcp --dport 25 -j DROP
    /etc/init.d/bastille-firewall restart

However, when I telnet to an SMTP server on port 25 it connects okay still. Here's what I'm doing, including my attempt to connect by telnet. Any ideas?

-------

    root@doris:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target                     prot opt source     destination
    fail2ban-ssh               tcp  --  anywhere   anywhere     multiport dports ssh
    fail2ban-pureftpd          tcp  --  anywhere   anywhere     multiport dports ftp
    fail2ban-dovecot-pop3imap  tcp  --  anywhere   anywhere     multiport dports pop3,pop3s,imap2,imaps

    Chain FORWARD (policy ACCEPT)
    target                     prot opt source     destination

    Chain OUTPUT (policy ACCEPT)
    target                     prot opt source     destination
    DROP                       tcp  --  anywhere   anywhere     tcp dpt:smtp

    Chain fail2ban-dovecot-pop3imap (1 references)
    target                     prot opt source     destination
    RETURN                     all  --  anywhere   anywhere

    Chain fail2ban-pureftpd (1 references)
    target                     prot opt source     destination
    RETURN                     all  --  anywhere   anywhere

    Chain fail2ban-ssh (1 references)
    target                     prot opt source     destination
    RETURN                     all  --  anywhere   anywhere

    root@doris:~# telnet alt4.gmail-smtp-in.l.google.com 25
    Trying 2404:6800:4008:c01::1a...
    Connected to alt4.gmail-smtp-in.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP wf3si1330115pab.166 - gsmtp
Are you sure that bastille-firewall does not flush your rules on (re)start? I think you should use the two fw-commands in reverse order (or just add the rule for port 25 without restarting bastille-firewall).
Hi Florian, thanks, I tried that. Then I ran iptables -L, and the firewall rule is present. However, when I try to telnet out on port 25 to e.g. a gmail SMTP server, it communicates back to me! I'm SSH'ing as root and running telnet; there's nothing silly like exceptions for root, is there? I'm confused!
Your telnet command appears to have connected to an IPv6 address, and you created an IPv4 firewall rule. A quick glance at the bastille-firewall script looks like it doesn't support ip6tables at all. You might take a look at ufw, it creates a much more comprehensive (though more complex) firewall than what you have, and supports IPv6.
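The point of that answer (the telnet went out over IPv6, and iptables rules only cover IPv4) can be turned into a small audit. The script below is an added example, not code from the thread or from bastille-firewall; it assumes the rule text format printed by `iptables -S OUTPUT` / `ip6tables -S OUTPUT`, and the two sample rulesets are constructed to mirror the situation on the page (IPv4 has the DROP, IPv6 has nothing). On a real host you would feed it the live output of both commands, as root, after any firewall restart has finished so a flush does not undo the rule.

```shell
#!/bin/sh
# Added example (not from the original thread): check that outbound SMTP (tcp/25)
# is dropped for BOTH address families, since iptables and ip6tables are separate tables.

# The two commands that block outbound SMTP for IPv4 and IPv6 respectively.
# Assumption: run as root, and run AFTER bastille-firewall has (re)started,
# because a restart may flush whatever was inserted before it.
smtp_block_commands() {
    printf '%s\n' \
        'iptables  -I OUTPUT -p tcp --dport 25 -j DROP' \
        'ip6tables -I OUTPUT -p tcp --dport 25 -j DROP'
}

# has_smtp_drop RULESET_TEXT
# Returns 0 if the `-S OUTPUT` style text contains a rule that drops TCP
# traffic to destination port 25, 1 otherwise.
has_smtp_drop() {
    printf '%s\n' "$1" | grep -Eq -- '^-A OUTPUT .*-p tcp .*--dport 25 .*-j DROP$'
}

# audit_smtp V4_RULESET V6_RULESET
# Reports which families still allow outbound tcp/25; returns 0 only when both drop it.
audit_smtp() {
    v4_text="$1"
    v6_text="$2"
    missing=""
    has_smtp_drop "$v4_text" || missing="${missing}ipv4 "
    has_smtp_drop "$v6_text" || missing="${missing}ipv6 "
    if [ -z "$missing" ]; then
        echo "outbound tcp/25 is dropped for both IPv4 and IPv6"
        return 0
    fi
    echo "outbound tcp/25 is still open for: $missing"
    return 1
}

# Constructed sample rulesets mirroring the thread: the IPv4 OUTPUT chain carries
# the DROP rule, the IPv6 OUTPUT chain is untouched (policy ACCEPT, no rules).
V4_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP'
V6_RULES='-P OUTPUT ACCEPT'

# On a real host the inputs would be the live tables:
#   audit_smtp "$(iptables -S OUTPUT)" "$(ip6tables -S OUTPUT)"
if audit_smtp "$V4_RULES" "$V6_RULES"; then
    :
else
    echo "rules needed to close the gap:"
    smtp_block_commands
fi
```

Running it against the constructed samples reports that IPv6 is still open, which is exactly why the telnet to `2404:6800:4008:c01::1a` succeeded; the same check against the live tables tells you whether a fix actually took effect for both families rather than trusting a single `iptables -L`.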