I have a dedicated server with an LXC container on it. The container has IP: 11.22.33.44.

I want to block outgoing port 25 of this container, so that the container cannot send out email.

From the host machine (Ubuntu 16.04), I use the following commands:

iptables -A FORWARD -p tcp --dport 25 -s 11.22.33.44 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -s 11.22.33.44 -j DROP

However, from inside the container, I can still telnet to port 25 of another server:

bash-4.1# telnet mysite.com 25
Trying 64.14.157.215...
Connected to mysite.com.
Escape character is '^]'.
220 phoenix.mysite.com ESMTP Postfix (Ubuntu)

Previously, I used Debian 8 as the OS for my host machine, and it worked great, but in Ubuntu 16.04 I may have missed some important steps to make it work.

Could anyone help me point out what is wrong here?

Thank you!

aye
  • `iptables` is used for incoming connections, once you've stopped the mail server on the "host server", `telnet` is used for outgoing connections. Or I don't understand the question. – waltinator Sep 25 '16 at 15:32
  • @waltinator I'm trying to block outgoing port 25, so that from the container the user cannot send out email – aye Sep 25 '16 at 15:36
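One thing worth checking when a rule like the one above has no effect: iptables takes the first matching rule in a chain, so a DROP appended with `-A` is never reached if an earlier ACCEPT already matches the container's traffic (lxc-net on Ubuntu adds ACCEPT rules for the `lxcbr0` bridge to FORWARD). The script below is an added example, not code from the question or answers: it walks a constructed `iptables -S FORWARD` listing the way netfilter would and shows the verdict before and after inserting the DROP at position 1; the bridge name `lxcbr0` and uplink `eth0` are assumptions.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S FORWARD` on an LXC host: the bridge
# ACCEPT rules come first, the DROP from the question was appended (-A).
SAMPLE_FORWARD = """\
-P FORWARD ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -s 11.22.33.44/32 -p tcp -m tcp --dport 25 -j DROP
"""

# Outbound SMTP from the container: enters on the bridge, leaves via the uplink.
CONTAINER_SMTP = {"src": "11.22.33.44", "in": "lxcbr0", "out": "eth0",
                  "proto": "tcp", "dport": 25}

def parse_chain(listing):
    """Return (policy, rules); each rule is a dict of option -> value.
    Assumes every option takes one value and no `!` negation is used."""
    policy, rules = "ACCEPT", []
    for line in listing.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["-P"]:
            policy = tok[2]
        elif tok[:1] == ["-A"]:
            rules.append({tok[i]: tok[i + 1] for i in range(2, len(tok) - 1, 2)})
    return policy, rules

def matches(rule, pkt):
    """Check the match options the sample uses: -s, -i, -o, -p, --dport."""
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"]):
        return False
    for opt, key in (("-i", "in"), ("-o", "out"), ("-p", "proto")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    return "--dport" not in rule or int(rule["--dport"]) == pkt["dport"]

def verdict(listing, pkt):
    """First matching rule decides, as in netfilter; otherwise the chain policy."""
    policy, rules = parse_chain(listing)
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule["-j"], n
    return policy, None

def insert_first(listing, rule):
    """Simulate `iptables -I FORWARD 1 ...`: place the rule ahead of the rest."""
    lines = listing.splitlines()
    policy = [l for l in lines if l.startswith("-P")]
    rest = [l for l in lines if not l.startswith("-P")]
    return "\n".join(policy + ["-A FORWARD " + rule] + rest) + "\n"

if __name__ == "__main__":
    print(verdict(SAMPLE_FORWARD, CONTAINER_SMTP))          # ACCEPT by rule 2
    fixed = insert_first(SAMPLE_FORWARD, "-s 11.22.33.44/32 -p tcp -m tcp --dport 25 -j DROP")
    print(verdict(fixed, CONTAINER_SMTP))                   # DROP by rule 1
```

Running `iptables -S FORWARD` (or `iptables -L FORWARD -nv` and watching the DROP rule's packet counter) on the real host gives the same kind of evidence without a simulation.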

1 Answer

Did you try using ufw on the host machine? You could do, for example:

sudo ufw deny proto tcp from 10.0.0.1 to any port 25

This should disallow tcp from 10.0.0.1 to any IP address on port 25.

You can find more examples here: How to deny an ip address from connecting to my system?

torusJKL
  • From what I see, that link is to prevent incoming connections. Anyway, I have tested your code, but I can still telnet to port 25 and can still send out email from the container – aye Sep 25 '16 at 16:03
  • Please try `sudo ufw deny out proto tcp from 11.22.33.44 to any port 25` – torusJKL Sep 25 '16 at 16:07
  • It's still not working :( – aye Sep 25 '16 at 16:10