ROS 5.0Rc5 always permits SMTP

Hi all,

I’ve been playing around with RouterOS v5 on an Alix2D3 and have come across a bit of an odd situation.

It seems if you configure a rule in the forward chain to drop TCP port 25 connections, it ignores it completely.
I’ve even tried making this the first rule in the chain and yet somehow it still manages not to do it.

The strange thing is if I edit the rule in Winbox and change the port to something else (e.g. 80) then the rule works fine; it’s only when the rule is set to drop TCP 25 that it doesn’t do anything.

Any ideas on that one?

Edit:

The mystery deepens

With that rule in place I can open some destinations on port 25 and get no matches shown, and the connection is made.
Yet with others I see that the rule is matching packets and it is not possible to connect to the SMTP server.

It’s exceedingly unlikely that there’s an error in the iptables code related only to a destination port of 25.

If you want help troubleshooting the issue, post a network diagram, a description of your situation and any peculiarities (are you running a Hotspot? That introduces dynamic firewall rules) as well as the output of “/ip address print detail”, “/ip route print detail”, and “/ip firewall export”, as well as a detailed description of how you’re testing together with the results you are seeing.

Think I’ve figured it out.

You’re right, RouterOS isn’t actually allowing the connection through on port 25; in fact it seems the PC wasn’t even bothering to try to make an SMTP connection to the server.

Turns out it was the antivirus app running on the PC (Avast). It looks like its SMTP proxy was either replying with a cached welcome banner (or the connection between Avast and the real server was made on the SSL port, I haven’t checked). Either way it was Avast making it look like the SMTP connection was successful when I was testing (I was using a telnet app to telnet on port 25) despite no actual traffic on port 25.

That happens a lot with antivirus software. McAfee does the same thing - by default “prevent worms from mass emailing” is enabled, and telnet isn’t a whitelisted process: can’t check mail servers via telnet that way. Bit me more than a few times.

With avast it actually does look like it’s connected, and you do see the welcome banner of the server in the telnet window.

So either it’s cached it from a previous connection attempt, or it initiated an SSL connection between Avast and the server.
One thing’s for sure, it did a great job of confusing the hell out of me :laughing:
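An added example, not from any post in this thread: the same forward-chain drop rule with logging enabled, plus the commands that show from the router’s own side whether it is matching, so the test no longer depends on what a client with an antivirus SMTP proxy reports. The log prefix and the rule comment are assumed names.

```routeros
# Added example, not from this thread: forward-chain rule that drops SMTP and logs each match.
# "smtp-drop" and the comment text are assumed names; use whatever you like.
/ip firewall filter add chain=forward protocol=tcp dst-port=25 action=drop log=yes log-prefix="smtp-drop" comment="block outbound SMTP"

# Zero the counters, then make the connection attempt from the PC.
/ip firewall filter reset-counters-all

# If the router really dropped the packet, this rule's packet/byte counters increase...
/ip firewall filter print stats where comment="block outbound SMTP"

# ...and a log line carrying the prefix appears.
/log print where message~"smtp-drop"

# A connection the PC reports as "successful" with no counter increase and no log entry never
# reached the router: something local to the PC (here, the antivirus SMTP proxy) answered it.
# Cross-check with the connection table; a real session to the mail server would show up here.
/ip firewall connection print where protocol=tcp dst-address~":25"
```

Comparing the router’s counters and log with what the client shows is what separates a rule that is not matching from a client that never sent the traffic.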