Email
無法從外部 ip 連接到 telnet
我有一個在 kimsufi VPS 上執行的 postfix 伺服器,我在上面安裝了 roundcube,一切正常。問題是,當我嘗試從另一台伺服器連接時,我有一個超時:
telnet whys.fr 25 Trying 5.196.66.189... telnet: Unable to connect to remote host: Connection timed out
這是我的 netstat 輸出:
netstat -ntpul | grep 25 tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 17643/master tcp6 0 0 :::25 :::* LISTEN 17643/master
和目前的 iptables 規則:
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ACCEPT tcp -- anywhere anywhere tcp dpt:smtp fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain fail2ban-ssh (1 references) target prot opt source destination RETURN all -- anywhere anywhere
來自 localhost 的 telnet 執行良好:
telnet localhost 25 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. 220 whys.fr ESMTP Postfix (Debian/GNU) ehlo whys.fr 250-whys.fr 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN quit 221 2.0.0 Bye Connection closed by foreign host.
伺服器託管在 OVH 的數據中心,25 埠沒有被阻塞:
nmap -p 25 whys.fr Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-20 15:16 CET Nmap scan report for whys.fr (5.196.66.189) Host is up (0.019s latency). rDNS record for 5.196.66.189: ns330237.ip-5-196-66.eu PORT STATE SERVICE 25/tcp filtered smtp Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds
我還檢查了郵件垃圾郵件列表,以查看我的 ip 是否在其中之一中,但事實並非如此。
我該如何接受來自外部的 telnet 25?我現在不知道,已經在 SF 上看到了所有關於它的問題,而且在網際網路的其他地方也看到了很多。
根據 nmap 文件:
filtered Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.
所以看起來你的埠只是被某處的防火牆阻止了。也許您當地的ISP?因為當我嘗試連接它時,我得到了一個連接:
$ telnet whys.fr 25 Trying 5.196.66.189... Connected to whys.fr. Escape character is '^]'. 220 whys.fr ESMTP Postfix (Debian/GNU)
遺憾的是,ISP 阻止直接連接到他們自己網路之外的埠 25 的情況並不少見,以防止客戶端電腦上的機器人直接發送垃圾郵件。