Email

無法從外部 ip 連接到 telnet

  • February 20, 2015

我有一個在 kimsufi VPS 上執行的 postfix 伺服器,我在上面安裝了 roundcube,一切正常。問題是,當我嘗試從另一台伺服器連接時,我有一個超時:

telnet whys.fr 25
Trying 5.196.66.189...
telnet: Unable to connect to remote host: Connection timed out

這是我的 netstat 輸出:

netstat -ntpul | grep 25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      17643/master    
tcp6       0      0 :::25                   :::*                    LISTEN      17643/master

和目前的 iptables 規則:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

來自 localhost 的 telnet 執行良好:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 whys.fr ESMTP Postfix (Debian/GNU)
ehlo whys.fr
250-whys.fr
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

伺服器託管在 OVH 的數據中心,25 埠沒有被阻塞:

nmap -p 25 whys.fr

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-20 15:16 CET
Nmap scan report for whys.fr (5.196.66.189)
Host is up (0.019s latency).
rDNS record for 5.196.66.189: ns330237.ip-5-196-66.eu
PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds

我還檢查了郵件垃圾郵件列表,以查看我的 ip 是否在其中之一中,但事實並非如此。

我該如何接受來自外部的 telnet 25?我現在不知道,已經在 SF 上看到了所有關於它的問題,而且在網際網路的其他地方也看到了很多。

根據 nmap 文件:

filtered

Nmap cannot determine whether the port is open because packet filtering prevents
its probes from reaching the port. The filtering could be from a dedicated
firewall device, router rules, or host-based firewall software. These ports
frustrate attackers because they provide so little information. Sometimes they
respond with ICMP error messages such as type 3 code 13 (destination unreachable:
communication administratively prohibited), but filters that simply drop probes
without responding are far more common. This forces Nmap to retry several times
just in case the probe was dropped due to network congestion rather than
filtering. This slows down the scan dramatically.

所以看起來你的埠只是被某處的防火牆阻止了。也許您當地的ISP?因為當我嘗試連接它時,我得到了一個連接:

$ telnet whys.fr 25
Trying 5.196.66.189...
Connected to whys.fr.
Escape character is '^]'.
220 whys.fr ESMTP Postfix (Debian/GNU)

遺憾的是,ISP 阻止直接連接到他們自己網路之外的埠 25 的情況並不少見,以防止客戶端電腦上的機器人直接發送垃圾郵件。

引用自:https://serverfault.com/questions/670175