Ubuntu

安裝 postfix 後無法關閉 25 埠

  • February 19, 2014

在 Ubuntu 12.04 上安裝logwatch(安裝postfix)之前,埠 25 被iptables/阻止csf

PORT   STATE    SERVICE
25/tcp filtered smtp

安裝 logwatch(安裝 postfix)後,現在打開 25 埠

PORT   STATE SERVICE
25/tcp open  smtp

使用重新啟動 CSF,csf -r但埠保持打開狀態。TCP_ON除了, TCP_OUT, UDP_IN,中定義的埠之外,不是所有埠都預設被阻止UDP_OUT嗎?為什麼 25 埠仍然開放?

csf.conf

TCP_IN = "22,27017,27018,27019"
TCP_OUT = "53,27017,27018,27019"

UDP_IN = ""
UDP_OUT = "53,123"

sudo netstat -tnlp | 抓地力:25

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      7641/master     
tcp6       0      0 :::25                   :::*                    LISTEN      7641/master   

iptables -L -n -v --line-numbers

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  !lo    *       209.244.0.3          0.0.0.0/0            tcp dpt:53
2        0     0 ACCEPT     udp  --  !lo    *       209.244.0.3          0.0.0.0/0            udp dpt:53
3        0     0 ACCEPT     tcp  --  !lo    *       209.244.0.3          0.0.0.0/0            tcp spt:53
4        0     0 ACCEPT     udp  --  !lo    *       209.244.0.3          0.0.0.0/0            udp spt:53
5        0     0 ACCEPT     tcp  --  !lo    *       8.8.8.8              0.0.0.0/0            tcp dpt:53
6        0     0 ACCEPT     udp  --  !lo    *       8.8.8.8              0.0.0.0/0            udp dpt:53
7        0     0 ACCEPT     tcp  --  !lo    *       8.8.8.8              0.0.0.0/0            tcp spt:53
8        0     0 ACCEPT     udp  --  !lo    *       8.8.8.8              0.0.0.0/0            udp spt:53
9        0     0 ACCEPT     tcp  --  !lo    *       8.8.4.4              0.0.0.0/0            tcp dpt:53
10       0     0 ACCEPT     udp  --  !lo    *       8.8.4.4              0.0.0.0/0            udp dpt:53
11       0     0 ACCEPT     tcp  --  !lo    *       8.8.4.4              0.0.0.0/0            tcp spt:53
12      52  6331 ACCEPT     udp  --  !lo    *       8.8.4.4              0.0.0.0/0            udp spt:53
13   10491  986K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
14      51  3795 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
15   10278  968K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
16   10226  965K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
17       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
18      44  2640 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:27017
19       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:27018
20       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:27019
21       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
22       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 0 limit: avg 1/sec burst 5
23       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 11
24       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 3
25       8   452 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            209.244.0.3          tcp dpt:53
2        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            209.244.0.3          udp dpt:53
3        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            209.244.0.3          tcp spt:53
4        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            209.244.0.3          udp spt:53
5        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.8.8              tcp dpt:53
6        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.8.8              udp dpt:53
7        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.8.8              tcp spt:53
8        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.8.8              udp spt:53
9        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.4.4              tcp dpt:53
10      52  3614 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.4.4              udp dpt:53
11       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.4.4              tcp spt:53
12       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.4.4              udp spt:53
13    7286 1342K LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
14       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp dpt:53
15       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp dpt:53
16       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp spt:53
17       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp spt:53
18      51  3795 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
19    7127 1288K INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
20    7127 1288K ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
21       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
22       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
23       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:27017
24       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:27018
25       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:27019
26       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
27       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:123
28       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 0
29       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 8
30       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 11
31       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 3
32       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           

Chain ALLOWIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  !lo    *       162.158.0.0/15       0.0.0.0/0           
2        0     0 ACCEPT     all  --  !lo    *       198.41.128.0/17      0.0.0.0/0           
3        0     0 ACCEPT     all  --  !lo    *       197.234.240.0/22     0.0.0.0/0           
4        0     0 ACCEPT     all  --  !lo    *       188.114.96.0/20      0.0.0.0/0           
5        0     0 ACCEPT     all  --  !lo    *       190.93.240.0/20      0.0.0.0/0           
6        0     0 ACCEPT     all  --  !lo    *       108.162.192.0/18     0.0.0.0/0           
7        0     0 ACCEPT     all  --  !lo    *       141.101.64.0/18      0.0.0.0/0           
8        0     0 ACCEPT     all  --  !lo    *       103.31.4.0/22        0.0.0.0/0           
9        0     0 ACCEPT     all  --  !lo    *       103.22.200.0/22      0.0.0.0/0           
10       0     0 ACCEPT     all  --  !lo    *       103.21.244.0/22      0.0.0.0/0           
11       0     0 ACCEPT     all  --  !lo    *       173.245.48.0/20      0.0.0.0/0           
12       0     0 ACCEPT     all  --  !lo    *       199.27.128.0/21      0.0.0.0/0           
13     213 17445 ACCEPT     all  --  !lo    *       59.189.154.164       0.0.0.0/0           

Chain ALLOWOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            162.158.0.0/15      
2        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            198.41.128.0/17     
3        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            197.234.240.0/22    
4        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            188.114.96.0/20     
5        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            190.93.240.0/20     
6        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            108.162.192.0/18    
7        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            141.101.64.0/18     
8        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            103.31.4.0/22       
9        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            103.22.200.0/22     
10       0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            103.21.244.0/22     
11       0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            173.245.48.0/20     
12       0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            199.27.128.0/21     
13     159 53077 ACCEPT     all  --  *      !lo     0.0.0.0/0            59.189.154.164      

Chain DENYIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DENYOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INVALID (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x00
3        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x3F
4        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x03/0x03
5        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x06
6        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x05/0x05
7        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x11/0x01
8        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x18/0x08
9        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x30/0x20
10       0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 ctstate NEW

Chain INVDROP (10 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALINPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    10491  986K ALLOWIN    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
2    10278  968K DENYIN     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALOUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     7286 1342K ALLOWOUT   all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
2     7127 1288K DENYOUT    all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
2        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:68
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
5        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111
6        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
8        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:113
9        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
10       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
11       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
12       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
13       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
14       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
15       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:513
16       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:513
17       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:520
18       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
19       8   452 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
20       0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
21       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
22       8   452 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
2        0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

恭喜,在緩慢而耐心的提問的影響下,您已經解決了自己的問題。ALLOWIN 鏈中的規則 13 允許來自測試客戶端的 IP 地址的所有流量( TCP 重置)打開(您可以到達埠,並且有人準備與您交談)。59.189.154.164``nmap

這是一個相當複雜的規則集,許多規則的數據包計數為零,因此對您無濟於事。您可能會發現,針對您的業務需求對防火牆規則進行全面檢查是對您時間的一項很好的投資,以免它們再次絆倒您。

引用自:https://serverfault.com/questions/576380