Ubuntu
Cannot close port 25 after installing postfix
Before installing logwatch (which installs postfix) on Ubuntu 12.04, port 25 was blocked by iptables/csf:
PORT STATE SERVICE 25/tcp filtered smtp
After installing logwatch (and with it postfix), port 25 is now open:
PORT STATE SERVICE 25/tcp open smtp
I restarted CSF with
csf -r
but the port stays open. Aren't all ports blocked by default except those defined in TCP_IN, TCP_OUT, UDP_IN and UDP_OUT in csf.conf? Why is port 25 still open?
TCP_IN = "22,27017,27018,27019"
TCP_OUT = "53,27017,27018,27019"
UDP_IN = ""
UDP_OUT = "53,123"
sudo netstat -tnlp | grep :25
tcp  0 0 0.0.0.0:25 0.0.0.0:* LISTEN 7641/master
tcp6 0 0 :::25      :::*      LISTEN 7641/master
iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts  bytes target      prot opt in  out source       destination
1   0     0     ACCEPT      tcp  --  !lo *   209.244.0.3  0.0.0.0/0   tcp dpt:53
2   0     0     ACCEPT      udp  --  !lo *   209.244.0.3  0.0.0.0/0   udp dpt:53
3   0     0     ACCEPT      tcp  --  !lo *   209.244.0.3  0.0.0.0/0   tcp spt:53
4   0     0     ACCEPT      udp  --  !lo *   209.244.0.3  0.0.0.0/0   udp spt:53
5   0     0     ACCEPT      tcp  --  !lo *   8.8.8.8      0.0.0.0/0   tcp dpt:53
6   0     0     ACCEPT      udp  --  !lo *   8.8.8.8      0.0.0.0/0   udp dpt:53
7   0     0     ACCEPT      tcp  --  !lo *   8.8.8.8      0.0.0.0/0   tcp spt:53
8   0     0     ACCEPT      udp  --  !lo *   8.8.8.8      0.0.0.0/0   udp spt:53
9   0     0     ACCEPT      tcp  --  !lo *   8.8.4.4      0.0.0.0/0   tcp dpt:53
10  0     0     ACCEPT      udp  --  !lo *   8.8.4.4      0.0.0.0/0   udp dpt:53
11  0     0     ACCEPT      tcp  --  !lo *   8.8.4.4      0.0.0.0/0   tcp spt:53
12  52    6331  ACCEPT      udp  --  !lo *   8.8.4.4      0.0.0.0/0   udp spt:53
13  10491 986K  LOCALINPUT  all  --  !lo *   0.0.0.0/0    0.0.0.0/0
14  51    3795  ACCEPT      all  --  lo  *   0.0.0.0/0    0.0.0.0/0
15  10278 968K  INVALID     tcp  --  !lo *   0.0.0.0/0    0.0.0.0/0
16  10226 965K  ACCEPT      all  --  !lo *   0.0.0.0/0    0.0.0.0/0   ctstate RELATED,ESTABLISHED
17  0     0     ACCEPT      tcp  --  !lo *   0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:22
18  44    2640  ACCEPT      tcp  --  !lo *   0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:27017
19  0     0     ACCEPT      tcp  --  !lo *   0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:27018
20  0     0     ACCEPT      tcp  --  !lo *   0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:27019
21  0     0     ACCEPT      icmp --  !lo *   0.0.0.0/0    0.0.0.0/0   icmptype 8 limit: avg 1/sec burst 5
22  0     0     ACCEPT      icmp --  !lo *   0.0.0.0/0    0.0.0.0/0   icmptype 0 limit: avg 1/sec burst 5
23  0     0     ACCEPT      icmp --  !lo *   0.0.0.0/0    0.0.0.0/0   icmptype 11
24  0     0     ACCEPT      icmp --  !lo *   0.0.0.0/0    0.0.0.0/0   icmptype 3
25  8     452   LOGDROPIN   all  --  !lo *   0.0.0.0/0    0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts  bytes target      prot opt in  out source       destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts  bytes target      prot opt in  out source       destination
1   0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    209.244.0.3 tcp dpt:53
2   0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    209.244.0.3 udp dpt:53
3   0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    209.244.0.3 tcp spt:53
4   0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    209.244.0.3 udp spt:53
5   0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    8.8.8.8     tcp dpt:53
6   0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    8.8.8.8     udp dpt:53
7   0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    8.8.8.8     tcp spt:53
8   0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    8.8.8.8     udp spt:53
9   0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    8.8.4.4     tcp dpt:53
10  52    3614  ACCEPT      udp  --  *   !lo 0.0.0.0/0    8.8.4.4     udp dpt:53
11  0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    8.8.4.4     tcp spt:53
12  0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    8.8.4.4     udp spt:53
13  7286  1342K LOCALOUTPUT all  --  *   !lo 0.0.0.0/0    0.0.0.0/0
14  0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   tcp dpt:53
15  0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   udp dpt:53
16  0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   tcp spt:53
17  0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   udp spt:53
18  51    3795  ACCEPT      all  --  *   lo  0.0.0.0/0    0.0.0.0/0
19  7127  1288K INVALID     tcp  --  *   !lo 0.0.0.0/0    0.0.0.0/0
20  7127  1288K ACCEPT      all  --  *   !lo 0.0.0.0/0    0.0.0.0/0   ctstate RELATED,ESTABLISHED
21  0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:53
22  0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:80
23  0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:27017
24  0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:27018
25  0     0     ACCEPT      tcp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   ctstate NEW tcp dpt:27019
26  0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   ctstate NEW udp dpt:53
27  0     0     ACCEPT      udp  --  *   !lo 0.0.0.0/0    0.0.0.0/0   ctstate NEW udp dpt:123
28  0     0     ACCEPT      icmp --  *   !lo 0.0.0.0/0    0.0.0.0/0   icmptype 0
29  0     0     ACCEPT      icmp --  *   !lo 0.0.0.0/0    0.0.0.0/0   icmptype 8
30  0     0     ACCEPT      icmp --  *   !lo 0.0.0.0/0    0.0.0.0/0   icmptype 11
31  0     0     ACCEPT      icmp --  *   !lo 0.0.0.0/0    0.0.0.0/0   icmptype 3
32  0     0     LOGDROPOUT  all  --  *   !lo 0.0.0.0/0    0.0.0.0/0

Chain ALLOWIN (1 references)
num pkts  bytes target      prot opt in  out source           destination
1   0     0     ACCEPT      all  --  !lo *   162.158.0.0/15   0.0.0.0/0
2   0     0     ACCEPT      all  --  !lo *   198.41.128.0/17  0.0.0.0/0
3   0     0     ACCEPT      all  --  !lo *   197.234.240.0/22 0.0.0.0/0
4   0     0     ACCEPT      all  --  !lo *   188.114.96.0/20  0.0.0.0/0
5   0     0     ACCEPT      all  --  !lo *   190.93.240.0/20  0.0.0.0/0
6   0     0     ACCEPT      all  --  !lo *   108.162.192.0/18 0.0.0.0/0
7   0     0     ACCEPT      all  --  !lo *   141.101.64.0/18  0.0.0.0/0
8   0     0     ACCEPT      all  --  !lo *   103.31.4.0/22    0.0.0.0/0
9   0     0     ACCEPT      all  --  !lo *   103.22.200.0/22  0.0.0.0/0
10  0     0     ACCEPT      all  --  !lo *   103.21.244.0/22  0.0.0.0/0
11  0     0     ACCEPT      all  --  !lo *   173.245.48.0/20  0.0.0.0/0
12  0     0     ACCEPT      all  --  !lo *   199.27.128.0/21  0.0.0.0/0
13  213   17445 ACCEPT      all  --  !lo *   59.189.154.164   0.0.0.0/0

Chain ALLOWOUT (1 references)
num pkts  bytes target      prot opt in  out source       destination
1   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    162.158.0.0/15
2   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    198.41.128.0/17
3   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    197.234.240.0/22
4   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    188.114.96.0/20
5   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    190.93.240.0/20
6   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    108.162.192.0/18
7   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    141.101.64.0/18
8   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    103.31.4.0/22
9   0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    103.22.200.0/22
10  0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    103.21.244.0/22
11  0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    173.245.48.0/20
12  0     0     ACCEPT      all  --  *   !lo 0.0.0.0/0    199.27.128.0/21
13  159   53077 ACCEPT      all  --  *   !lo 0.0.0.0/0    59.189.154.164

Chain DENYIN (1 references)
num pkts  bytes target      prot opt in  out source       destination

Chain DENYOUT (1 references)
num pkts  bytes target      prot opt in  out source       destination

Chain INVALID (2 references)
num pkts  bytes target      prot opt in  out source       destination
1   0     0     INVDROP     all  --  *   *   0.0.0.0/0    0.0.0.0/0   ctstate INVALID
2   0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x3F/0x00
3   0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x3F/0x3F
4   0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x03/0x03
5   0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x06/0x06
6   0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x05/0x05
7   0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x11/0x01
8   0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x18/0x08
9   0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x30/0x20
10  0     0     INVDROP     tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags:! 0x17/0x02 ctstate NEW

Chain INVDROP (10 references)
num pkts  bytes target      prot opt in  out source       destination
1   0     0     DROP        all  --  *   *   0.0.0.0/0    0.0.0.0/0

Chain LOCALINPUT (1 references)
num pkts  bytes target      prot opt in  out source       destination
1   10491 986K  ALLOWIN     all  --  !lo *   0.0.0.0/0    0.0.0.0/0
2   10278 968K  DENYIN      all  --  !lo *   0.0.0.0/0    0.0.0.0/0

Chain LOCALOUTPUT (1 references)
num pkts  bytes target      prot opt in  out source       destination
1   7286  1342K ALLOWOUT    all  --  *   !lo 0.0.0.0/0    0.0.0.0/0
2   7127  1288K DENYOUT     all  --  *   !lo 0.0.0.0/0    0.0.0.0/0

Chain LOGDROPIN (1 references)
num pkts  bytes target      prot opt in  out source       destination
1   0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpt:67
2   0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpt:67
3   0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpt:68
4   0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpt:68
5   0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpt:111
6   0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpt:111
7   0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpt:113
8   0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpt:113
9   0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpts:135:139
10  0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpts:135:139
11  0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpt:445
12  0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpt:445
13  0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpt:500
14  0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpt:500
15  0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpt:513
16  0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpt:513
17  0     0     DROP        tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcp dpt:520
18  0     0     DROP        udp  --  *   *   0.0.0.0/0    0.0.0.0/0   udp dpt:520
19  8     452   LOG         tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
20  0     0     LOG         udp  --  *   *   0.0.0.0/0    0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
21  0     0     LOG         icmp --  *   *   0.0.0.0/0    0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
22  8     452   DROP        all  --  *   *   0.0.0.0/0    0.0.0.0/0

Chain LOGDROPOUT (1 references)
num pkts  bytes target      prot opt in  out source       destination
1   0     0     LOG         tcp  --  *   *   0.0.0.0/0    0.0.0.0/0   tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
2   0     0     LOG         udp  --  *   *   0.0.0.0/0    0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
3   0     0     LOG         icmp --  *   *   0.0.0.0/0    0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
4   0     0     DROP        all  --  *   *   0.0.0.0/0    0.0.0.0/0
Congratulations: by slow and patient questioning you have solved your own problem. Rule 13 in the ALLOWIN chain allows all traffic from 59.189.154.164, the IP address of your test client, so the `nmap` TCP scan from that address reports the port as open (you can reach the port, and something is ready to talk to you).

This is a rather complex ruleset, and many of the rules have packet counts of zero, so they are doing nothing for you. You may find that a thorough review of the firewall rules against your business needs is a good investment of your time, so that they don't trip you up again.
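As an added example (not code from the question or the answer), a small Python audit that reproduces the answer's point: CSF jumps to LOCALINPUT/ALLOWIN before the TCP_IN port rules, so a blanket allow for the scanner's own address makes every listening port look open from that host while remaining blocked for everyone else. The rule lines are constructed in `iptables -S` format to mirror the question's ALLOWIN chain and csf.conf; that format and the rule ordering are the assumptions.

```python
"""Find blanket source allowances in a CSF/iptables ruleset that bypass TCP_IN.

Added example, not from the original question or answer. The rule lines
below are constructed in `iptables -S` style to mirror the question's
ALLOWIN chain and its csf.conf TCP_IN setting.
"""
import ipaddress
import re

# Constructed sample: TCP_IN from the question, two ALLOWIN entries, one port rule.
TCP_IN = {22, 27017, 27018, 27019}
RULES = """
-A ALLOWIN ! -i lo -s 173.245.48.0/20 -j ACCEPT
-A ALLOWIN ! -i lo -s 59.189.154.164/32 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
""".strip().splitlines()

# Chain, source and target of an iptables -S rule line.
RULE_RE = re.compile(r"-A (?P<chain>\S+).*?-s (?P<src>\S+).*?-j (?P<target>\S+)")


def blanket_allows(rules):
    """Return the networks that ALLOWIN accepts for every protocol and port."""
    nets = []
    for line in rules:
        m = RULE_RE.search(line)
        if not m or m["chain"] != "ALLOWIN" or m["target"] != "ACCEPT":
            continue
        if "--dport" in line or " -p " in line:
            continue  # port- or protocol-specific entry, not a blanket allow
        nets.append(ipaddress.ip_network(m["src"], strict=False))
    return nets


def would_accept(src, dport, rules=RULES, tcp_in=TCP_IN):
    """True if a NEW TCP connection from src to dport passes the INPUT chain.

    INPUT reaches LOCALINPUT -> ALLOWIN before the per-port TCP_IN rules, so a
    blanket allow wins regardless of TCP_IN; otherwise only TCP_IN ports pass.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in blanket_allows(rules)):
        return True
    return dport in tcp_in


if __name__ == "__main__":
    for src in ("59.189.154.164", "203.0.113.7"):  # allow-listed client vs. anyone else
        print(src, "-> port 25 accepted:", would_accept(src, 25))
```

Scanning from an address that is not in ALLOWIN (or `csf.allow`) gives the picture the rest of the internet sees.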