Ubuntu
Ports 993 and 995 not open even though they are opened in iptables
Hi, I have a problem with email clients' IMAP and POP access to the mail server (postfix/dovecot).
From the server shell (ubuntu 12.04, postfix, dovecot, spamassassin, amavis), telnet to ports 587, 25, 110 and 465 works, but 995 and 993 time out.
When I try to configure the Outlook email client for 995 and try to send a test email, I get the following in syslog:
Nov 30 08:17:41 kernel: iptables denied: IN=eth0 OUT= MAC=[MAC] SRC=[MYIP] DST=212.71.232.217 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=21862 DF PROTO=TCP SPT=50534 DPT=995 WINDOW=8192 RES=0x00 SYN URGP=0
(MAC and source IP replaced with placeholders)
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-ssh-ddos tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 982
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 982
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8069
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:8080:8090
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:60000:61000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:982
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:995
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:993

Chain FORWARD (policy DROP)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ssh-ddos (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ufw-skip-to-policy-input all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ufw-not-local all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900
ufw-user-input all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ufw-user-output all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 3/min burst 10
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:587

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination
netstat -ntlp shows:
netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:8069            0.0.0.0:*               LISTEN      5961/python
tcp        0      0 127.0.0.1:10023         0.0.0.0:*               LISTEN      2991/postgrey.pid -
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      2932/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      4667/smtpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2714/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      4647/smtpd
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      6304/redis-server
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      5885/memcached
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      29522/spamd.pid
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2310/apache2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5923/nginx
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      25761/master
tcp        0      0 0.0.0.0:982             0.0.0.0:*               LISTEN      2554/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2951/postgres
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      25761/master
tcp        0      0 127.0.0.1:45019         0.0.0.0:*               LISTEN      29461/current
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      5951/opendkim
tcp6       0      0 :::587                  :::*                    LISTEN      4647/smtpd
tcp6       0      0 :::465                  :::*                    LISTEN      25761/master
tcp6       0      0 :::21                   :::*                    LISTEN      6483/proftpd: (acce
tcp6       0      0 :::982                  :::*                    LISTEN      2554/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      25761/master
tcp6       0      0 :::443                  :::*                    LISTEN      2310/apache2
I don't know what could be blocking it. As far as I can see, iptables shows the corresponding ports/services as open...
How can I debug this / find out where the problem is? I just noticed that since installing ufw there are multiple entries for 993 and 995. I hope that isn't the problem...?
I'm not a professional and still learning, so please forgive any obvious mistakes.
Thanks in advance!
The ordering of firewall rules matters. You need to move the rules that accept traffic on 993 and 995 above the LOG and REJECT rules.
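To see why ordering decides the verdict, here is a small first-match walker over a constructed excerpt of the question's INPUT chain. It is added example code, not part of the original answer; it treats LOG and jumps to user chains as non-terminal (a simplification of real iptables) and `hoist_accepts` shows the reordering the answer recommends.

```python
import re

# Constructed excerpt of the INPUT chain from the question (iptables -L -n style),
# reduced to the rules that matter for a new inbound TCP connection.
INPUT_CHAIN = """\
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
"""

TERMINAL = {"ACCEPT", "REJECT", "DROP"}  # verdicts that stop chain traversal

def parse_rule(line):
    """Parse one 'iptables -L -n' rule line into target, proto, dport and states."""
    target, proto, _opt, _src, _dst, *rest = line.split()
    extra = " ".join(rest)
    dpt = re.search(r"dpt:(\d+)", extra)
    st = re.search(r"state (\S+)", extra)
    return {"target": target, "proto": proto,
            "dport": int(dpt.group(1)) if dpt else None,
            "states": set(st.group(1).split(",")) if st else None}

def matches(rule, pkt):
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True

def verdict(chain_text, pkt, policy="DROP"):
    """Walk top to bottom; the first matching terminal rule wins, as in the kernel.
    Returns (verdict, rule index), or (chain policy, None) if nothing terminal matched."""
    for i, line in enumerate(chain_text.strip().splitlines()):
        rule = parse_rule(line)
        if matches(rule, pkt) and rule["target"] in TERMINAL:
            return rule["target"], i
    return policy, None

def hoist_accepts(chain_text, ports):
    """Move the ACCEPT rules for the given ports above the first LOG/REJECT/DROP rule."""
    lines = chain_text.strip().splitlines()
    wanted = [r for r in lines
              if parse_rule(r)["target"] == "ACCEPT" and parse_rule(r)["dport"] in ports]
    rest = [r for r in lines if r not in wanted]
    cut = next(i for i, r in enumerate(rest)
               if parse_rule(r)["target"] in {"LOG", "REJECT", "DROP"})
    return "\n".join(rest[:cut] + wanted + rest[cut:]) + "\n"
```

On the original order a new SYN to 995 reaches the REJECT rule first, exactly what the "iptables denied:" syslog line shows; after hoisting, the same packet is accepted.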
What Paul Haldane said. Above: REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable