Ubuntu

Ports 993 and 995 are not open even though they are opened in iptables

  • November 30, 2014

Hi, I have a problem with e-mail clients' IMAP and POP access to the mail server (postfix/dovecot).

Telnet from the server shell (ubuntu 12.04, postfix, dovecot, spamassassin, amavis) to ports 587, 25, 110 and 465 works, but 995 and 993 time out.

When I configure the Outlook e-mail client for 995 and try to send a test e-mail, I get the following in syslog:

Nov 30 08:17:41 kernel: iptables denied: IN=eth0 OUT= MAC=[MAC] SRC=[MYIP] DST=212.71.232.217 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=21862 DF PROTO=TCP SPT=50534 DPT=995 WINDOW=8192 RES=0x00 SYN URGP=0

(MAC and source IP replaced with placeholders)

Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-ssh-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 982
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 982
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8069
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:8080:8090
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:60000:61000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:982
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:993

Chain FORWARD (policy DROP)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ufw-skip-to-policy-input  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:1900
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 3/min burst 10
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:587

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

netstat -ntlp shows:

netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:8069            0.0.0.0:*               LISTEN      5961/python
tcp        0      0 127.0.0.1:10023         0.0.0.0:*               LISTEN      2991/postgrey.pid -
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      2932/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      4667/smtpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2714/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      4647/smtpd
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      6304/redis-server
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      5885/memcached
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      29522/spamd.pid
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2310/apache2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5923/nginx
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      25761/master
tcp        0      0 0.0.0.0:982             0.0.0.0:*               LISTEN      2554/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2951/postgres
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      25761/master
tcp        0      0 127.0.0.1:45019         0.0.0.0:*               LISTEN      29461/current
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      5951/opendkim
tcp6       0      0 :::587                  :::*                    LISTEN      4647/smtpd
tcp6       0      0 :::465                  :::*                    LISTEN      25761/master
tcp6       0      0 :::21                   :::*                    LISTEN      6483/proftpd: (acce
tcp6       0      0 :::982                  :::*                    LISTEN      2554/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      25761/master
tcp6       0      0 :::443                  :::*                    LISTEN      2310/apache2

I don't know what could be blocking it - as far as I can see, iptables shows the corresponding ports/services as open...

How do I debug this / find out where the problem is? I just noticed that since installing ufw there are multiple entries for 993 and 995 - hopefully that isn't the problem...?

I'm not a professional, still learning, so please forgive any obvious mistakes.

Thanks in advance!

The order of firewall rules matters. You need to move the rules that accept traffic on 993 and 995 above the LOG and REJECT rules.
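As an added illustration of the answer (not code from the thread): a small Python check that parses an `iptables -L INPUT -n` listing and reports ACCEPT rules that sit below a catch-all REJECT/DROP in the same chain. The listing it runs on is a constructed excerpt of the INPUT chain from the question, keeping the same rule order.

```python
"""Flag ACCEPT rules shadowed by an earlier catch-all REJECT/DROP in an iptables chain."""
import re

# Constructed excerpt of the question's INPUT chain (same order: LOG and REJECT
# come before the ACCEPT rules for 993/995, so those two can never match).
INPUT_CHAIN = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
"""

# target, prot, opt, source, destination, then whatever extra match text follows
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_chain(listing):
    """Return (chain name, policy, rules); rule positions are 1-based like `iptables -L --line-numbers`."""
    lines = listing.strip().splitlines()
    header = re.match(r"Chain (\S+) \(policy (\S+)\)", lines[0])
    rules = []
    for pos, line in enumerate(lines[2:], start=1):  # skip the two header rows
        target, prot, src, dst, extra = RULE_RE.match(line).groups()
        rules.append({"pos": pos, "target": target, "prot": prot,
                      "src": src, "dst": dst, "extra": extra.strip()})
    return header.group(1), header.group(2), rules


def is_catch_all(rule):
    """True for a terminating rule that matches every packet: REJECT/DROP, any proto, any/any, no other match."""
    extra = re.sub(r"reject-with \S+", "", rule["extra"]).strip()
    return (rule["target"] in ("REJECT", "DROP") and rule["prot"] == "all"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0" and extra == "")


def shadowed_accepts(listing):
    """Map each ACCEPT rule's match text (e.g. 'tcp dpt:993') to the position of the catch-all above it."""
    _, _, rules = parse_chain(listing)
    blocker = next((r for r in rules if is_catch_all(r)), None)
    if blocker is None:
        return {}
    return {r["extra"]: blocker["pos"] for r in rules
            if r["target"] == "ACCEPT" and r["pos"] > blocker["pos"]}


if __name__ == "__main__":
    for match, pos in shadowed_accepts(INPUT_CHAIN).items():
        print(f"ACCEPT '{match}' is unreachable: catch-all rule at position {pos} matches first")
```

On a live box, feed it `iptables -L INPUT -n` instead of the embedded excerpt; the reported position is the `-I INPUT <n>` slot to insert the ACCEPT rules at so they sit above the REJECT.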

What Paul Haldane said. Above: REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Quoted from: https://serverfault.com/questions/648037