Ports 993 and 995 are not open even though they are opened in iptables

Server Fault user
Asked 2014-11-30 09:03:35
2 answers, 1.5K views, 0 followers, 0 votes

Hi, I have a problem with mail clients accessing the mail server (postfix/dovecot) over imaps and pops.

telnet from the server shell (ubuntu 12.04, postfix, dovecot, spamassassin, amavis) to ports 587, 25, 110, 465 works, but 995 and 993 time out.

When I try to configure the Outlook email client for 995 and send a test mail, I get the following in syslog:

Nov 30 08:17:41 kernel: iptables denied: IN=eth0 OUT= MAC=[MAC] SRC=[MYIP] DST=212.71.232.217 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=21862 DF PROTO=TCP SPT=50534 DPT=995 WINDOW=8192 RES=0x00 SYN URGP=0

(MAC and src ip replaced with placeholders)

Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-ssh-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 982
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 982
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8069
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:8080:8090
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:60000:61000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:982
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:993

Chain FORWARD (policy DROP)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ufw-skip-to-policy-input  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:1900
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 3/min burst 10
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:587

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

netstat -ntlp shows:

 netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:8069            0.0.0.0:*               LISTEN      5961/python
tcp        0      0 127.0.0.1:10023         0.0.0.0:*               LISTEN      2991/postgrey.pid -
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      2932/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      4667/smtpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2714/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      4647/smtpd
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      6304/redis-server
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      5885/memcached
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      29522/spamd.pid
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2310/apache2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5923/nginx
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      25761/master
tcp        0      0 0.0.0.0:982             0.0.0.0:*               LISTEN      2554/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2951/postgres
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      25761/master
tcp        0      0 127.0.0.1:45019         0.0.0.0:*               LISTEN      29461/current
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      5951/opendkim
tcp6       0      0 :::587                  :::*                    LISTEN      4647/smtpd
tcp6       0      0 :::465                  :::*                    LISTEN      25761/master
tcp6       0      0 :::21                   :::*                    LISTEN      6483/proftpd: (acce
tcp6       0      0 :::982                  :::*                    LISTEN      2554/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      25761/master
tcp6       0      0 :::443                  :::*                    LISTEN      2310/apache2

I don't know what is blocking this - to me, iptables shows that the corresponding ports/services are open.

How can I debug / find out what's wrong? I just noticed that since ufw was installed there are multiple entries for 993 and 995 - hopefully that's not a problem?

I'm not a professional, still learning, so please forgive any obvious mistakes.

Thanks in advance!

2 answers

Server Fault user

Accepted answer

Posted 2014-11-30 09:48:07

The ordering of firewall rules is very important. You need to move your rules accepting traffic on 993 and 995 above the LOG and REJECT rules.

Votes: 3
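An added example to illustrate the accepted answer (this is not code from the question, the answers, or any of the projects involved): the INPUT chain in the question has a catch-all `REJECT all -- 0.0.0.0/0 0.0.0.0/0` at rule 21, and every `ACCEPT ... dpt:993` / `dpt:995` rule sits below it, so evaluation of the chain never reaches them. The script below parses `iptables -L -n` style output, finds the first unconditional REJECT/DROP in a chain, lists the rules shadowed by it, maps an `iptables denied:` syslog line to the shadowed ACCEPT rule that should have matched it, and generates the `iptables -I` commands that re-create those port rules directly above the terminator. The listing and the log line embedded in it are constructed samples: an abridged copy of the question's INPUT chain in the same order, with placeholder addresses.

```python
import re

# Constructed sample: an abridged copy of the INPUT chain posted in the
# question (same rule order, most of the port rules omitted for brevity).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:995

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
"""

# Constructed sample log line in the format shown in the question;
# the addresses are placeholders.
SAMPLE_DENIED_LOG = ("Nov 30 08:17:41 kernel: iptables denied: IN=eth0 OUT= "
                     "MAC=[MAC] SRC=[MYIP] DST=[SERVERIP] LEN=60 TOS=0x00 PREC=0x00 "
                     "TTL=113 ID=21862 DF PROTO=TCP SPT=50534 DPT=995 WINDOW=8192 "
                     "RES=0x00 SYN URGP=0")

ANY = "0.0.0.0/0"


def parse_chains(listing):
    """Parse `iptables -L -n` output into {chain: [rule, ...]}.

    Each rule dict has the five fixed columns plus `extra`, the free-form
    match text at the end of the line (ports, states, LOG options), and a
    1-based `num` that matches `iptables -L --line-numbers`.
    """
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"^Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        cols = line.split(None, 5)
        target, prot, _opt, src, dst = cols[:5]
        chains[current].append({
            "num": len(chains[current]) + 1,
            "target": target, "prot": prot, "src": src, "dst": dst,
            "extra": cols[5].strip() if len(cols) > 5 else "",
        })
    return chains


def is_catch_all_terminator(rule):
    """True for a REJECT/DROP that matches every packet: chain evaluation
    stops here, so no rule below it is ever consulted."""
    unconditional = rule["extra"] == "" or rule["extra"].startswith("reject-with")
    return (rule["target"] in ("REJECT", "DROP") and rule["prot"] == "all"
            and rule["src"] == ANY and rule["dst"] == ANY and unconditional)


def shadowed_rules(chains, chain="INPUT"):
    """Return (terminator rule number, [unreachable rules after it])."""
    for rule in chains.get(chain, []):
        if is_catch_all_terminator(rule):
            return rule["num"], [r for r in chains[chain] if r["num"] > rule["num"]]
    return None, []


def fix_commands(chains, chain="INPUT"):
    """Generate `iptables -I` commands that re-create each shadowed single-port
    ACCEPT rule directly above the catch-all REJECT/DROP, where it can match."""
    term, shadowed = shadowed_rules(chains, chain)
    cmds = []
    for r in shadowed:
        m = re.fullmatch(r"(tcp|udp) (dpt|spt):(\d+)", r["extra"])
        if r["target"] == "ACCEPT" and m:
            proto, direction, port = m.groups()
            flag = "--dport" if direction == "dpt" else "--sport"
            cmds.append(f"iptables -I {chain} {term} -p {proto} {flag} {port} -j ACCEPT")
    return cmds


def parse_denied_log(line):
    """Extract (protocol, destination port) from an 'iptables denied:' log line."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return fields["PROTO"].lower(), int(fields["DPT"])


def explain_denied(log_line, listing, chain="INPUT"):
    """Map a logged rejection to the ACCEPT rule that would have matched it
    but sits below the terminator. Returns None if no such rule exists."""
    proto, port = parse_denied_log(log_line)
    chains = parse_chains(listing)
    term, shadowed = shadowed_rules(chains, chain)
    for r in shadowed:
        if r["target"] == "ACCEPT" and r["extra"] == f"{proto} dpt:{port}":
            return {"proto": proto, "port": port,
                    "terminator_rule": term, "shadowed_rule": r["num"]}
    return None


if __name__ == "__main__":
    print(explain_denied(SAMPLE_DENIED_LOG, SAMPLE_LISTING))
    for cmd in fix_commands(parse_chains(SAMPLE_LISTING)):
        print(cmd)
```

Run it against `iptables -L INPUT -n --line-numbers` output from the affected host. Two caveats: `iptables -L -n` without `-v` hides interface matches (`-i lo`), so a REJECT or ACCEPT that is actually interface-bound looks unconditional here; check with `-v` before trusting a reported terminator. And the generated inserts only fix reachability; the duplicate 993/995 rules that ufw and manual edits left below the REJECT should then be deleted so the chain stays readable.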
Server Fault user

Posted 2014-11-30 10:16:46

What Paul Haldane said. Above: REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Votes: 0
Original content provided by Server Fault; translation supported by Tencent Cloud's IT-domain translation engine.
Original link: https://serverfault.com/questions/648037