Hi everyone, I have a problem with my iptables configuration. When I allow all packets, the mailer in Ruby works fine. When I deny all packets and set up rules, I run into problems when sending mail.
Output from syslog:
Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.576269] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40128 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:41 JJD-PRODUCTION-WEBSITE kernel: [ 1450.979805] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40129 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.574917] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40130 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:42 JJD-PRODUCTION-WEBSITE kernel: [ 1451.579830] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40131 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:43 JJD-PRODUCTION-WEBSITE kernel: [ 1452.779869] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40132 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
I have removed the source port, destination port and MAC address.
Here is also my iptables -L output.
root@JJD-PRODUCTION-WEBSITE:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
LOGGING all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp state NEW,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:submission state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssmtp state ESTABLISHED
Chain LOGGING (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
DROP all -- anywhere anywhere
root@JJD-PRODUCTION-WEBSITE:~#
Does anyone know why this isn't working?
I have made rules allowing 587 and 465 in and out.
Answer 1
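The dropped packets in the question's log are all SYN+ACK segments arriving from source port 587 (submission) at a high destination port, i.e. the remote mail server's handshake reply to a connection this host opened. The INPUT chain above has "spt:ssh" and "spt:https" ESTABLISHED rules but no matching "spt:submission" one, and the LOGGING chain (which ends in DROP) sits before the last ACCEPT, so those replies fall through to the log-and-drop chain. The following shell snippet is an added example, not code from the question or the answer: it classifies "IPTables Packet Dropped" kernel lines of the shape shown above and prints a stateful INPUT chain that accepts replies via conntrack instead of per-port "spt:" rules. The sample log lines, the IP addresses (documentation ranges), the second log line and the function names (field, classify_drop, count_reply_drops, stateful_input_rules) are all constructed for this example.

```shell
#!/bin/sh
# Added example: classify "IPTables Packet Dropped" kernel log lines and
# emit a stateful INPUT ruleset. Not part of the original question/answer.

# Constructed sample log. Line 1 mirrors the shape of the question's drops
# (SYN+ACK from source port 587 to an ephemeral port); line 2 is an invented
# unsolicited SYN to a port this host does not serve. Addresses are invented.
SAMPLE_LOG='Jun 21 20:00:41 host kernel: [ 1450.576269] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC=198.51.100.25 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=40128 PROTO=TCP SPT=587 DPT=37296 WINDOW=14180 RES=0x00 ACK SYN URGP=0
Jun 21 20:00:45 host kernel: [ 1454.100000] IPTables Packet Dropped: IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# field LINE KEY -> value of "KEY=value" in a LOG line (empty if absent).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify_drop LINE -> reply-to-outbound | unsolicited-inbound | other
# The LOG target prints TCP flags in the order "... ACK PSH RST SYN FIN",
# so a SYN+ACK appears as "ACK SYN". A SYN+ACK from a privileged source
# port to an ephemeral destination port is the remote server answering a
# connection this host opened; dropping it means INPUT lacks a reply rule.
classify_drop() {
    line=$1
    proto=$(field "$line" PROTO)
    spt=$(field "$line" SPT)
    dpt=$(field "$line" DPT)
    [ "$proto" = TCP ] || { echo other; return 0; }
    case " $line " in
        *" ACK SYN "*)
            if [ "$spt" -lt 1024 ] && [ "$dpt" -ge 1024 ]; then
                echo reply-to-outbound
            else
                echo other
            fi ;;
        *" SYN "*)
            echo unsolicited-inbound ;;
        *)
            echo other ;;
    esac
}

# count_reply_drops -> number of sample lines that are dropped handshake
# replies to outbound connections (the symptom in the question).
count_reply_drops() {
    printf '%s\n' "$SAMPLE_LOG" \
        | while IFS= read -r l; do classify_drop "$l"; done \
        | grep -c '^reply-to-outbound$'
}

# stateful_input_rules -> iptables-restore fragment. One conntrack rule at
# the top accepts every reply to a connection this host opened (587, 465,
# DNS, ...), so no per-port "spt:" rules are needed and the LOGGING chain
# can safely be the last rule. Service ports are those in the question's
# rule set; the LOG prefix and level match the question's log lines.
stateful_input_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "IPTables Packet Dropped: " --log-level debug
-A LOGGING -j DROP
COMMIT
EOF
}

# Stand-alone run: classify each sample line.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
    printf '%s  %s->%s\n' "$(classify_drop "$l")" "$(field "$l" SPT)" "$(field "$l" DPT)"
done
```

Run the classifier over the real log with `grep 'IPTables Packet Dropped' /var/log/syslog | while IFS= read -r l; do classify_drop "$l"; done | sort | uniq -c` to see how many drops are replies versus unsolicited connection attempts; only the former indicate a gap in the ruleset. The generated fragment deliberately opens no inbound 587/465: a web host that merely sends mail is a client, and the conntrack rule alone covers its replies; add dport rules for those ports only if the host actually runs a submission service.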
Your rules look a bit confusing: you have a bunch of "ACCEPT anywhere" rules near the end, which doesn't make sense. With this exact iptables -L you are allowing all packets in and out, so I doubt your problem is firewall-related. Please give us the output of iptables -nvL while email delivery is broken (-n makes it easier for network people to read; we admins like port numbers).