Opened some ports with iptables, but they are not open

I'm running a Debian 7 server on a Linode VPS and recently installed/configured a mail server with Postfix and Dovecot. The last step was to open ports 993, 995, 465 and 587. I did this by adding rules to iptables that allow these ports.

But when I test with telnet and nmap whether they are open, ports 465 and 587 are not open. I also noticed from the nmap scan that the https port 443 is not open either, although according to my rules it should be.

I also have an Ubuntu server on Linode with the same mail setup and the same firewall rules, and it works fine (except for the https port).

What's going on? I don't understand why this is happening.

Here are my iptables rules:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows SMTP access
#-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# Allows pop and pops connections
#-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# Allows imap and imaps connections
#-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Here is the output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Here is my nmap port scan:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-04 21:09 EST
Nmap scan report for ******.com (***.**.***.**)
Host is up (0.11s latency).
Not shown: 93 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp open   imaps
995/tcp open   pop3s

Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds

Any help would be greatly appreciated. Thanks!

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      
tcp        0      0 *:imaps                 *:*                     LISTEN      root       5002       
tcp        0      0 *:pop3s                 *:*                     LISTEN      root       4983       
tcp        0      0 localhost:mysql         *:*                     LISTEN      mysql      4947       
tcp        0      0 *:ssh                   *:*                     LISTEN      root       3648       
tcp        0      0 *:smtp                  *:*                     LISTEN      root       5531       
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      root       5003       
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      root       4984       
tcp6       0      0 [::]:http               [::]:*                  LISTEN      root       7548       
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       3650       
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      root       5533

Answer 1

Are you sure your application is actually listening on these ports (or even running)? If no program is listening on a port, the port will not show as open in an nmap scan or in telnet. I'd guess you haven't started the mail server yet, or it isn't configured to listen on these ports. You can use netstat to see which services on the system are listening on which ports.

Answer 2

Your netstat output shows that you have no SMTP server listening on ports 465 and 587. Reconfigure the SMTP server and try again.

The same applies to your web server and port 443.
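Both answers point at the same diagnostic: compare what the firewall lets through with what actually has a listener. The script below is an added example, not code from the question or either answer. It runs on constructed netstat -tln and nmap output that mirrors the question's situation (on a real host you would pipe in the output of netstat -tln or ss -tln and your own nmap report instead); the function names listening_ports, missing_listeners and diagnose are assumptions of this example. It also uses the distinction the nmap report already encodes: a port shown as "closed" answered with a TCP RST, so iptables passed the probe and the fault is a missing listener, whereas "filtered" means no reply at all, which is what a DROP rule produces.

```shell
#!/bin/sh
# Added example: reconcile firewall expectations with actual listeners.

# Constructed sample of `netstat -tln`-style output (numeric ports), shaped
# like the question: imaps/pop3s/ssh/smtp/http listen, 465/587/443 do not.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::993                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Constructed excerpt of an nmap report in the shape of the question's scan.
SAMPLE_NMAP='22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp open   imaps
995/tcp open   pop3s'

# listening_ports: read netstat -tln output on stdin and print, one per line,
# the TCP ports bound to a non-loopback address. A service bound only to
# 127.0.0.1 or ::1 (like mysql in the question) is unreachable from outside,
# so it is deliberately excluded.
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            print port
        }' | sort -un
}

# missing_listeners PORT...: read netstat output on stdin and print the
# expected ports (the ones iptables was configured to allow) that have no
# externally reachable listener.
missing_listeners() {
    have=$(listening_ports)
    for p in "$@"; do
        echo "$have" | grep -qx "$p" || echo "$p"
    done
}

# diagnose: read nmap "PORT STATE SERVICE" lines on stdin and say what each
# state implies about firewall versus service.
#   open     -> firewall passes it and a service answered the handshake
#   closed   -> the probe reached the host and got a TCP RST: the firewall
#               passed it, but nothing is listening (not an iptables problem)
#   filtered -> no reply at all: dropped by iptables (or somewhere upstream)
diagnose() {
    while read -r portproto state _; do
        port=${portproto%%/*}
        case $state in
            open)     echo "$port: reachable, service listening" ;;
            closed)   echo "$port: firewall passes it, but no listener (check the service config)" ;;
            filtered) echo "$port: dropped by the firewall, check iptables" ;;
        esac
    done
}

# Usage with the constructed samples and the ports the question's rules allow.
echo "Allowed ports with no listener:"
printf '%s\n' "$SAMPLE_NETSTAT" | missing_listeners 22 80 443 465 587 993 995
echo "nmap states explained:"
printf '%s\n' "$SAMPLE_NMAP" | diagnose
```

With the sample data, missing_listeners reports 443, 465 and 587, and diagnose labels exactly those three "closed" ports as a listener problem rather than a firewall problem, which is the conclusion both answers reach.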
