端口 993 和 995 未打开,尽管已在 iptables 中打开

端口 993 和 995 未打开,尽管已在 iptables 中打开

你好,我遇到了电子邮件客户端 imaps 和 pops 访问邮件服务器 (postfix/dovecot) 的问题

从服务器 shell(ubuntu 12.04、postfix、dovecot、spamassassin、amavis)telnet 到端口 587、25、110 465 有效,但 995 和 993 超时

当我尝试将 Outlook 电子邮件客户端配置为 995 并尝试发送测试电子邮件时,我在系统日志中收到以下内容:

Nov 30 08:17:41 kernel: iptables denied: IN=eth0 OUT= MAC=[MAC] SRC=[MYIP] DST=212.71.232.217 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=21862 DF PROTO=TCP SPT=50534 DPT=995 WINDOW=8192 RES=0x00 SYN URGP=0

(用占位符替换 MAC 和 src ip)

Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-ssh-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 982
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 982
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8069
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:8080:8090
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:60000:61000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:982
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:993

Chain FORWARD (policy DROP)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ufw-skip-to-policy-input  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:1900
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 3/min burst 10
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:587

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

Netstat -ntlp 显示:

 netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:8069            0.0.0.0:*               LISTEN      5961/python
tcp        0      0 127.0.0.1:10023         0.0.0.0:*               LISTEN      2991/postgrey.pid -
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      2932/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      4667/smtpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2714/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      4647/smtpd
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      6304/redis-server
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      5885/memcached
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      29580/dovecot
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      29522/spamd.pid
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2310/apache2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5923/nginx
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      25761/master
tcp        0      0 0.0.0.0:982             0.0.0.0:*               LISTEN      2554/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2951/postgres
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      25761/master
tcp        0      0 127.0.0.1:45019         0.0.0.0:*               LISTEN      29461/current
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      5951/opendkim
tcp6       0      0 :::587                  :::*                    LISTEN      4647/smtpd
tcp6       0      0 :::465                  :::*                    LISTEN      25761/master
tcp6       0      0 :::21                   :::*                    LISTEN      6483/proftpd: (acce
tcp6       0      0 :::982                  :::*                    LISTEN      2554/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      25761/master
tcp6       0      0 :::443                  :::*                    LISTEN      2310/apache2

我不知道是什么阻碍了它——在我看来,iptables 显示相应的端口/服务是开放的......

我该如何调试/找出错误?我刚刚看到,自从安装了 ufw 以来,993 和 995 有多个条目 - 希望这不是问题……?

我不是专业人士,但仍在学习,所以请原谅任何明显的错误。

提前致谢!

答案1

防火墙规则的排序很重要。您需要将规则移至接受 993 和 995 上的流量,而不是日志和拒绝规则。

答案2

Paul Haldane 说过。以上:拒绝所有 -- 0.0.0.0/0 0.0.0.0/0 拒绝 icmp-port-unreachable

相关内容