我在 kimsufi VPS 上运行了一个 postfix 服务器,我在上面安装了 roundcube,一切正常。问题是,当我尝试从另一台服务器连接时,出现了超时:
telnet whys.fr 25
Trying 5.196.66.189...
telnet: Unable to connect to remote host: Connection timed out
这是我的 netstat 输出:
netstat -ntpul | grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 17643/master
tcp6 0 0 :::25 :::* LISTEN 17643/master
当前的 iptables 规则:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
从本地主机进行的 telnet 运行良好:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 whys.fr ESMTP Postfix (Debian/GNU)
ehlo whys.fr
250-whys.fr
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
该服务器托管在 OVH 的数据中心,并且端口 25 未被阻止:
nmap -p 25 whys.fr
Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-20 15:16 CET
Nmap scan report for whys.fr (5.196.66.189)
Host is up (0.019s latency).
rDNS record for 5.196.66.189: ns330237.ip-5-196-66.eu
PORT STATE SERVICE
25/tcp filtered smtp
Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds
我还检查了垃圾邮件列表,看看我的 IP 是否在其中,但事实并非如此。
我怎样才能接受来自外部的 telnet 25?我现在不知道,已经在 SF 上看到了关于它的所有问题,互联网上其他地方也有很多这样的问题。
答案1
根据 nmap 文档:
filtered
Nmap cannot determine whether the port is open because packet filtering prevents
its probes from reaching the port. The filtering could be from a dedicated
firewall device, router rules, or host-based firewall software. These ports
frustrate attackers because they provide so little information. Sometimes they
respond with ICMP error messages such as type 3 code 13 (destination unreachable:
communication administratively prohibited), but filters that simply drop probes
without responding are far more common. This forces Nmap to retry several times
just in case the probe was dropped due to network congestion rather than
filtering. This slows down the scan dramatically.
因此,看起来您的端口只是被某处的防火墙阻止了。也许是您当地的 ISP?因为当我尝试连接到它时,我得到了一个连接:
$ telnet whys.fr 25
Trying 5.196.66.189...
Connected to whys.fr.
Escape character is '^]'.
220 whys.fr ESMTP Postfix (Debian/GNU)
遗憾的是,ISP 通常会阻止与其自身网络之外的端口 25 的直接连接,以防止客户端机器上的机器人直接发送垃圾邮件。
答案2
在继续进行之前,我要做的第一件事是使用类似以下工具对端口 25 进行端到端测试网猫。
该工具是大多数 Linux 发行版的标准配置。例如,在 CentOS 上,我将停止 postfix 以释放端口 25。然后我将像这样启动 netcat:
# nc -l 25
然后在远程客户端上我将像这样启动它:
# nc {ip of remote server} 25
然后,您在任一端输入的任何内容都应该反映/显示在屏幕上。如果没有,则说明您的端口在传输过程中被阻止了。