My port 21 (ftp) is inexplicably blocked.
Key points
- Disabling ufw changes nothing; the port stays blocked
- The problem affects any new port, not just 21
- I have tried uninstalling/reinstalling ufw and resetting iptables
telnet from localhost
telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD Server (ProFTPD Default Installation) [::ffff:127.0.0.1]
telnet from a remote host
telnet: Unable to connect to remote host: Connection timed out
proftpd configuration (unedited)
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
#DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
lsof
sudo lsof -i :21
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
proftpd 20611 nobody 0u IPv6 15922523 0t0 TCP *:ftp (LISTEN)
ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
21 ALLOW Anywhere
80 ALLOW Anywhere
25 ALLOW Anywhere
143 ALLOW Anywhere
993 ALLOW Anywhere
443 ALLOW Anywhere
110 ALLOW Anywhere
995 ALLOW Anywhere
nmap (from a remote host)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
iptables listing
Chain INPUT (policy DROP 11888 packets, 618090 bytes)
pkts bytes target prot opt in out source destination
471121 37446294 f2b-wordpress-admin tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
118 4839 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
16520344 3080320177 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
16520344 3080320177 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
307430 16096817 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
268530 14088467 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
268530 14088467 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
268530 14088467 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- -d * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED helper match "ftp"
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.8.0.0/24 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
16344512 4396207242 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
16344512 4396207242 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
242395 16206787 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
242395 16206787 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
242395 16206787 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
242395 16206787 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
1337 564957 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2531 126728 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
24 2100 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
24 2100 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
184 6296 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
11880 617882 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
11867 617206 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
1337 564957 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1495 6600805 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7 503 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
11 560 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
30 1544 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
7 503 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain f2b-wordpress-admin (1 references)
pkts bytes target prot opt in out source destination
470930 37411229 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
41 2104 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
11880 617882 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
24 1432 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
25 1300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21
10 464 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:143
12 712 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:25
12 644 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:110
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:995
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Edit:
tcpdump
tcpdump -ni any port 21
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
23:52:14.486431 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:52:15.487331 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:52:17.486879 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:52:21.486947 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:52:29.488538 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
[ ... ]
15 packets captured
15 packets received by filter
0 packets dropped by kernel
Answer 1
The lsof output shows that you are listening only on IPv6, not on IPv4, on port 21.
See http://proftpd.org/docs/howto/IPv6.html for details on reconfiguring it.
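Two checks a practitioner would want to run before reconfiguring ProFTPD, added here as an example and not part of the question or the answer. First, whether a listener that lsof reports as IPv6 with a `*:` wildcard is IPv6-only or dual-stack depends on the sysctl net.ipv6.bindv6only: with the default 0, IPv4 clients are accepted on the same socket as IPv4-mapped addresses (the local telnet above was greeted as `[::ffff:127.0.0.1]`, which is exactly such a mapped address). Second, a tcpdump capture that shows client SYNs arriving with no SYN-ACK leaving separates "blocked upstream" from "dropped on this host" (INPUT chain, or no listener on the address family the SYN arrived on). The script below implements both as shell functions; classify_lsof, syn_summary, the hypothetical --live flag and the sample inputs are all constructed for this example, with the lsof line and tcpdump lines taken from the page as data.

```shell
#!/usr/bin/env bash
# Added diagnostic helpers for a "port open locally, times out remotely" case.
# Not from the original post: the functions and the sample inputs below are
# constructed here, reusing the lsof and tcpdump lines shown on the page.

# Classify one `lsof -i` LISTEN line (fields: COMMAND PID USER FD TYPE DEVICE
# SIZE/OFF NODE NAME STATE) as ipv4, ipv6-only or dual-stack.
#   $1  the lsof line
#   $2  net.ipv6.bindv6only: 0 means an IPv6 wildcard socket ("*:port") also
#       accepts IPv4 clients as ::ffff:a.b.c.d, 1 means it is IPv6-only
classify_lsof() {
    local line="$1" v6only="${2:-0}" type name
    type=$(printf '%s\n' "$line" | awk '{ print $5 }')
    name=$(printf '%s\n' "$line" | awk '{ print $9 }')
    case "$type" in
        IPv4) echo ipv4 ;;
        IPv6)
            case "$name" in
                '*:'*)
                    if [ "$v6only" = 1 ]; then echo ipv6-only; else echo dual-stack; fi ;;
                *) echo ipv6-only ;;   # bound to one specific IPv6 address
            esac ;;
        *) echo unknown ;;
    esac
}

# Summarise a `tcpdump -n ... port N` capture read on stdin: how many client
# SYNs ([S]) reached the host and how many SYN-ACKs ([S.]) the host sent back.
#   no SYN at all        -> traffic never reaches the host (filtered upstream)
#   SYNs but no SYN-ACK  -> dropped on the host: INPUT chain, or no listener on
#                           the address family the SYN arrived on
#   SYN-ACKs present     -> the host answers; look at the return path or client
syn_summary() {
    awk '
        / Flags \[S\], /   { syn++ }
        / Flags \[S\.\], / { synack++ }
        END {
            if (syn == 0)          verdict = "no-syn-arrives"
            else if (synack == 0)  verdict = "syn-unanswered"
            else                   verdict = "handshake-answered"
            printf "syn=%d synack=%d verdict=%s\n", syn, synack, verdict
        }'
}

# Constructed samples: the lsof line and five tcpdump lines from the page
# (TCP options trimmed; only the Flags field matters to syn_summary).
SAMPLE_LSOF='proftpd 20611 nobody 0u IPv6 15922523 0t0 TCP *:ftp (LISTEN)'
SAMPLE_TCPDUMP='23:52:14.486431 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, length 0
23:52:15.487331 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, length 0
23:52:17.486879 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, length 0
23:52:21.486947 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, length 0
23:52:29.488538 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, length 0'

# Live mode (hypothetical flag, needs root): ./ftp-diag.sh --live [port]
# Classifies every listener on the port, then captures 20 packets while a
# remote client retries its connection and summarises the handshake.
if [ "${1:-}" = "--live" ]; then
    port="${2:-21}"
    v6only=$(sysctl -n net.ipv6.bindv6only 2>/dev/null || echo 0)
    echo "net.ipv6.bindv6only=$v6only"
    lsof -nP -iTCP:"$port" -sTCP:LISTEN 2>/dev/null | grep LISTEN |
    while IFS= read -r l; do
        printf '%s -> %s\n' "$l" "$(classify_lsof "$l" "$v6only")"
    done
    tcpdump -lni any -c 20 "tcp port $port" 2>/dev/null | syn_summary
fi
```

Run stand-alone the script only defines the functions and samples; with `--live 21` it reads the real sysctl, lsof and tcpdump output on the host. On the page's own data, `classify_lsof "$SAMPLE_LSOF" 0` reports dual-stack and the capture reports five SYNs with no SYN-ACK, which is the "dropped on this host" branch rather than an upstream block.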