Windows and Ubuntu are on the same VLAN, but only Windows can telnet to smtp.gmail.com 587

I'm having trouble communicating with smtp.gmail.com on port 587 from Ubuntu, but the network and firewall team (I think it's FortiGuard) says it is not a network- or firewall-related problem.

I have 2 virtual servers on the same VLAN (separate VMware ESXi machines): one is Windows Server 2016 and the other is Ubuntu Server 22.04.

ufw is disabled on Ubuntu (sudo ufw status replies Status: inactive).

Only the Windows server is able to connect to smtp.gmail.com on port 587.

Is there any way to find out what is blocking port 587 on Ubuntu? Also, does a default Ubuntu Server 22.04 install have any firewall or blocking application other than ufw?

Testing on Ubuntu

telnet smtp.gmail.com 587

Trying 142.251.0.108...
Trying 2800:3f0:4003:c08::6c...
telnet: Unable to connect to remote host: Network is unreachable

telnet -4 smtp.gmail.com 587

Trying 142.251.0.108...
telnet: Unable to connect to remote host: Connection timed out

sudo nmap smtp.gmail.com

Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-12 18:09 -03
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.30 seconds

sudo nmap -Pn smtp.gmail.com

Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-12 18:10 -03
Nmap scan report for smtp.gmail.com (142.251.0.109)
Host is up (0.0027s latency).
Other addresses for smtp.gmail.com (not scanned): 2800:3f0:4003:c08::6d
rDNS record for 142.251.0.109: cj-in-f109.1e100.net
Not shown: 997 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
113/tcp  closed ident
8010/tcp open   xmpp

sudo nmap -p 587 -Pn --traceroute smtp.gmail.com

Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-12 13:50 -03
Nmap scan report for smtp.gmail.com (142.251.0.108)
Host is up.
Other addresses for smtp.gmail.com (not scanned): 2800:3f0:4003:c08::6d
rDNS record for 142.251.0.108: cj-in-f108.1e100.net

PORT    STATE    SERVICE
587/tcp filtered submission

TRACEROUTE (using proto 1/icmp)
HOP RTT    ADDRESS
1   ... 30

Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds

netstat -an

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN
tcp        0      0 10.2.40.38:43550        91.189.91.38:80         ESTABLISHED
tcp        0      0 10.2.40.38:56474        185.125.190.75:443      TIME_WAIT
tcp        0      0 10.2.40.38:41044        10.2.40.88:445          ESTABLISHED
tcp        1      0 10.2.40.38:55294        185.125.190.52:443      CLOSE_WAIT
tcp        0      0 127.0.0.1:9000          127.0.0.1:47832         TIME_WAIT
tcp        0      0 10.2.40.38:41222        54.217.10.153:443       TIME_WAIT
tcp        0      0 10.2.40.38:22           10.2.40.66:27284        ESTABLISHED
tcp6       0      0 :::3306                 :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 10.2.40.38:443          10.2.40.67:55043        ESTABLISHED
tcp6       0      0 10.2.40.38:443          10.2.40.67:55046        ESTABLISHED
tcp6       0      0 10.2.40.38:443          10.2.40.67:55044        ESTABLISHED
tcp6       0      0 10.2.40.38:443          10.2.40.67:55042        ESTABLISHED
tcp6       0      0 10.2.40.38:443          10.2.40.67:55047        ESTABLISHED
tcp6       0      0 10.2.40.38:443          10.2.40.67:55045        ESTABLISHED
udp        0      0 127.0.0.53:53           0.0.0.0:*
raw6       0      0 :::58                   :::*                    7

cat /etc/netplan/00-installer-config.yaml

# This is the network config written by 'subiquity'
network:
  version: 2
  ethernets:
    ens160:
      addresses:
      - 10.2.40.38/27
      routes:
      - to: default
        via: 10.2.40.33
      nameservers:
        addresses:
        - 10.2.40.62
        - 10.2.40.36
        search:
        - company.local

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:29:46:0c:7f:a4 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 10.2.40.38/27 brd 10.2.40.63 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::29ff:fe46:20c:7fa4/64 scope link
       valid_lft forever preferred_lft forever

(Edit) I also tested every firewall state I could think of:

sudo ufw status

Status: inactive

sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

sudo nft list ruleset

table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}

sudo firewall-cmd --version

sudo: firewall-cmd: command not found

Testing on Windows

telnet smtp.gmail.com 587

220 smtp.gmail.com ESMTP n11-20020a0568080a0b00b003a1f444307esm2174022oij.58 - gsmtp

nmap smtp.gmail.com (using the Nmap Zenmap GUI):

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-12 18:15
Nmap scan report for smtp.gmail.com (142.251.0.109)
Host is up (0.029s latency).
rDNS record for 142.251.0.109: cj-in-f109.1e100.net
Not shown: 991 filtered tcp ports (no-response)
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
113/tcp  closed ident
465/tcp  open   smtps
587/tcp  open   submission
993/tcp  open   imaps
995/tcp  open   pop3s
8008/tcp open   http
8010/tcp open   xmpp

Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds

nmap -p 587 -Pn --traceroute smtp.gmail.com (using the Nmap Zenmap GUI):

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-12 13:57
Nmap scan report for smtp.gmail.com (142.251.0.108)
Host is up (0.058s latency).
rDNS record for 142.251.0.108: cj-in-f108.1e100.net

PORT    STATE SERVICE
587/tcp open  submission

TRACEROUTE (using port 587/tcp)
HOP RTT      ADDRESS
1   1.00 ms  10.2.40.61
2   3.00 ms  10.2.40.6
3   13.00 ms 186.238.173.105
4   15.00 ms 186.201.241.153
5   14.00 ms 192.168.5.2
6   14.00 ms 192.168.5.2
7   14.00 ms 192.168.40.2
8   13.00 ms 192.168.40.2
9   14.00 ms 192.168.40.4
10  15.00 ms 187-51-216-237.customer.tdatabrasil.net.br (187.51.216.237)
11  ... 13
14  22.00 ms 108.170.245.141
15  21.00 ms 108.170.245.173
16  51.00 ms 209.85.251.92
17  50.00 ms 209.85.251.92
18  91.00 ms 172.253.64.37
19  70.00 ms 172.253.51.250
20  ... 26
27  15.00 ms cj-in-f108.1e100.net (142.251.0.108)

Nmap done: 1 IP address (1 host up) scanned in 3.51 seconds

ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WP-SERVER
   Primary Dns Suffix  . . . . . . . : company.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : company.local

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-00-85-70
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e044:c9c3:a574:7f39%2(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.2.40.52(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 10.2.40.33
   DHCPv6 IAID . . . . . . . . . . . : 520228888
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-1C-CC-CF-00-1F-29-00-85-C9
   DNS Servers . . . . . . . . . . . : 10.2.40.62
                                       10.2.40.36
   NetBIOS over Tcpip. . . . . . . . : Enabled

Answer 1

So... it was the firewall. It turns out the firewall team had "forgotten" that:

  1. the server has a rule that only allows a few ports (like 80, 443, 21), and port 587 is not among them;
  2. the Windows server is not in that firewall group, so port 587 was not blocked for it. They opened port 587 on the server group on the firewall and everything works!
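The triage the question walks through (is anything on the host itself filtering? is the drop silent or an active reject?) and the answer's finding (an upstream egress allow-list that covered the Ubuntu server but not the Windows one), as one added shell script that is not part of the original question or answer. It assumes bash (for the /dev/tcp connect), coreutils `timeout`, and sudo rights for the read-only firewall listings; the destination and port list in the usage comment are the ones from the thread, and the verdict names (open/filtered/refused/unreachable) are this script's own labels, chosen to line up with nmap's vocabulary. The signal to read from the original output is that the IPv4 telnet timed out (a silent drop), nmap reported 587 as "filtered" with an ICMP traceroute that got no replies at all, and the host's own ufw, iptables and nft rulesets were empty with policy accept, which together point upstream. The "Network is unreachable" on the first telnet is a separate red herring: it is the IPv6 attempt, and ens160 has only a link-local IPv6 address and no IPv6 default route, which is why `telnet -4` was the right follow-up.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: triage an outbound TCP block on
# a Linux host. Everything here is read-only (firewall listings and connect
# attempts). Assumes bash for /dev/tcp and coreutils `timeout`.

# Show the state of each host-local packet filter an Ubuntu 22.04 server
# might carry. ufw is installed but inactive by default; iptables there is
# the nft-backed build, so `nft list ruleset` shows the same chains; firewalld
# is absent unless someone installed it. An empty OUTPUT chain with policy
# accept (as in the post) means the host itself is not dropping anything.
show_if_present() {
    label=$1; shift
    echo "== $label"
    if command -v "$1" >/dev/null 2>&1; then
        sudo "$@"
    else
        echo "$1 not installed"
    fi
}

local_firewall_report() {
    show_if_present ufw       ufw status verbose
    show_if_present iptables  iptables -S
    show_if_present nftables  nft list ruleset
    show_if_present firewalld firewall-cmd --state
}

# Turn one connect attempt (exit code + stderr text) into a verdict:
#   open        handshake completed
#   refused     RST came back; the path is open and something actively
#               rejects (a host firewall with a reject rule, or no listener)
#   filtered    nothing came back before the timeout: a silent drop, the
#               signature of a stateful firewall in the path (the "Connection
#               timed out" / nmap "filtered" seen from Ubuntu in the post)
#   unreachable no route at all (the IPv6 attempt in the post: only a
#               link-local address and no IPv6 default route)
classify_probe() {
    rc=$1; msg=$2
    if [ "$rc" -eq 0 ]; then
        echo open
    elif [ "$rc" -eq 124 ]; then        # timeout(1) exit status
        echo filtered
    else
        case "$msg" in
            *refused*)                   echo refused ;;
            *unreachable*|*"No route"*)  echo unreachable ;;
            *)                           echo error ;;
        esac
    fi
}

# One bounded TCP connect to host:port using bash's /dev/tcp, no telnet or
# nmap needed. Stderr is captured so the error text can be classified.
probe_tcp() {
    host=$1; port=$2; wait=${3:-5}
    msg=$(timeout "$wait" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1 >/dev/null)
    classify_probe $? "$msg"
}

# Probe several ports on one destination and print a verdict per port.
# open on 21/80/443 and filtered everywhere else is an egress allow-list
# upstream, not a host problem; refused would point back at the host or
# the destination.
egress_matrix() {
    host=$1; shift
    for port in "$@"; do
        printf '%s:%s %s\n' "$host" "$port" "$(probe_tcp "$host" "$port" 5)"
    done
}

# Usage on the affected server (network-dependent, so not run here):
#   local_firewall_report
#   egress_matrix smtp.gmail.com 25 465 587 80 443 21
```

Run `local_firewall_report` first; if every chain is empty with policy accept, stop looking at the host. Then run `egress_matrix smtp.gmail.com 25 465 587 80 443 21`: if only 21, 80 and 443 come back open and the rest are filtered rather than refused, that is a stateful egress allow-list in the path, which is exactly what the firewall team eventually found. The same matrix from a host outside the affected firewall group (here, the Windows server's subnet neighbour that could connect) is the quickest way to show them that two policies are in play.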
