在 Ubuntu 12.04 上安装logwatch(安装postfix)之前,端口 25 被iptables/阻止csf
PORT STATE SERVICE
25/tcp filtered smtp
安装 logwatch(安装 postfix)后,现在打开 25 端口
PORT STATE SERVICE
25/tcp open smtp
使用重新启动 CSF,csf -r但端口保持打开状态。TCP_ON除了, TCP_OUT, UDP_IN,中定义的端口之外,不是所有端口都默认被阻止UDP_OUT吗?为什么 25 端口仍然开放?
csf.conf
TCP_IN = "22,27017,27018,27019"
TCP_OUT = "53,27017,27018,27019"
UDP_IN = ""
UDP_OUT = "53,123"
sudo netstat -tnlp | grep:25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 7641/master
tcp6 0 0 :::25 :::* LISTEN 7641/master
iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- !lo * 209.244.0.3 0.0.0.0/0 tcp dpt:53
2 0 0 ACCEPT udp -- !lo * 209.244.0.3 0.0.0.0/0 udp dpt:53
3 0 0 ACCEPT tcp -- !lo * 209.244.0.3 0.0.0.0/0 tcp spt:53
4 0 0 ACCEPT udp -- !lo * 209.244.0.3 0.0.0.0/0 udp spt:53
5 0 0 ACCEPT tcp -- !lo * 8.8.8.8 0.0.0.0/0 tcp dpt:53
6 0 0 ACCEPT udp -- !lo * 8.8.8.8 0.0.0.0/0 udp dpt:53
7 0 0 ACCEPT tcp -- !lo * 8.8.8.8 0.0.0.0/0 tcp spt:53
8 0 0 ACCEPT udp -- !lo * 8.8.8.8 0.0.0.0/0 udp spt:53
9 0 0 ACCEPT tcp -- !lo * 8.8.4.4 0.0.0.0/0 tcp dpt:53
10 0 0 ACCEPT udp -- !lo * 8.8.4.4 0.0.0.0/0 udp dpt:53
11 0 0 ACCEPT tcp -- !lo * 8.8.4.4 0.0.0.0/0 tcp spt:53
12 52 6331 ACCEPT udp -- !lo * 8.8.4.4 0.0.0.0/0 udp spt:53
13 10491 986K LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0
14 51 3795 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
15 10278 968K INVALID tcp -- !lo * 0.0.0.0/0 0.0.0.0/0
16 10226 965K ACCEPT all -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
17 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
18 44 2640 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:27017
19 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:27018
20 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:27019
21 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
22 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
23 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 11
24 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 3
25 8 452 LOGDROPIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 209.244.0.3 tcp dpt:53
2 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 209.244.0.3 udp dpt:53
3 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 209.244.0.3 tcp spt:53
4 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 209.244.0.3 udp spt:53
5 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 8.8.8.8 tcp dpt:53
6 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 8.8.8.8 udp dpt:53
7 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 8.8.8.8 tcp spt:53
8 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 8.8.8.8 udp spt:53
9 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 8.8.4.4 tcp dpt:53
10 52 3614 ACCEPT udp -- * !lo 0.0.0.0/0 8.8.4.4 udp dpt:53
11 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 8.8.4.4 tcp spt:53
12 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 8.8.4.4 udp spt:53
13 7286 1342K LOCALOUTPUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
14 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
15 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 udp dpt:53
16 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 tcp spt:53
17 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 udp spt:53
18 51 3795 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
19 7127 1288K INVALID tcp -- * !lo 0.0.0.0/0 0.0.0.0/0
20 7127 1288K ACCEPT all -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
21 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
22 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
23 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:27017
24 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:27018
25 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:27019
26 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
27 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123
28 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 0
29 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 8
30 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 11
31 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 3
32 0 0 LOGDROPOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
Chain ALLOWIN (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- !lo * 162.158.0.0/15 0.0.0.0/0
2 0 0 ACCEPT all -- !lo * 198.41.128.0/17 0.0.0.0/0
3 0 0 ACCEPT all -- !lo * 197.234.240.0/22 0.0.0.0/0
4 0 0 ACCEPT all -- !lo * 188.114.96.0/20 0.0.0.0/0
5 0 0 ACCEPT all -- !lo * 190.93.240.0/20 0.0.0.0/0
6 0 0 ACCEPT all -- !lo * 108.162.192.0/18 0.0.0.0/0
7 0 0 ACCEPT all -- !lo * 141.101.64.0/18 0.0.0.0/0
8 0 0 ACCEPT all -- !lo * 103.31.4.0/22 0.0.0.0/0
9 0 0 ACCEPT all -- !lo * 103.22.200.0/22 0.0.0.0/0
10 0 0 ACCEPT all -- !lo * 103.21.244.0/22 0.0.0.0/0
11 0 0 ACCEPT all -- !lo * 173.245.48.0/20 0.0.0.0/0
12 0 0 ACCEPT all -- !lo * 199.27.128.0/21 0.0.0.0/0
13 213 17445 ACCEPT all -- !lo * 59.189.154.164 0.0.0.0/0
Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 162.158.0.0/15
2 0 0 ACCEPT all -- * !lo 0.0.0.0/0 198.41.128.0/17
3 0 0 ACCEPT all -- * !lo 0.0.0.0/0 197.234.240.0/22
4 0 0 ACCEPT all -- * !lo 0.0.0.0/0 188.114.96.0/20
5 0 0 ACCEPT all -- * !lo 0.0.0.0/0 190.93.240.0/20
6 0 0 ACCEPT all -- * !lo 0.0.0.0/0 108.162.192.0/18
7 0 0 ACCEPT all -- * !lo 0.0.0.0/0 141.101.64.0/18
8 0 0 ACCEPT all -- * !lo 0.0.0.0/0 103.31.4.0/22
9 0 0 ACCEPT all -- * !lo 0.0.0.0/0 103.22.200.0/22
10 0 0 ACCEPT all -- * !lo 0.0.0.0/0 103.21.244.0/22
11 0 0 ACCEPT all -- * !lo 0.0.0.0/0 173.245.48.0/20
12 0 0 ACCEPT all -- * !lo 0.0.0.0/0 199.27.128.0/21
13 159 53077 ACCEPT all -- * !lo 0.0.0.0/0 59.189.154.164
Chain DENYIN (1 references)
num pkts bytes target prot opt in out source destination
Chain DENYOUT (1 references)
num pkts bytes target prot opt in out source destination
Chain INVALID (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 INVDROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x00
3 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x3F
4 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x03/0x03
5 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x06
6 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x05/0x05
7 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x11/0x01
8 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x18/0x08
9 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x30/0x20
10 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags:! 0x17/0x02 ctstate NEW
Chain INVDROP (10 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOCALINPUT (1 references)
num pkts bytes target prot opt in out source destination
1 10491 986K ALLOWIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
2 10278 968K DENYIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
Chain LOCALOUTPUT (1 references)
num pkts bytes target prot opt in out source destination
1 7286 1342K ALLOWOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
2 7127 1288K DENYOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPIN (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
2 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
3 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
4 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
5 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
6 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
7 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
8 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:113
9 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
10 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
11 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
12 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
13 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
14 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
15 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
16 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:513
17 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
18 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
19 8 452 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
20 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
21 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
22 8 452 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPOUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
2 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
3 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
恭喜,在缓慢而耐心的提问的影响下,您已经解决了自己的问题。ALLOWIN 链中的规则 13 允许来自测试客户端的 IP 地址的所有流量( TCP 重置)打开(您可以到达端口,并且有人准备与您交谈)。
59.189.154.164nmap这是一个相当复杂的规则集,许多规则的数据包计数为零,因此对您无济于事。您可能会发现,针对您的业务需求对防火墙规则进行全面检查是一项很好的时间投资,以免它们再次绊倒您。