My iptables rules:
# delete all current rules and user chains
iptables -F
iptables -X

# global policy (target by default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# dns -> udp
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# http
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# ssh
iptables -A INPUT -i eth0 -p tcp --dport 29415 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 29415 -m state --state ESTABLISHED -j ACCEPT

# final LOG
iptables -A INPUT -i eth0 -m limit -j LOG --log-prefix "[fortress:unrule_input] "
iptables -A OUTPUT -o eth0 -m limit -j LOG --log-prefix "[fortress:unrule_output] "
# --log-ip-options --log-tcp-options

# final DROP
iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP
Port 25 is not open. The default policy is DROP.
Only over UDP is it possible for the server to originate new packets and establish a connection.
But Postfix still sends mail…
For testing I use this from the command line:
php -a
mail('[email protected]', 'subject', 'body');
Output of iptables -vL:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
48089 1119M ACCEPT     all  --  lo     any     anywhere             anywhere
 1518  165K ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp spt:domain state ESTABLISHED
86211 5672K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
 2498  184K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:29415 state NEW,ESTABLISHED
   18   840 LOG        all  --  eth0   any     anywhere             anywhere             limit: avg 3/hour burst 5 LOG level warning prefix "[fortress:unrule_input] "
 1430 75592 DROP       all  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
48089 1119M ACCEPT     all  --  any    lo      anywhere             anywhere
 1524  112K ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:domain state NEW,ESTABLISHED
 181K  253M ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:http state ESTABLISHED
 1781  627K ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:29415 state ESTABLISHED
   18   948 LOG        all  --  any    eth0    anywhere             anywhere             limit: avg 3/hour burst 5 LOG level warning prefix "[fortress:unrule_output] "
  346 20488 DROP       all  --  any    eth0    anywhere             anywhere
In /var/log/maillog:
May 21 14:50:44 CentOS-70-64-minimal postfix/qmgr[5169]: B79F311800AB: removed
May 21 14:50:44 CentOS-70-64-minimal postfix/smtp[5484]: B79F311800AB: to=<[email protected]>, relay=mx.domen.tl[2a02:6b8::89]:25, delay=121, delays=0.14/0.01/120/0.85, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued on mxfront10j.mail.yandex.net as 1432212643-e6gErcsB7d-ohqGfFN0)
May 21 14:50:42 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[213.180.204.89]:25: Connection timed out
May 21 14:50:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[93.158.134.89]:25: Connection timed out
May 21 14:49:42 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[213.180.193.89]:25: Connection timed out
May 21 14:49:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[77.88.21.89]:25: Connection timed out
May 21 14:48:43 CentOS-70-64-minimal postfix/qmgr[5169]: CA04D11800A6: removed
May 21 14:48:43 CentOS-70-64-minimal postfix/smtp[5485]: CA04D11800A6: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25, delay=0.27, delays=0.08/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1432212522 t8si3023064wjr.69 - gsmtp)
May 21 14:48:42 CentOS-70-64-minimal postfix/local[5483]: B79F311800AB: to=<[email protected]>, relay=local, delay=0.23, delays=0.14/0.01/0/0.08, dsn=2.0.0, status=sent (forwarded as CA04D11800A6)
May 21 14:48:42 CentOS-70-64-minimal postfix/qmgr[5169]: CA04D11800A6: from=<[email protected]>, size=571, nrcpt=1 (queue active)
May 21 14:48:42 CentOS-70-64-minimal postfix/cleanup[5481]: CA04D11800A6: message-id=<[email protected]>
May 21 14:48:42 CentOS-70-64-minimal postfix/qmgr[5169]: B79F311800AB: from=<[email protected]>, size=403, nrcpt=2 (queue active)
May 21 14:48:42 CentOS-70-64-minimal postfix/cleanup[5481]: B79F311800AB: message-id=<[email protected]>
May 21 14:48:42 CentOS-70-64-minimal postfix/pickup[5376]: B79F311800AB: uid=0 from=<root>
cat rules:
# Generated by iptables-save v1.4.21 on Thu May 21 15:18:19 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 29415 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "[fortress:unrule_input] "
-A INPUT -i eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 29415 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m limit --limit 3/hour -j LOG --log-prefix "[fortress:unrule_output] "
-A OUTPUT -o eth0 -j DROP
COMMIT
# Completed on Thu May 21 15:18:19 2015
Your iptables rules are doing what you want: they block outbound port 25 connections:
May 21 14:50:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[93.158.134.89]:25: Connection timed out
Unfortunately, your server also seems to have a working IPv6 address (I'm guessing it's a modern VPS; I've noticed most of them are v6-enabled these days), and many providers now advertise v6 mail servers, so for those it works fine:
May 21 14:48:43 CentOS-70-64-minimal postfix/smtp[5485]: CA04D11800A6: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25, delay=0.27, delays=0.08/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1432212522 t8si3023064wjr.69 - gsmtp)
Note the address: 2a00:1450:4013:c01::1b, which is not a v4 address. You need to make sure your IPv6 rules are also as strict as you want them to be, using ip6tables -L -n -v. Welcome to the twenty-first century!
Edit: I can't tell you what ip6tables rules you should have, but the syntax is roughly the same, yes. And you may or may not choose to copy your ruleset, but if you don't have an equally carefully designed set of IPv6 rules, you'll be leaving a big hole in your security.
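The following is an added example, not code from the question or the answer above. It emits an ip6tables ruleset that mirrors the poster's v4 rules (interface eth0, HTTP on 80, SSH on 29415, DNS over UDP, no port 25 in either direction, all taken from the question) so it can be reviewed before being applied, and it includes a small check that reads an iptables-save or ip6tables-save dump and reports anything in OUTPUT that would let TCP/25 through. Two things are my additions rather than the poster's: an ICMPv6 allowance, because IPv6 Neighbor Discovery and Router Advertisements run over ICMPv6 and a host that drops them loses its neighbor cache and default route; and the FW6_ACTION variable and "fortress6" log prefix, which are hypothetical names chosen for this script.

```sh
#!/bin/sh
# Added example (not from the question or answer): mirror the v4 rules for
# ip6tables and check *-save dumps for outbound SMTP. Nothing is applied
# unless FW6_ACTION=apply is set and the script runs as root.

IFACE="${IFACE:-eth0}"         # from the question
SSH_PORT="${SSH_PORT:-29415}"  # from the question

# Print the ip6tables commands; lines beginning with # are comments when piped to sh.
emit_v6_rules() {
    cat <<EOF
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# localhost
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# ICMPv6 (added here, not in the v4 set): Neighbor Discovery and Router
# Advertisements use it; dropping all ICMPv6 breaks IPv6 connectivity.
ip6tables -A INPUT -i $IFACE -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -o $IFACE -p icmpv6 -j ACCEPT
# dns -> udp
ip6tables -A INPUT -i $IFACE -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o $IFACE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# http
ip6tables -A INPUT -i $IFACE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o $IFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# ssh
ip6tables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o $IFACE -p tcp --sport $SSH_PORT -m state --state ESTABLISHED -j ACCEPT
# final LOG, then DROP; no port 25 rule exists, so outbound SMTP over v6 is blocked too
ip6tables -A INPUT -i $IFACE -m limit --limit 3/hour -j LOG --log-prefix "[fortress6:unrule_input] "
ip6tables -A OUTPUT -o $IFACE -m limit --limit 3/hour -j LOG --log-prefix "[fortress6:unrule_output] "
ip6tables -A INPUT -i $IFACE -j DROP
ip6tables -A OUTPUT -o $IFACE -j DROP
EOF
}

# Read an iptables-save / ip6tables-save dump on stdin and print each line that
# would let outbound TCP/25 through: an OUTPUT policy other than DROP, an ACCEPT
# matching --dport 25 (or a multiport list beginning with 25), or an ACCEPT on a
# non-loopback interface with no protocol match at all. Exit 0 if clean, 1 if not.
# Port ranges and multiport lists that do not start with 25 are not detected.
check_no_outbound_smtp() {
    awk '
        /^:OUTPUT / && $2 != "DROP"                                { bad++; print "policy:    " $0 }
        /^-A OUTPUT / && /-j ACCEPT/ && /--dports? 25([^0-9]|$)/    { bad++; print "port 25:   " $0 }
        /^-A OUTPUT / && /-j ACCEPT/ && !/-p / && !/-o lo( |$)/     { bad++; print "catch-all: " $0 }
        END { exit (bad > 0) }
    '
}

case "${FW6_ACTION:-emit}" in
    apply) emit_v6_rules | sh ;;        # root required; review the emitted rules first
    check) check_no_outbound_smtp ;;    # e.g. ip6tables-save | FW6_ACTION=check sh fw6.sh
    *)     emit_v6_rules ;;
esac
```

Run it with no variables to print the rules for review, then `ip6tables-save | FW6_ACTION=check sh fw6.sh` (the same check works on `iptables-save` output) to confirm that neither table accepts outbound port 25; a non-zero exit with printed lines is the hole the answer is warning about.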