iptables not letting SMTP through

I'm trying to set up iptables to allow SMTP connections, and it doesn't seem to be working.

Here is the output of iptables -L:

    Chain INPUT (policy ACCEPT)
    target     prot opt source      destination
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:http
    ACCEPT     all  --  anywhere    anywhere
    REJECT     all  --  anywhere    127.0.0.0/8    reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere    anywhere       state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:smtp
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:afs3-callback
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:3980
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:irdmi
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:microsoft-ds
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:hbci
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:http
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:https
    ACCEPT     tcp  --  anywhere    anywhere       state NEW tcp dpt:ssh
    ACCEPT     icmp --  anywhere    anywhere       icmp echo-request
    REJECT     all  --  anywhere    anywhere       reject-with icmp-port-unreachable
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:hbci
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:irdmi

    Chain FORWARD (policy ACCEPT)
    target     prot opt source      destination
    REJECT     all  --  anywhere    anywhere       reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source      destination
    ACCEPT     all  --  anywhere    anywhere
    ACCEPT     tcp  --  anywhere    anywhere       tcp dpt:smtp

    Chain RH-Firewall-1-INPUT (0 references)
    target     prot opt source      destination

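When I try telnet host.address.com 25, it says Connection refused. Connecting to other ports (e.g., 80) works fine. How can I find out what is going on here?

Edit:

Trying to connect on the machine to itself works: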

    [root@machine user]# telnet 127.0.0.1 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 host.address.com ESMTP Postfix

Edit 2:

Here is the output of iptables-save:

    # Generated by iptables-save v1.3.5 on Wed Oct 13 22:50:11 2010
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 7001 -j ACCEPT
    -A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 7002 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p udp -m udp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p udp -m udp --dport 137 -j ACCEPT
    -A INPUT -p udp -m udp --dport 138 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -j ACCEPT
    COMMIT
    # Completed on Wed Oct 13 22:50:11 2010
    # Generated by iptables-save v1.3.5 on Wed Oct 13 22:50:11 2010
    *raw
    :PREROUTING ACCEPT [3267:2601193]
    :OUTPUT ACCEPT [1984:334831]
    COMMIT
    # Completed on Wed Oct 13 22:50:11 2010

Ugh, what a stupid mistake. There was a problem in my main.cf file. I needed to set inet_interfaces = all. Before, it was only accepting from localhost.
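
A check that separates the two causes seen in this thread (firewall rule versus a daemon bound only to loopback), as an added example that is not part of the original post. The helper name listen_scope and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ltn` output (not taken from the original post).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp        0      0 127.0.0.1:25    0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:80      0.0.0.0:*        LISTEN
tcp        0      0 :::22           :::*             LISTEN'

# listen_scope PORT  (hypothetical helper name)
# Reads `netstat -ltn` or `ss -ltn` output on stdin and prints:
#   none           nothing listens on PORT
#   loopback-only  listeners exist, but only on 127.0.0.0/8 or ::1
#   reachable      at least one listener on a wildcard or non-loopback address
listen_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" || $NF == "LISTEN" {
            addr = $4                      # local address:port in both tools
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") loop = 1
            else other = 1
        }
        END {
            if (other)     print "reachable"
            else if (loop) print "loopback-only"
            else           print "none"
        }'
}

# On a live host: netstat -ltn | listen_scope 25
# "loopback-only" means the daemon's bind setting is the cause (for Postfix,
# inet_interfaces in main.cf), not the iptables rules.
printf '%s\n' "$SAMPLE" | listen_scope 25
```

If the result is reachable and remote connections are still refused, the firewall rule order is the next thing to inspect.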