IPtables는 모두 삭제하지만 postfix는 여전히 이메일을 보냅니다.

tag-icon tag-icon security iptables postfix
IPtables는 모두 삭제하지만 postfix는 여전히 이메일을 보냅니다.

내 iptables 규칙:

# delete all current rules and user chains
iptables -F
iptables -X

# global policy (target by default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# dns -> udp
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# http
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# ssh
iptables -A INPUT -i eth0 -p tcp --dport 29415 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 29415 -m state --state ESTABLISHED -j ACCEPT

# final LOG
iptables -A INPUT -i eth0  -m limit -j LOG --log-prefix "[fortress:unrule_input] "
iptables -A OUTPUT -o eth0  -m limit -j LOG --log-prefix "[fortress:unrule_output] "
#  --log-ip-options --log-tcp-options

# final DROP
iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP

포트 25가 열려 있지 않습니다. 기본적으로 정책 - DROP.
UDP 프로토콜을 통해서만 서버에서 새로운 패킷을 보내고 연결을 설정할 수 있습니다.
하지만 Postfix는 여전히 메일을 보냅니다...
테스트를 위해 명령줄에서 다음을 사용합니다.

php -a
mail('[email protected]', 'subject', 'body');

산출iptables -vL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
48089 1119M ACCEPT     all  --  lo     any     anywhere             anywhere            
 1518  165K ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp spt:domain state ESTABLISHED
86211 5672K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
 2498  184K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:29415 state NEW,ESTABLISHED
   18   840 LOG        all  --  eth0   any     anywhere             anywhere             limit: avg 3/hour burst 5 LOG level warning prefix "[fortress:unrule_input] "
 1430 75592 DROP       all  --  eth0   any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
48089 1119M ACCEPT     all  --  any    lo      anywhere             anywhere            
 1524  112K ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:domain state NEW,ESTABLISHED
 181K  253M ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:http state ESTABLISHED
 1781  627K ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp spt:29415 state ESTABLISHED
   18   948 LOG        all  --  any    eth0    anywhere             anywhere             limit: avg 3/hour burst 5 LOG level warning prefix "[fortress:unrule_output] "
  346 20488 DROP       all  --  any    eth0    anywhere             anywhere

/var/log/maillog

May 21 14:50:44 CentOS-70-64-minimal postfix/qmgr[5169]: B79F311800AB: removed
May 21 14:50:44 CentOS-70-64-minimal postfix/smtp[5484]: B79F311800AB: to=<[email protected]>, relay=mx.domen.tl[2a02:6b8::89]:25, delay=121, delays=0.14/0.01/120/0.85, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued on mxfront10j.mail.yandex.net as 1432212643-e6gErcsB7d-ohqGfFN0)
May 21 14:50:42 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[213.180.204.89]:25: Connection timed out
May 21 14:50:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[93.158.134.89]:25: Connection timed out
May 21 14:49:42 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[213.180.193.89]:25: Connection timed out
May 21 14:49:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[77.88.21.89]:25: Connection timed out
May 21 14:48:43 CentOS-70-64-minimal postfix/qmgr[5169]: CA04D11800A6: removed
May 21 14:48:43 CentOS-70-64-minimal postfix/smtp[5485]: CA04D11800A6: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25, delay=0.27, delays=0.08/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1432212522 t8si3023064wjr.69 - gsmtp)
May 21 14:48:42 CentOS-70-64-minimal postfix/local[5483]: B79F311800AB: to=<[email protected]>, relay=local, delay=0.23, delays=0.14/0.01/0/0.08, dsn=2.0.0, status=sent (forwarded as CA04D11800A6)
May 21 14:48:42 CentOS-70-64-minimal postfix/qmgr[5169]: CA04D11800A6: from=<[email protected]>, size=571, nrcpt=1 (queue active)
May 21 14:48:42 CentOS-70-64-minimal postfix/cleanup[5481]: CA04D11800A6: message-id=<[email protected]>
May 21 14:48:42 CentOS-70-64-minimal postfix/qmgr[5169]: B79F311800AB: from=<[email protected]>, size=403, nrcpt=2 (queue active)
May 21 14:48:42 CentOS-70-64-minimal postfix/cleanup[5481]: B79F311800AB: message-id=<[email protected]>
May 21 14:48:42 CentOS-70-64-minimal postfix/pickup[5376]: B79F311800AB: uid=0 from=<root>

고양이 규칙

# Generated by iptables-save v1.4.21 on Thu May 21 15:18:19 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 29415 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "[fortress:unrule_input] "
-A INPUT -i eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 29415 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m limit --limit 3/hour -j LOG --log-prefix "[fortress:unrule_output] "
-A OUTPUT -o eth0 -j DROP
COMMIT
# Completed on Thu May 21 15:18:19 2015

답변1

규칙 이 iptables정확히 원하는 대로 수행되고 있습니다. 즉, 아웃바운드 포트 25 연결을 차단하고 있습니다.

May 21 14:50:12 CentOS-70-64-minimal postfix/smtp[5484]: connect to mx.domen.tl[93.158.134.89]:25: Connection timed out

불행하게도 귀하의 서버에는 유효한 ipv6 주소가 있는 것으로 보입니다(최신 VPS인 것 같습니다. 요즘에는 대부분 v6을 지원하는 것으로 나타났습니다). 요즘 많은 제공업체가 v6 메일 서버를 광고하므로 잘 작동하고 있습니다.

May 21 14:48:43 CentOS-70-64-minimal postfix/smtp[5485]: CA04D11800A6: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25, delay=0.27, delays=0.08/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1432212522 t8si3023064wjr.69 - gsmtp)

주소 2a00:1450:4013:c01::1b는 v4 주소가 아닙니다. IPv6 규칙이 다음과 같은지 확인해야 합니다.또한원하는 만큼 엄격하게 ip6tables -L -n -v. 21세기에 오신 것을 환영합니다!

편집하다: 어떤 규칙을 가져야 하는지는 말할 수 없지만 ip6tables구문은 대체로 동일합니다. 그리고 규칙 세트를 복제하도록 선택할 수도 있고 선택하지 않을 수도 있지만동일하게 세심하게 설계된 IPv6 규칙 세트가 없으면 보안에 구멍이 생길 수 있습니다.

관련 정보