折腾2天.都想不明白iptables esmtp不能发邮件.附规则

root0

不行.
大家帮我写下吧.我有点糊涂了。
EXT=ppp0
INF=eth2

INPUT DROP
OUTPUT DROP
FORWARD DROP

在这种情况下怎样允许只能收发邮件.
不用state,或者用state只针对邮件端口

我搞不明白forward里,-i ,-o 到底是改指那块网卡
forward同时提供这个2个选项

[ 本帖最后由 root0 于 2008-10-20 16:23 编辑 ]

a_la_lei

1、我想您说的ppp0和eth2哪个是-i哪个是-o，应该这样理解：
一个端口，即可以接收数据包，也可以发送数据包，所以它即可以被-i，也可以被-o

2、如果想实现局域网能够访问收发邮件，应该有以下几个策略：
1）准许内网访问公网的tcp和udp的53端口（因为如果tcp53不成，程序会试图访问udp53端口，他们是用来请求域名解析的）
2）准许内网访问公网的tcp和udp的25端口（用来发邮件）
3）准许内网访问公网的tcp和udp的110端口（用来收邮件）
4）准许以上三个3种由内网发起的请求包所对应的回复包进入内网

3、因为我对iptables不太熟悉，下面是对着网上的这篇文章配的：
http://linux.ccidnet.com/pub/html/tech/iptables/index.htm

iptables -t filter -A FORWARD -i eth2 -o ppp0 -p tcp,udp -m multiport --dports 53,25,110 -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

[ 本帖最后由 a_la_lei 于 2008-10-20 19:47 编辑 ]

ssffzz1

1）准许内网访问公网的tcp和udp的53端口（因为如果tcp53不成，程序会试图访问udp53端口，他们是用来请求域名解析的）
##  TCP 53 是用于主从DNS间同步用的。客户端不会用到TCP 53。 只会用UDP 53


2）准许内网访问公网的tcp和udp的25端口（用来发邮件）
## 只有TCP 25 没有UDP

3）准许内网访问公网的tcp和udp的110端口（用来收邮件）
## 同上，没有UDP。

ssffzz1

我想问LZ的是，你后面已经Accept过的主机也不能收发吗？

a_la_lei

ssffzz1您可以看看这篇文章哦～
http://www.5dmail.net/html/2007-3-14/2007314191552.htm
tcp53端口不但如您说的可以用来同步，同样可以用来响应大于512字节的解析报文。

rfc1035
http://www.ietf.org/rfc/rfc1035.txt

ssffzz1

知道。 不过还是忽略了。

但是DNS查询报文不可能大于512字节。

a_la_lei

原帖由 ssffzz1 于 2008-10-20 18:10 发表
知道。 不过还是忽略了。

但是DNS查询报文不可能大于512字节。

不要那么肯定呀～ .~

root0

原帖由 ssffzz1 于 2008-10-20 17:44 发表
我想问LZ的是，你后面已经Accept过的主机也不能收发吗？

*filter
:FORWARD DROP [1540:563450]
-A FORWARD -i ppp0 -p tcp -m multiport --ports 25,465,993,110,995 -j ACCEPT
-A FORWARD -i ppp0 -p udp -m multiport --ports 53 -j ACCEPT

不对，收发邮件不会匹配到accept主机那里。
之前放在最上面。收发操作是按那里的匹配，不会走到下面accept主机的规则，所以问题应该出在那里。
forward里我不做state匹配。主要考虑一些客户端软件。比如qq。在规定时间后不会退出。这样我还得让非accept主机在1分钟断开，加大iptables匹配负载。而且不在forward表里放state我觉得更严谨些。

原帖由 a_la_lei 于 2008-10-20 17:29 发表
1、我想您说的ppp0和eth2哪个是-i哪个是-o，应该这样理解：
一个端口，即可以接收数据包，也可以发送数据包，所以它即可以被-i，也可以被-o

2、如果想实现局域网能够访问收发邮件，应该有以下几个策略：
1 ...

我明天试试a_la_lei的策略。再回来报告

root0

## outlook 出错提示
您的服务器意外终止了连接。其可能原因包括服务器出错、网络出错或长时间处于非活动状态。 主题 'Fw: Your free conference call number is: 1-605-475-8515', 帐户: 'zhangchuan.mail@gmail.com', 服务器: 'smtp.gmail.com', 协议: SMTP, 端口: 465, 安全(SSL): 是, 套接字错误: 10053, 错误号: 0x800CCC0F
##
还是不行,邮件到中间卡住,tcpdump跑到最后停住
$IPT -A FORWARD -i $INF -o $EXT -p tcp -m multiport --ports $DNS_PORT,$SMTP_PORT,$SSMTP_PORT,$IMAPS_PORT,$POP3_PORT,$POP3S_POR
T -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $EXT -o $INF -p tcp -m multiport --ports $DNS_PORT,$SMTP_PORT,$SSMTP_PORT,$IMAPS_PORT,$POP3_PORT,$POP3S_POR
T -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $INF -o $EXT -p udp -m multiport --ports $DNS_PORT,$SMTP_PORT,$SSMTP_PORT,$IMAPS_PORT,$POP3_PORT,$POP3S_POR
T -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $EXT -o $INF -p udp -m multiport --ports $DNS_PORT,$SMTP_PORT,$SSMTP_PORT,$IMAPS_PORT,$POP3_PORT,$POP3S_POR
T -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


09:34:54.918892 IP (tos 0x0, ttl 64, id 33136, offset 0, flags [DF], proto TCP (6), length 52) 192.168.123.30.1728 > 220.181.12.101.pop3: S, cksum 0x0d48 (correct), 2784595909:2784595909(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,sackOK>
09:34:54.963040 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 52) 220.181.12.101.pop3 > 192.168.123.30.1728: S, cksum 0x39f7 (correct), 2843087609:2843087609(0) ack 2784595910 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
09:34:54.963360 IP (tos 0x0, ttl 64, id 33137, offset 0, flags [DF], proto TCP (6), length 40) 192.168.123.30.1728 > 220.181.12.101.pop3: ., cksum 0x9803 (correct), 1:1(0) ack 1 win 63888
09:34:55.007836 IP (tos 0x0, ttl 53, id 55074, offset 0, flags [DF], proto TCP (6), length 127) 220.181.12.101.pop3 > 192.168.123.30.1728: P 1:88(87) ack 1 win 1460
09:34:55.008418 IP (tos 0x0, ttl 64, id 33138, offset 0, flags [DF], proto TCP (6), length 56) 192.168.123.30.1728 > 220.181.12.101.pop3: P 1:17(16) ack 88 win 63866
09:34:55.052953 IP (tos 0x0, ttl 53, id 55076, offset 0, flags [DF], proto TCP (6), length 40) 220.181.12.101.pop3 > 192.168.123.30.1728: ., cksum 0x8b79 (correct), 88:88(0) ack 17 win 1460
09:34:55.053426 IP (tos 0x0, ttl 53, id 55078, offset 0, flags [DF], proto TCP (6), length 55) 220.181.12.101.pop3 > 192.168.123.30.1728: P 88:103(15) ack 17 win 1460
09:34:55.053880 IP (tos 0x0, ttl 64, id 33139, offset 0, flags [DF], proto TCP (6), length 55) 192.168.123.30.1728 > 220.181.12.101.pop3: P 17:32(15) ack 103 win 63862
09:34:55.113287 IP (tos 0x0, ttl 53, id 55080, offset 0, flags [DF], proto TCP (6), length 70) 220.181.12.101.pop3 > 192.168.123.30.1728: P 103:133(30) ack 32 win 1460
09:34:55.113798 IP (tos 0x0, ttl 64, id 33141, offset 0, flags [DF], proto TCP (6), length 46) 192.168.123.30.1728 > 220.181.12.101.pop3: P, cksum 0xf5c0 (correct), 32:38(6) ack 133 win 63855
09:34:55.158381 IP (tos 0x0, ttl 53, id 55082, offset 0, flags [DF], proto TCP (6), length 49) 220.181.12.101.pop3 > 192.168.123.30.1728: P, cksum 0xaa89 (correct), 133:142(9) ack 38 win 1460
09:34:55.159751 IP (tos 0x0, ttl 64, id 33144, offset 0, flags [DF], proto TCP (6), length 46) 192.168.123.30.1728 > 220.181.12.101.pop3: P, cksum 0xefb3 (correct), 38:44(6) ack 142 win 63852
09:34:55.205681 IP (tos 0x0, ttl 53, id 55084, offset 0, flags [DF], proto TCP (6), length 55) 220.181.12.101.pop3 > 192.168.123.30.1728: P 142:157(15) ack 44 win 1460
09:34:55.205924 IP (tos 0x0, ttl 64, id 33145, offset 0, flags [DF], proto TCP (6), length 40) 192.168.123.30.1728 > 220.181.12.101.pop3: F, cksum 0x9762 (correct), 44:44(0) ack 157 win 63849
09:34:55.206198 IP (tos 0x0, ttl 53, id 55086, offset 0, flags [DF], proto TCP (6), length 40) 220.181.12.101.pop3 > 192.168.123.30.1728: F, cksum 0x8b18 (correct), 157:157(0) ack 44 win 1460
09:34:55.206390 IP (tos 0x0, ttl 64, id 33146, offset 0, flags [DF], proto TCP (6), length 40) 192.168.123.30.1728 > 220.181.12.101.pop3: ., cksum 0x9761 (correct), 45:45(0) ack 158 win 63849
09:34:55.210201 IP (tos 0x0, ttl 64, id 33147, offset 0, flags [DF], proto TCP (6), length 52) 192.168.123.30.1729 > 209.85.143.109.urd: S, cksum 0xd9b9 (correct), 1786283464:1786283464(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,sackOK>
09:34:55.250040 IP (tos 0x0, ttl 53, id 55088, offset 0, flags [DF], proto TCP (6), length 40) 220.181.12.101.pop3 > 192.168.123.30.1728: ., cksum 0x8b17 (correct), 158:158(0) ack 45 win 1460
09:34:55.303256 IP (tos 0x0, ttl 241, id 45859, offset 0, flags [none], proto TCP (6), length 44) 209.85.143.109.urd > 192.168.123.30.1729: S, cksum 0x3a9e (correct), 3883384996:3883384996(0) ack 1786283465 win 8190 <mss 1460>
09:34:55.303463 IP (tos 0x0, ttl 64, id 33149, offset 0, flags [DF], proto TCP (6), length 40) 192.168.123.30.1729 > 209.85.143.109.urd: ., cksum 0x7259 (correct), 1:1(0) ack 1 win 65535
09:34:55.304263 IP (tos 0x0, ttl 64, id 33150, offset 0, flags [DF], proto TCP (6), length 142) 192.168.123.30.1729 > 209.85.143.109.urd: P 1:103(102) ack 1 win 65535
09:34:55.400789 IP (tos 0x0, ttl 50, id 15285, offset 0, flags [none], proto TCP (6), length 40) 209.85.143.109.urd > 192.168.123.30.1729: ., cksum 0x5b9b (correct), 1:1(0) ack 103 win 5720
09:34:55.405026 IP (tos 0x0, ttl 50, id 15286, offset 0, flags [none], proto TCP (6), length 1014) 209.85.143.109.urd > 192.168.123.30.1729: P 1:975(974) ack 103 win 5720
09:34:55.406602 IP (tos 0x0, ttl 64, id 33153, offset 0, flags [DF], proto TCP (6), length 222) 192.168.123.30.1729 > 209.85.143.109.urd: P 103:285(182) ack 975 win 64561
09:34:55.506943 IP (tos 0x0, ttl 50, id 15287, offset 0, flags [none], proto TCP (6), length 83) 209.85.143.109.urd > 192.168.123.30.1729: P 975:1018(43) ack 285 win 6432
09:34:55.507641 IP (tos 0x0, ttl 50, id 15288, offset 0, flags [none], proto TCP (6), length 106) 209.85.143.109.urd > 192.168.123.30.1729: P 1018:1084(66) ack 285 win 6432
09:34:55.507784 IP (tos 0x0, ttl 64, id 33154, offset 0, flags [DF], proto TCP (6), length 40) 192.168.123.30.1729 > 209.85.143.109.urd: ., cksum 0x713d (correct), 285:285(0) ack 1084 win 64452
09:34:55.508390 IP (tos 0x0, ttl 64, id 33155, offset 0, flags [DF], proto TCP (6), length 75) 192.168.123.30.1729 > 209.85.143.109.urd: P 285:320(35) ack 1084 win 64452
09:34:55.605987 IP (tos 0x0, ttl 50, id 15289, offset 0, flags [none], proto TCP (6), length 195) 209.85.143.109.urd > 192.168.123.30.1729: P 1084:1239(155) ack 320 win 6432
09:34:55.606569 IP (tos 0x0, ttl 64, id 33159, offset 0, flags [DF], proto TCP (6), length 73) 192.168.123.30.1729 > 209.85.143.109.urd: P 320:353(33) ack 1239 win 64297
09:34:55.703025 IP (tos 0x0, ttl 50, id 15290, offset 0, flags [none], proto TCP (6), length 79) 209.85.143.109.urd > 192.168.123.30.1729: P 1239:1278(39) ack 353 win 6432
09:34:55.703306 IP (tos 0x0, ttl 64, id 33160, offset 0, flags [DF], proto TCP (6), length 99) 192.168.123.30.1729 > 209.85.143.109.urd: P 353:412(59) ack 1278 win 64258
09:34:55.797862 IP (tos 0x0, ttl 50, id 15291, offset 0, flags [none], proto TCP (6), length 79) 209.85.143.109.urd > 192.168.123.30.1729: P 1278:1317(39) ack 412 win 6432
09:34:55.798121 IP (tos 0x0, ttl 64, id 33161, offset 0, flags [DF], proto TCP (6), length 79) 192.168.123.30.1729 > 209.85.143.109.urd: P 412:451(39) ack 1317 win 64219
09:34:55.932158 IP (tos 0x0, ttl 50, id 15292, offset 0, flags [none], proto TCP (6), length 40) 209.85.143.109.urd > 192.168.123.30.1729: ., cksum 0x5253 (correct), 1317:1317(0) ack 451 win 6432
09:34:57.067529 IP (tos 0x0, ttl 50, id 15293, offset 0, flags [none], proto TCP (6), length 81) 209.85.143.109.urd > 192.168.123.30.1729: P 1317:1358(41) ack 451 win 6432
09:34:57.069984 IP (tos 0x0, ttl 64, id 33166, offset 0, flags [DF], proto TCP (6), length 101) 192.168.123.30.1729 > 209.85.143.109.urd: P 451:512(61) ack 1358 win 64178
09:34:57.164094 IP (tos 0x0, ttl 50, id 15294, offset 0, flags [none], proto TCP (6), length 40) 209.85.143.109.urd > 192.168.123.30.1729: ., cksum 0x51ed (correct), 1358:1358(0) ack 512 win 6432
09:34:57.164778 IP (tos 0x0, ttl 50, id 15295, offset 0, flags [none], proto TCP (6), length 95) 209.85.143.109.urd > 192.168.123.30.1729: P 1358:1413(55) ack 512 win 6432
09:34:57.165047 IP (tos 0x0, ttl 64, id 33167, offset 0, flags [DF], proto TCP (6), length 91) 192.168.123.30.1729 > 209.85.143.109.urd: P 512:563(51) ack 1413 win 64123
09:34:57.260203 IP (tos 0x0, ttl 50, id 15296, offset 0, flags [none], proto TCP (6), length 95) 209.85.143.109.urd > 192.168.123.30.1729: P 1413:1468(55) ack 563 win 6432
09:34:57.260499 IP (tos 0x0, ttl 64, id 33169, offset 0, flags [DF], proto TCP (6), length 67) 192.168.123.30.1729 > 209.85.143.109.urd: P 563:590(27) ack 1468 win 65535
09:34:57.395664 IP (tos 0x0, ttl 50, id 15297, offset 0, flags [none], proto TCP (6), length 40) 209.85.143.109.urd > 192.168.123.30.1729: ., cksum 0x5131 (correct), 1468:1468(0) ack 590 win 6432
09:34:57.826749 IP (tos 0x0, ttl 50, id 15298, offset 0, flags [none], proto TCP (6), length 96) 209.85.143.109.urd > 192.168.123.30.1729: P 1468:1524(56) ack 590 win 6432
09:34:57.827749 IP (tos 0x0, ttl 64, id 33171, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.123.30.1729 > 209.85.143.109.urd: . 590:2050(1460) ack 1524 win 65479
09:34:57.827867 IP (tos 0x0, ttl 64, id 34631, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.123.30.1729 > 209.85.143.109.urd: . 2050:3510(1460) ack 1524 win 65479
09:34:57.827990 IP (tos 0x0, ttl 64, id 36091, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.123.30.1729 > 209.85.143.109.urd: . 3510:4970(1460) ack 1524 win 65479
09:34:57.828122 IP (tos 0x0, ttl 64, id 37551, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.123.30.1729 > 209.85.143.109.urd: . 4970:6430(1460) ack 1524 win 65479
09:34:57.957407 IP (tos 0x0, ttl 64, id 33177, offset 0, flags [DF], proto TCP (6), length 40) 192.168.123.30.1729 > 209.85.143.109.urd: ., cksum 0x5381 (correct), 6430:6430(0) ack 1524 win 65479
09:34:58.460776 IP (tos 0x0, ttl 64, id 33179, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.123.30.1729 > 209.85.143.109.urd: . 590:2050(1460) ack 1524 win 65479
09:35:00.069926 IP (tos 0x0, ttl 64, id 33180, offset 0,

[ 本帖最后由 root0 于 2008-10-21 09:53 编辑 ]

ssffzz1

哦，是吗。举个例子看看。

一时还真想不出来 A 记录查询怎么会哪么大。