Estou executando um pequeno servidor apache2 / iRedMail, mas estou tendo um problema com o iptables. Depois de um tempo trabalhando corretamente (horas) meu servidor está inacessível edit: da minha conexão de internet em casa em algumas portas (portas 80, 443 testadas, edit: apache?) Até reiniciar o serviço iptables (% código%). Fazer isso faz tudo funcionar de novo! Eu não sei o que poderia causar esse problema, especialmente porque ocorre horas depois de reiniciar o serviço iptables.
Quais arquivos de log eu posso pesquisar? O arquivo sudo service iptables restart
não mostra nada óbvio (eu li que contém informações sobre o iptables).
Todas as regras do iptables são configuradas no arquivo padrão usado no iRedMail, que é kern.log
.
Obrigado antecipadamente!
edit1: saída de /etc/default/iptables
user@server:~$ sudo iptables -L -n -v
Chain INPUT (policy DROP 102 packets, 19966 bytes)
pkts bytes target prot opt in out source destination
9500 2164K fail2ban-dovecot tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,9
95,143,993,4190
18543 6112K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
229 13256 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
33 1628 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888
109 6520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
14 808 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
18 1104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:17655
1 60 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16026 packets, 9143K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-dovecot (1 references)
pkts bytes target prot opt in out source destination
9500 2164K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
edit2: parece que meu arquivo iptables foi alterado em 15 de dezembro:
Isto é o que é agora:
# Generated by iptables-save v1.4.14 on Mon Dec 15 23:35:36 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [137:211520]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 17655 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Mon Dec 15 23:35:36 2014
Isso é o que era antes, extraído de um backup mais antigo:
Existem diferenças além dos comentários.
#---------------------------------------------------------------------
# This file is part of iRedMail, which is an open source mail server
# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.
#
# iRedMail is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# iRedMail is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with iRedMail. If not, see <http://www.gnu.org/licenses/>.
#---------------------------------------------------------------------
#
# Sample iptables rules. It should be localted at:
# /etc/sysconfig/iptables
#
# Shipped within iRedMail project:
# * http://iRedMail.googlecode.com/
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loop device.
-A INPUT -i lo -j ACCEPT
# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
# ssh
-A INPUT -p tcp --dport 17655 -j ACCEPT
#-A INPUT -p tcp --dport 9999 -j ACCEPT
# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# ejabberd
#-A INPUT -p tcp --dport 5222 -j ACCEPT
#-A INPUT -p tcp --dport 5223 -j ACCEPT
#-A INPUT -p tcp --dport 5280 -j ACCEPT
# ldap/ldaps
#-A INPUT -p tcp --dport 389 -j ACCEPT
#-A INPUT -p tcp --dport 636 -j ACCEPT
# ftp.
#-A INPUT -p tcp --dport 20 -j ACCEPT
#-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT
nova saída de iptables -L -n -v
user@server:~$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 1879 packets, 840K bytes)
pkts bytes target prot opt in out source destination
694 227K fail2ban-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,9
95,143,993,4190
694 227K fail2ban-dovecot tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,9
95,143,993,4190
694 227K fail2ban-roundcube tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110
,995,143,993,4190
0 0 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1706 packets, 707K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-dovecot (1 references)
pkts bytes target prot opt in out source destination
694 227K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-postfix (1 references)
pkts bytes target prot opt in out source destination
694 227K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-roundcube (1 references)
pkts bytes target prot opt in out source destination
694 227K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
edit3: saída de iptables -L -n -v
, ip do servidor substituído. Parece ser bem curto.
ipv4 2 udp 17 145 src=<SERVERIP> dst=213.239.239.166 sport=123 dport=123 src=213.239.239.166 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39571 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39571 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4707 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4707 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=92.121.32.40 dst=<SERVERIP> sport=4709 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4709 [ASSURED] mark=0 zone=0
use=2
ipv4 2 tcp 6 431291 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=46386 dport=389 src=127.0.0.1 dst=127.0.0.1 sport=389 dport=46386 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39572 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39572 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=92.121.32.40 dst=<SERVERIP> sport=4705 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4705 [ASSURED] mark=0 zone=0
use=2
ipv4 2 tcp 6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50519 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50519 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 112 src=<SERVERIP> dst=213.239.239.164 sport=123 dport=123 src=213.239.239.164 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50515 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50515 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4704 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4704 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50517 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50517 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39573 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39573 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50523 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50523 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50521 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50521 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4701 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4701 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50525 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50525 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 113 src=<SERVERIP> dst=213.239.239.165 sport=123 dport=123 src=213.239.239.165 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4706 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4706 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39570 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39570 [ASSURED] mark=0 zone=0 use=2