postfix+mariadb 空壳邮件 iptables
####################postfix+mariadb###################1.准备工作[root@westos-mail ~]# yum install mariadb php php-mysql httpd dovecot dovecot-mysql -y安装有关软件2.配置文件[root@westos-mail ~]# vim /etc/dovecot/dovecot.conf 24 protocols = imap pop3 lmtp 48 login_trusted_networks = 0.0.0.0/0 49 disable_plaintext_auth = no[root@westos-mail ~]# vim /etc/dovecot/conf.d/10-auth.conf 123 !include auth-sql.conf.ext[root@westos-mail ~]# cd /etc/dovecot/conf.d[root@westos-mail conf.d]# ls10-auth.conf 20-imap.conf auth-dict.conf.ext10-director.conf 20-lmtp.conf auth-ldap.conf.ext10-logging.conf 20-pop3.conf auth-master.conf.ext10-mail.conf 90-acl.conf auth-passwdfile.conf.ext10-master.conf 90-plugin.conf auth-sql.conf.ext10-ssl.conf 90-quota.conf auth-static.conf.ext15-lda.conf auth-checkpassword.conf.ext auth-system.conf.ext15-mailboxes.conf auth-deny.conf.ext auth-vpopmail.conf.ext[root@westos-mail conf.d]# cp /usr/share/doc/dovecot-2.2.10/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext[root@westos-mail conf.d]# vim /etc/dovecot/dovecot-sql.conf.ext 32 driver = mysql 71 connect = host=localhost dbname=email user=postuser password=postuser 78 default_pass_scheme = PLAIN 107 password_query = \ 108 SELECT username, domain, password \ 109 FROM emailuser WHERE username = '%u' AND domain = '%d' 125 user_query = SELECT maildir, 666 AS uid, 666 AS gid FROM emailuser WHER E username = '%u'[root@westos-mail conf.d]# vim 10-mail.conf 30 mail_location = maildir:/home/vmail/%d/%n 168 first_valid_uid = 666 175 first_valid_gid = 666[root@westos-mail conf.d]# yum install -y telnet[root@westos-mail conf.d]# systemctl restart dovecot测试[root@westos-mail conf.d]# telnet 172.25.254.101 110Trying 172.25.254.101...Connected to 172.25.254.101.Escape character is '^]'.+OK [XCLIENT] Dovecot ready.user lee@lee.com +OKpass lee+OK Logged in.quit+OK Logging out.Connection closed by foreign host.附图
#################空壳邮件####################1.先重置空壳端2.配置[root@localhost ~]# vim /etc/postfix/main.cf75 myhostname = nullmail.example.com ##主机名83 mydomain = example.com ##域名99 myorigin = westos.com ##要与真实主机的域名相同113 inet_interfaces = all 164 mydestination = ##空壳实际不接收邮件,所以不写316 relayhost = 172.25.254.101 ##真实主机ip[[root@nullmail ~]# systemctl restart postfix.service 测试#空壳端[root@nullmail ~]# mail rootSubject: qeqeqe.EOT[root@nullmail ~]# mailqMail queue is empty#真接收端[root@westos-mail named]# mailHeirloom Mail version 12.5 7/5/10. Type ? for help."/var/spool/mail/root": 1 message 1 new>N 1 root Thu Jun 1 08:01 22/742 "qe"& q###################################################iptables#######################################################1.准备工作查看火墙状态,如果是running,将其关闭打开iptables2.iptablesiptables是一个工作与用户之间的防火墙应用软件三表:filter ##不经过内核 mangel nat ##经过内核五链:INPUT OUTPUT FORWARD PREROUTING POSTROUTING -t ##指出表的名称 -n ##不作解析 -L ##列出指定表的策略 -F ##刷掉filter表中的所有策略 -A ##增加策略 -s ##数据来源 -j ##动作 ACCEPT ##允许 REJECT ##拒绝 --dport ##端口 -D ##删除指定策略 -I ##插入策略 -R ##修改策略 -P ##修改默认策略service iptables save ##保存当前策略[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT ##允许lo[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT ##允许访问22 端口[root@localhost ~]# iptables -A INPUT -s 172.25.254.75 -j ACCEPT ##只允许75主机访问[root@localhost ~]# iptables -A INPUT -j REJECT ##其它全部拒绝[root@localhost ~]# iptables -nL ##查看filter表当前策略Chain INPUT (policy ACCEPT)target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22ACCEPT all -- 172.25.254.95 0.0.0.0/0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT)target prot opt source destination Chain OUTPUT (policy ACCEPT)target prot opt source destination [root@localhost ~]# iptables -N redhat ##增加redhat链[root@localhost ~]# iptables -nLChain INPUT (policy ACCEPT)target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22ACCEPT all -- 172.25.254.95 0.0.0.0/0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT)target prot opt source destination Chain OUTPUT (policy ACCEPT)target prot opt source destination Chain redhat (0 references)target prot opt source destination [root@localhost ~]# iptables -E redhat westos ##将redhat链名称改为westos[root@localhost ~]# iptables -nLChain INPUT (policy ACCEPT)target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22ACCEPT all -- 172.25.254.95 0.0.0.0/0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT)target prot opt source destination Chain OUTPUT (policy ACCEPT)target prot opt source destination Chain westos (0 references)target prot opt source destination [root@localhost ~]# iptables -X westos ##删除westos链[root@localhost ~]# iptables -nLChain INPUT (policy ACCEPT)target prot opt source destinationACCEPT all -- 0.0.0.0/0 0.0.0.0/0ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22ACCEPT all -- 172.25.254.95 0.0.0.0/0REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT)target prot opt source destinationChain OUTPUT (policy ACCEPT)target prot opt source destination[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j REJECT ##插入策略到INPUT中的第一条iptables -P INPUT DROP ###修改默认策略[root@localhost ~]# iptables -nLChain INPUT (policy ACCEPT)target prot opt source destination REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachableACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22ACCEPT all -- 172.25.254.75 0.0.0.0/0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icm[root@localhost ~]# iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT ##修改第一条策略####提高访问速度,缓解访问压力[root@localhost ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ##建立过的策略再次读的话直接看这个[root@localhost ~]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT ##再次读lo策略时候直接读这个[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ##再次读22端口策略时直接读这个,不需要全部读[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT ##再次读80端口策略时直接读这个,不需要全部读[root@localhost ~]# iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT ##再次读443端口策略时直接读这个,不需要全部读[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT ##再次读53端口策略时直接读这个,不需要全部读[root@localhost ~]# iptables -A INPUT -j REJECT ##其它主机数据全部拒绝[root@localhost ~]# iptables -nLChain INPUT (policy ACCEPT)target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHEDACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEWREJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT)target prot opt source destination Chain OUTPUT (policy ACCEPT)target prot opt source destination [root@localhost ~]# service iptable save ##保存当前策略##############路由###################[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.25.254.101 ####出路由[root@localhost ~]# sysctl -a | grep forwardnet.ipv4.conf.all.forwarding = 0net.ipv4.conf.all.mc_forwarding = 0net.ipv4.conf.default.forwarding = 0net.ipv4.conf.default.mc_forwarding = 0net.ipv4.conf.eth0.forwarding = 0net.ipv4.conf.eth0.mc_forwarding = 0net.ipv4.conf.eth2.forwarding = 0net.ipv4.conf.eth2.mc_forwarding = 0net.ipv4.conf.lo.forwarding = 0net.ipv4.conf.lo.mc_forwarding = 0net.ipv4.ip_forward = 0net.ipv6.conf.all.forwarding = 0net.ipv6.conf.all.mc_forwarding = 0net.ipv6.conf.default.forwarding = 0net.ipv6.conf.default.mc_forwarding = 0net.ipv6.conf.eth0.forwarding = 0net.ipv6.conf.eth0.mc_forwarding = 0net.ipv6.conf.eth2.forwarding = 0net.ipv6.conf.eth2.mc_forwarding = 0net.ipv6.conf.lo.forwarding = 0net.ipv6.conf.lo.mc_forwarding = 0[root@localhost ~]# vim /etc/sysctl.conf 5 net.ipv4.ip_forward = 1[root@localhost ~]# sysctl -p net.ipv4.ip_forward = 1[root@localhost ~]# iptables -t nat -A PREROUTING -i eth2 -j DNAT --to-dest 172.25.0.11 #####进路由[root@localhost ~]# iptables -t nat -nL ####查看当前策略Chain PREROUTING (policy ACCEPT)target prot opt source destination DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.0.11Chain INPUT (policy ACCEPT)target prot opt source destination Chain OUTPUT (policy ACCEPT)target prot opt source destination Chain POSTROUTING (policy ACCEPT)target prot opt source destination SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.101测试[root@localhost ~]# ping 172.25.0.11PING 172.25.0.11 (172.25.0.11) 56(84) bytes of data.64 bytes from 172.25.0.11: icmp_seq=1 ttl=64 time=0.527 ms64 bytes from 172.25.0.11: icmp_seq=2 ttl=64 time=0.384 ms64 bytes from 172.25.0.11: icmp_seq=3 ttl=64 time=0.448 ms
您或许对下面这些文章有兴趣: 本月吐槽辛苦排行榜
黔ICP备2023000050号-1 | 本站使用 Dickey’s Blog主题 | 