postfix+mariadb 空壳邮件 iptables
####################postfix+mariadb###################
1.准备工作
[root@westos-mail ~]# yum install mariadb php php-mysql httpd dovecot dovecot-mysql -y
安装有关软件
2.配置文件
[root@westos-mail ~]# vim /etc/dovecot/dovecot.conf
24 protocols = imap pop3 lmtp
48 login_trusted_networks = 0.0.0.0/0
49 disable_plaintext_auth = no
(注意: 这两项分别把所有来源网络视为可信, 并允许在未加密连接上进行明文认证, 仅适合实验环境; 生产环境应保留默认值并启用SSL/TLS)
[root@westos-mail ~]# vim /etc/dovecot/conf.d/10-auth.conf
123 !include auth-sql.conf.ext
[root@westos-mail ~]# cd /etc/dovecot/conf.d
[root@westos-mail conf.d]# ls
10-auth.conf 20-imap.conf auth-dict.conf.ext
10-director.conf 20-lmtp.conf auth-ldap.conf.ext
10-logging.conf 20-pop3.conf auth-master.conf.ext
10-mail.conf 90-acl.conf auth-passwdfile.conf.ext
10-master.conf 90-plugin.conf auth-sql.conf.ext
10-ssl.conf 90-quota.conf auth-static.conf.ext
15-lda.conf auth-checkpassword.conf.ext auth-system.conf.ext
15-mailboxes.conf auth-deny.conf.ext auth-vpopmail.conf.ext
[root@westos-mail conf.d]# cp /usr/share/doc/dovecot-2.2.10/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
[root@westos-mail conf.d]# vim /etc/dovecot/dovecot-sql.conf.ext
32 driver = mysql
71 connect = host=localhost dbname=email user=postuser password=postuser
78 default_pass_scheme = PLAIN ##数据库中的密码以明文存储, 仅适合测试环境
107 password_query = \
108 SELECT username, domain, password \
109 FROM emailuser WHERE username = '%u' AND domain = '%d'
125 user_query = SELECT maildir, 666 AS uid, 666 AS gid FROM emailuser WHERE username = '%u'
[root@westos-mail conf.d]# vim 10-mail.conf
30 mail_location = maildir:/home/vmail/%d/%n
168 first_valid_uid = 666
175 first_valid_gid = 666
[root@westos-mail conf.d]# yum install -y telnet
[root@westos-mail conf.d]# systemctl restart dovecot
测试
[root@westos-mail conf.d]# telnet 172.25.254.101 110
Trying 172.25.254.101...
Connected to 172.25.254.101.
Escape character is '^]'.
+OK [XCLIENT] Dovecot ready.
user lee@lee.com
+OK
pass lee
+OK Logged in.
quit
+OK Logging out.
Connection closed by foreign host.
#################空壳邮件####################
1.先重置空壳端
2.配置
[root@localhost ~]# vim /etc/postfix/main.cf
75 myhostname = nullmail.example.com ##主机名
83 mydomain = example.com ##域名
99 myorigin = westos.com ##要与真实主机的域名相同
113 inet_interfaces = all
164 mydestination = ##空壳实际不接收邮件,所以不写
316 relayhost = 172.25.254.101 ##真实主机ip
[root@nullmail ~]# systemctl restart postfix.service
测试
#空壳端
[root@nullmail ~]# mail root
Subject: qe
qe
qe
.
EOT
[root@nullmail ~]# mailq
Mail queue is empty
#真接收端
[root@westos-mail named]# mail
Heirloom Mail version 12.5 7/5/10. Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N 1 root Thu Jun 1 08:01 22/742 "qe"
& q
######################################
#############iptables#################
######################################
1.准备工作
查看火墙状态,如果是running,将其关闭
打开iptables
2.iptables
iptables是一个工作于用户空间的防火墙应用软件
三表:filter ##不经过内核
mangle
nat ##经过内核
五链:INPUT OUTPUT FORWARD PREROUTING POSTROUTING
-t ##指出表的名称
-n ##不作解析
-L ##列出指定表的策略
-F ##刷掉filter表中的所有策略
-A ##增加策略
-s ##数据来源
-j ##动作
ACCEPT ##允许
REJECT ##拒绝
--dport ##端口
-D ##删除指定策略
-I ##插入策略
-R ##修改策略
-P ##修改默认策略
service iptables save ##保存当前策略
[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT ##允许lo
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT ##允许访问22 端口
[root@localhost ~]# iptables -A INPUT -s 172.25.254.75 -j ACCEPT ##只允许75主机访问
[root@localhost ~]# iptables -A INPUT -j REJECT ##其它全部拒绝
[root@localhost ~]# iptables -nL ##查看filter表当前策略
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 172.25.254.95 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -N redhat ##增加redhat链
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 172.25.254.95 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain redhat (0 references)
target prot opt source destination
[root@localhost ~]# iptables -E redhat westos ##将redhat链名称改为westos
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 172.25.254.95 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain westos (0 references)
target prot opt source destination
[root@localhost ~]# iptables -X westos ##删除westos链
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 172.25.254.95 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j REJECT ##插入策略到INPUT中的第一条
iptables -P INPUT DROP ###修改默认策略
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 172.25.254.75 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@localhost ~]# iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT ##修改第一条策略
####提高访问速度,缓解访问压力
[root@localhost ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ##已建立或相关连接的数据包在第一条即被放行,不必再逐条匹配后面的策略
[root@localhost ~]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT ##再次读lo策略时候直接读这个
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ##再次读22端口策略时直接读这个,不需要全部读
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT ##再次读80端口策略时直接读这个,不需要全部读
[root@localhost ~]# iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT ##再次读443端口策略时直接读这个,不需要全部读
[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT ##再次读53端口策略时直接读这个,不需要全部读
[root@localhost ~]# iptables -A INPUT -j REJECT ##其它主机数据全部拒绝
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# service iptables save ##保存当前策略
##############路由###################
[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.25.254.101 ####出路由
[root@localhost ~]# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
[root@localhost ~]# vim /etc/sysctl.conf
5 net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-dest 172.25.0.11 #####进路由
[root@localhost ~]# iptables -t nat -nL ####查看当前策略
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.0.11
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.101
测试
[root@localhost ~]# ping 172.25.0.11
PING 172.25.0.11 (172.25.0.11) 56(84) bytes of data.
64 bytes from 172.25.0.11: icmp_seq=1 ttl=64 time=0.527 ms
64 bytes from 172.25.0.11: icmp_seq=2 ttl=64 time=0.384 ms
64 bytes from 172.25.0.11: icmp_seq=3 ttl=64 time=0.448 ms