因此,在与防火墙进行一些斗争和挣扎之后,我发现我可能正在做一些事情或者防火墙没有正确响应,有一个端口过滤器正在阻止某些端口。
好的,这就是我所做的:
我对 iptables 文件做了一些修改,结果出现了无数问题,所以我恢复了 iptables.old 文件
iptables.old的内容:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
iptables.old 恢复(恢复为库存)后,nmap 扫描显示:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:54 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds
如果我附加规则:(接受接口 eth0 上传入服务器的所有 tcp 端口)
iptables -A INPUT -i eth0 -m tcp -j ACCEPT
nmap 输出:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:58 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds
*注意它允许并打开端口 443 但不允许打开其他端口,并且删除了端口 113......?
删除先前的规则,如果我附加规则:(允许并打开接口 eth0 上传入服务器的端口 80)
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
nmap 输出:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:01 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds
*请注意,它删除了端口 443 并允许 80,但已关闭
不删除前一条规则,如果我附加规则:(允许并打开接口 eth0 上进入服务器的端口 1723)
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT
nmap 输出:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:05 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds
*注意到打开或关闭的端口没有变化吗?
删除规则后:
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT
nmap 输出:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident
Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds
并返回规则:(接受接口 eth0 上进入服务器的所有 tcp 端口)
iptables -A INPUT -i eth0 -m tcp -j ACCEPT
nmap 输出:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds
注意 eth0 将 999 个过滤端口更改为 858 个过滤端口和 139 个关闭端口
问题:
为什么我不能允许和/或打开特定端口,例如我想允许和打开端口 443,但它不允许,甚至 pptp 的 1723 也不允许,为什么我不能这样做???
抱歉,布局有问题,编辑器也出了问题(唉)
答案1
甚至 1723 适用于 pptp
PPTP 使用的不仅仅是端口 tcp/1723。它还使用协议 GRE。为 PPTP 打开单个 TCP 端口或所有端口将不允许 PPTP 工作。您还需要允许 GRE。
最好的结果是使用状态规则并将 pptp 连接跟踪模块加载到内核中。
iptables -A 输入...
您的防火墙包含一条如下所示的规则-A INPUT -j REJECT
。也就是说,您有一条明确丢弃 FILTER 表的 INPUT 链上的流量的规则。如果您使用,iptables -A INPUT
那么您追加INPUT 链的规则。 规则按顺序处理,第一个匹配的获胜。由于您有拒绝声明,并且您追加在其之后的新规则,附加规则允许流量之前,您的拒绝将会被评估。