Need firewall help - accepting FTP connections from outside

I hope you can help. Our DevOps person is away from our organisation's office, and our partner needs access to our FTP. We have locked it down to our office, but it needs to be opened up so that people outside our office can connect for a few weeks while our partner's development work is completed.

Unfortunately, my knowledge of the server side is limited and I am still learning.

We are running CentOS 7 with iptables. Here are our current rules:

 sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
60692   98M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  138  8258 ACCEPT     all  --  lo     any     anywhere             anywhere
 1943 90860 INPUT_direct  all  --  any    any     anywhere             anywhere
 1943 90860 INPUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
 1943 90860 INPUT_ZONES  all  --  any    any     anywhere             anywhere
  465 18696 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 FORWARD_direct  all  --  any    any     anywhere             anywhere
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
    0     0 FORWARD_IN_ZONES  all  --  any    any     anywhere             anywhere
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
    0     0 FORWARD_OUT_ZONES  all  --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 60733 packets, 193M bytes)
 pkts bytes target     prot opt in     out     source               destination
60757  193M OUTPUT_direct  all  --  any    any     anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  eth0   any     anywhere             anywhere             [goto]
    0     0 FWDI_public  all  --  +      any     anywhere             anywhere             [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  any    eth0    anywhere             anywhere             [goto]
    0     0 FWDO_public  all  --  any    +       anywhere             anywhere             [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  any    any     anywhere             anywhere
    0     0 FWDI_public_deny  all  --  any    any     anywhere             anywhere
    0     0 FWDI_public_allow  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  any    any     anywhere             anywhere
    0     0 FWDO_public_deny  all  --  any    any     anywhere             anywhere
    0     0 FWDO_public_allow  all  --  any    any     anywhere             anywhere

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1943 90860 IN_public  all  --  eth0   any     anywhere             anywhere             [goto]
    0     0 IN_public  all  --  +      any     anywhere             anywhere             [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1943 90860 IN_public_log  all  --  any    any     anywhere             anywhere
 1943 90860 IN_public_deny  all  --  any    any     anywhere             anywhere
 1943 90860 IN_public_allow  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW
  498 22176 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http ctstate NEW
  979 49936 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:webcache ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:ndmps:50000 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp-data ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1224 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp

Answer 1

Your CentOS system is using firewalld, so you need to use it to update the firewall configuration. You can modify the rules with the firewall-cmd command. For example, to allow the FTP service in the public zone, you can use:

# firewall-cmd --add-service=ftp --zone=public

You can see in the output of the iptables command that the rules have been defined using firewalld, which is why you see all the tables with "_public" in their names.
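Two helpers that fit the situation above, written here as an added example (not part of the original question or answer). The first reads an `iptables -L -v` dump and lists which destination ports the firewalld-managed `IN_public_allow` chain accepts for NEW connections, which is the quickest way to see what is already exposed (in the posted output that chain already accepts `ftp` and `ftp-data` from anywhere). The second emits the `firewall-cmd` commands that admit FTP in the public zone from one partner address range only, using a firewalld rich rule instead of `--add-service=ftp`, which would open it to the whole Internet; a matching revoke helper exists for when the weeks are over. The dump below is a constructed excerpt modelled on the posted output, and `203.0.113.0/24` is a placeholder for the partner's real range.

```shell
#!/bin/sh
# Added example, not the original poster's or firewalld's own code.
# Helpers: audit_public_allow (what the public zone currently admits) and
# ftp_allow_commands / ftp_revoke_commands (scoped, reversible FTP access).

# Constructed sample modelled on the relevant part of an `iptables -L -v` dump.
SAMPLE_DUMP='Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW
  498 22176 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:ndmps:50000 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp-data ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination
'

# Read an iptables -L -v dump on stdin and print "port-or-range source packets"
# for every ACCEPT rule inside the IN_public_allow chain only, so rules in other
# chains (such as OUTPUT_direct) are not mistaken for inbound openings.
# Columns of `iptables -L -v`: 1 pkts, 2 bytes, 3 target, 8 source, then matches.
audit_public_allow() {
    awk '
        /^Chain IN_public_allow/ { inchain = 1; next }
        /^Chain /                { inchain = 0 }
        inchain && $3 == "ACCEPT" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpts?:/) { sub(/^dpts?:/, "", $i); print $i, $8, $1 }
        }'
}

# The firewalld rich rule that admits the ftp service from one source only.
ftp_rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ftp" accept' "$1"
}

# Emit (not execute) the commands that grant FTP from $1 (address or CIDR).
# --permanent plus --reload makes the change survive a reboot and apply now;
# the final --list-rich-rules is the verification step. Review, then `| sh` as root.
ftp_allow_commands() {
    src="$1"
    [ -n "$src" ] || { echo "usage: ftp_allow_commands <source-cidr>" >&2; return 1; }
    printf "firewall-cmd --permanent --zone=public --add-rich-rule='%s'\n" "$(ftp_rich_rule "$src")"
    printf 'firewall-cmd --reload\n'
    printf 'firewall-cmd --zone=public --list-rich-rules\n'
}

# Emit the commands that take the same access away again once it is no longer needed.
ftp_revoke_commands() {
    src="$1"
    [ -n "$src" ] || { echo "usage: ftp_revoke_commands <source-cidr>" >&2; return 1; }
    printf "firewall-cmd --permanent --zone=public --remove-rich-rule='%s'\n" "$(ftp_rich_rule "$src")"
    printf 'firewall-cmd --reload\n'
}

# Stand-alone run: audit the sample, then show what would be applied for the placeholder range.
printf '%s\n' "$SAMPLE_DUMP" | audit_public_allow
ftp_allow_commands "203.0.113.0/24"
```

On the real host replace the sample with `sudo iptables -L -v | audit_public_allow`. Because the control connection on port 21 is only half of FTP, also confirm that the FTP connection-tracking helper is loaded (`lsmod | grep nf_conntrack_ftp`) so that data connections are matched by the existing `ctstate RELATED,ESTABLISHED` rule, and if the server is configured with a fixed passive port range, check that the range is admitted as well.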
