Opening a service port outside of Docker

I have installed some Docker applications on a virtual server, but I have never modified the iptables policy. When I run a full nmap against the virtual server, I get:

Host is up (0.044s latency).
Not shown: 65521 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
2022/tcp open     down
4444/tcp filtered krb524
5554/tcp filtered sgi-esphttp
8000/tcp open     http-alt
8005/tcp open     mxi
8006/tcp open     wpl-analytics
9996/tcp filtered palace-5

Running iptables -L on the virtual server, I get:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8496
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8495
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8490
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8386
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8486
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8485
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8480
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8476
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8475
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8470
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8466
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8465
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8460
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8456
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8455
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8445
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8430
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8426
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8450
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8446
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8440
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8436
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8435
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8425
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8420
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8416
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8415
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8410
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8406
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8405
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8400
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8396
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8395
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8390
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8385
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8380
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8376
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8375
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8370
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8366
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8365
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8360
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8356
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8355
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8350
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8346
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8345
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8340
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8336
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8335
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8330
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8326
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8325
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8320
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8316
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8315
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8310
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8306
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8305
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8300
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8296
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8295
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8276
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8290
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8286
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8285
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8280
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8275
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8270
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8266
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8265
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8260
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8256
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8255
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8250
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8246
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8245
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8240
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8236
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8235
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8230
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8226
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8225
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8220
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8216
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8215
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8205
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8210
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8206
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8200
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8196
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8195
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8190
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8186
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8185
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8180
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8176
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8175
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8170
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8166
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8165
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8160
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8156
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8155
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8145
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8150
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8146
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:puppet
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8116
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8136
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8135
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8130
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8126
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8125
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8120
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8115
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8110
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8106
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8105
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8100
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8096
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8095
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8090
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8065
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8076
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8075
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8070
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8066
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8060
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8056
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8055
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8050
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8046
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8045
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8040
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8036
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8035
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8030
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8026
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8025
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8020
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8016
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8015
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8010
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8006
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8005
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:8000
ACCEPT     tcp  --  anywhere             172.18.0.6           tcp dpt:2022
ACCEPT     tcp  --  anywhere             172.18.0.6           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.18.0.6           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Now I have installed a service that uses port 60000 as source and destination, but if I open the port,

iptables -A INPUT -p udp --dport 60000 -j ACCEPT
iptables -A INPUT -p udp --sport 60000 -j ACCEPT
iptables -A INPUT -p tcp --dport 60000 -j ACCEPT
iptables -A INPUT -p tcp --sport 60000 -j ACCEPT

the port is not opened.

Host is up (0.039s latency).

PORT      STATE  SERVICE
60000/tcp closed unknown

How can I solve this? Thanks.

Ivan
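
A diagnostic for the situation in the question, as an added example that is not part of the original post: nmap reports 60000/tcp as closed rather than filtered, and the INPUT policy shown is ACCEPT, so the check below combines the nmap state with the INPUT rules and the listener list. The function names and the sample inputs are constructed for illustration; the inputs stand in for captured `iptables -S INPUT` and `ss -H -ltn` output.

```shell
#!/bin/sh
# Added example. Arguments to classify_port are captured text:
#   $1 nmap state, $2 `iptables -S INPUT`, $3 `ss -H -ltn`, $4 port number.

# Succeed if INPUT can discard traffic: non-ACCEPT policy or a DROP/REJECT rule.
input_blocks() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $2 == "INPUT" && $3 != "ACCEPT" { hit = 1 }
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT")) hit = 1
        }
        END { exit(hit ? 0 : 1) }'
}

# has_listener PORT SS_OUTPUT: succeed if a non-loopback TCP socket listens on PORT.
has_listener() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            # Loopback-only sockets cannot answer a remote scan.
            if (part[n] == port && $4 !~ /^(127\.|\[::1\])/) hit = 1
        }
        END { exit(hit ? 0 : 1) }'
}

classify_port() {
    case "$1" in
        open) echo "reachable" ;;
        closed)
            # closed: the probe was answered with a TCP RST, so packets reach the host.
            if has_listener "$4" "$3"; then echo "listener-present-but-reset"
            else echo "no-listener"; fi ;;
        filtered)
            # filtered: no answer; either the host firewall or something upstream drops it.
            if input_blocks "$2"; then echo "host-firewall"
            else echo "upstream-filter"; fi ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample input: INPUT policy ACCEPT plus added ACCEPT rules,
# listeners on other ports only, nothing bound to 60000.
SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 60000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60000 -j ACCEPT'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*'

classify_port closed "$SAMPLE_INPUT" "$SAMPLE_SS" 60000
```

A result of `no-listener` means ACCEPT rules in INPUT cannot change the scan result: with an ACCEPT policy they are already redundant, and the port reads as open only once a process is bound to it on a non-loopback address.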
