iptables rejects connections on localhost and I can't find what is causing it

Someone gave me a CentOS 7 server to configure for a project. It came with about 500 rules configured, and now, after running my service on port 18081, I get
[amir@serverhXJopV70D1 ~]$ curl -v http://127.0.0.1:18081
* Trying 127.0.0.1:18081...
* Connected to 127.0.0.1 (127.0.0.1) port 18081 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:18081
> User-Agent: curl/7.70.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
Even if I try to connect to the service through the server's IP address, everything works fine.
I followed this link to find out which rule is causing the problem, but the result is still hard for me to understand:
[amir@serverhXJopV70D1 ~]$ sudo iptables -L -v -n > Sample1 && curl 127.0.0.1:18081; sudo iptables -L -v -n > Sample2 && diff Samp*
curl: (56) Recv failure: Connection reset by peer
14,16c14,16
< 28665 8728K LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0
< 4321 256K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
< 27722 8645K INVALID tcp -- !lo * 0.0.0.0/0 0.0.0.0/0
---
> 28668 8728K LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0
> 4329 256K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 27725 8645K INVALID tcp -- !lo * 0.0.0.0/0 0.0.0.0/0
20c20
< 23598 8470K ACCEPT all -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
---
> 23601 8470K ACCEPT all -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
87c87
< 18511 10M LOCALOUTPUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
---
> 18516 10M LOCALOUTPUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
92,94c92,94
< 22969 10M SMTPOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
< 4629 277K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
< 17545 9985K INVALID tcp -- * !lo 0.0.0.0/0 0.0.0.0/0
---
> 22982 10M SMTPOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
> 4637 277K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
> 17550 9986K INVALID tcp -- * !lo 0.0.0.0/0 0.0.0.0/0
96c96
< 17770 10M ACCEPT all -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
---
> 17773 10M ACCEPT all -- * !lo 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
117c117
< 33 2113 LOGDROPOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
---
> 35 2233 LOGDROPOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
342,343c342,343
< 28665 8728K ALLOWIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
< 28665 8728K DENYIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
---
> 28668 8728K ALLOWIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
> 28668 8728K DENYIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
347,348c347,348
< 18511 10M ALLOWOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
< 18511 10M DENYOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
---
> 18516 10M ALLOWOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
> 18516 10M DENYOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
379c379
< 32 1920 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
---
> 34 2040 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
382c382
< 33 2113 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
---
> 35 2233 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
My question on Stack Overflow explains more about the service. At first I thought Docker was causing this problem.
Update: output of sudo iptables -L -n | grep tcp | grep -v ACCEPT
INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 193.169.254.105 0.0.0.0/0 tcp dpt:25
DROP tcp -- 193.169.254.105 0.0.0.0/0 tcp dpt:465
DROP tcp -- 193.169.254.105 0.0.0.0/0 tcp dpt:587
LOGDROPOUT tcp -- 0.0.0.0/0 193.169.254.105 tcp dpt:25
LOGDROPOUT tcp -- 0.0.0.0/0 193.169.254.105 tcp dpt:465
LOGDROPOUT tcp -- 0.0.0.0/0 193.169.254.105 tcp dpt:587
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOGDROPOUT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
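The snapshot-and-diff step in the question can be automated so that the 500-rule listing does not have to be read by hand. The following is an added example, not code from the question or from any firewall product: it parses two `iptables -L -v -n` snapshots, reports every rule whose packet counter moved between them, and then narrows the list to rules with a terminal DROP or REJECT target, which are the ones that can actually make a connection fail (a jump to a user chain such as LOGDROPOUT is not itself the verdict; the REJECT inside that chain is). The two embedded snapshots are constructed from the counter values shown above and cover only two chains; the function names and file arguments are the example's own.

```python
"""Locate iptables rules whose counters moved while a test connection was made.

Usage on a real host (not run here; -x prints exact, unrounded counters):
    sudo iptables -L -v -n -x > before.txt
    curl -s http://127.0.0.1:18081 >/dev/null
    sudo iptables -L -v -n -x > after.txt
    python3 iptables_counter_diff.py before.txt after.txt
"""
import re
import sys
from typing import Dict, List, Tuple

# Multipliers `iptables -L -v -n` uses when it abbreviates large counters.
# The real command rounds these (8728K is not exact); pass -x / --exact to avoid it.
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

RuleKey = Tuple[str, int]        # (chain name, 1-based position within the chain)
RuleInfo = Tuple[int, int, str]  # (pkts, bytes, rule text without the counters)


def parse_counter(token: str) -> int:
    """'4321' -> 4321, '8728K' -> 8728000, '10M' -> 10000000."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_snapshot(text: str) -> Dict[RuleKey, RuleInfo]:
    """Parse `iptables -L -v -n` output into {(chain, position): (pkts, bytes, rule)}."""
    rules: Dict[RuleKey, RuleInfo] = {}
    chain, pos = None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            chain, pos = header.group(1), 0
            continue
        fields = line.split()
        if chain is None or fields[0] == "pkts":  # column-header line
            continue
        pos += 1
        rules[(chain, pos)] = (parse_counter(fields[0]),
                               parse_counter(fields[1]),
                               " ".join(fields[2:]))
    return rules


def changed_rules(before: str, after: str) -> List[Tuple[str, int, int, str]]:
    """Return (chain, position, packet delta, rule) for every rule whose packet
    counter moved. Packets are compared rather than bytes because an abbreviated
    byte counter such as 8728K usually does not change for a handful of packets."""
    b, a = parse_snapshot(before), parse_snapshot(after)
    if b.keys() != a.keys() or any(b[k][2] != a[k][2] for k in a):
        raise ValueError("rule set differs between snapshots; counters are not comparable")
    return [(chain, pos, a[(chain, pos)][0] - b[(chain, pos)][0], a[(chain, pos)][2])
            for (chain, pos) in a if a[(chain, pos)][0] != b[(chain, pos)][0]]


def drop_or_reject(changes):
    """Keep only rules whose target is a terminal DROP or REJECT verdict."""
    return [c for c in changes if c[3].split()[0] in {"DROP", "REJECT"}]


# Constructed sample snapshots built from the counter values in the question above.
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
28665 8728K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
 4321  256K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
27722 8645K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   32  1920 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
   33  2113 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

AFTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
28668 8728K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
 4329  256K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
27725 8645K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   34  2040 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
   35  2233 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""


def main(argv: List[str]) -> int:
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = BEFORE, AFTER  # fall back to the embedded sample
    changes = changed_rules(before, after)
    for chain, pos, delta, rule in changes:
        print(f"{chain}:{pos:<3} +{delta:<4} {rule}")
    print("--- terminal DROP/REJECT rules that were hit:")
    for chain, pos, delta, rule in drop_or_reject(changes):
        print(f"{chain}:{pos:<3} +{delta:<4} {rule}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the embedded sample the script lists five rules with moved packet counters and narrows them to the single REJECT rule in LOGDROPOUT, which is what the hand-made diff above also shows. Because rules are matched by chain and position, both snapshots must be taken from the same rule set; if a rule was added or removed in between, the script refuses to compare rather than report misleading deltas.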