Linux web server not "accepting" connections


First, thank you to anyone who can offer help, I really appreciate it!

I have set up a basic network for testing. It has pfSense as the gateway/DHCP/DNS host, with two Linux machines behind it. One of the Linux machines hosts an Apache web server, and I'm having trouble loading web pages from the other Linux machine.

I think this has to do with httpd binding to the loopback IP address, but I seem to have fixed that and the problem persists. Looking at the last nmap, it looks like the web server does not have ports 80 or 443 open for outside access.

Here is the netstat output on the web server:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1502/mariadbd       
tcp        0      0 127.0.0.1:44321         0.0.0.0:*               LISTEN      1570/pmcd           
tcp        0      0 127.0.0.1:60999         0.0.0.0:*               LISTEN      809/glance-apiuWSGI 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      760/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1199/sshd: /usr/sbi 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1247/httpd          
tcp        0      0 0.0.0.0:8775            0.0.0.0:*               LISTEN      811/nova-api-metauW 
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      1190/beam.smp       
tcp        0      0 0.0.0.0:9696            0.0.0.0:*               LISTEN      820/ml2_conf.ini    
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      760/systemd-resolve 
tcp        0      0 127.0.0.1:6640          0.0.0.0:*               LISTEN      1013/ovsdb-server   
tcp        0      0 0.0.0.0:6642            0.0.0.0:*               LISTEN      937/ovsdb-server    
tcp        0      0 0.0.0.0:6641            0.0.0.0:*               LISTEN      909/ovsdb-server    
tcp        0      0 127.0.0.1:39711         0.0.0.0:*               LISTEN      811/nova-api-metauW 
tcp        0      0 20.20.20.11:2379        0.0.0.0:*               LISTEN      1169/etcd           
tcp        0      0 127.0.0.1:4330          0.0.0.0:*               LISTEN      2234/pmlogger       
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      760/systemd-resolve 
tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      815/python3.11      
tcp6       0      0 :::2380                 :::*                    LISTEN      1169/etcd           
tcp6       0      0 ::1:4330                :::*                    LISTEN      2234/pmlogger       
tcp6       0      0 :::22                   :::*                    LISTEN      1199/sshd: /usr/sbi 
tcp6       0      0 :::443                  :::*                    LISTEN      1247/httpd          
tcp6       0      0 :::9090                 :::*                    LISTEN      1/systemd           
tcp6       0      0 :::4369                 :::*                    LISTEN      1/systemd           
tcp6       0      0 ::1:44321               :::*                    LISTEN      1570/pmcd           
tcp6       0      0 :::5355                 :::*                    LISTEN      760/systemd-resolve 
tcp6       0      0 :::5672                 :::*                    LISTEN      1190/beam.smp  

Here are my iptables on the web server:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Here is nmap run on the web server itself:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-09 19:18 CDT
Nmap scan report for opendevhost.testing.prox (20.20.20.11)
Host is up (0.0000080s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
9090/tcp open  zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Here is nmap of the web server run from the other Linux machine on the LAN:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-09 19:17 CDT
Nmap scan report for opendevhost.testing.prox (20.20.20.11)
Host is up (0.00041s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (admin-prohibited)
PORT     STATE SERVICE
22/tcp   open  ssh
9090/tcp open  zeus-admin
MAC Address: 46:0E:A2:7D:12:1A (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds

I added http and https services through the firewall by logging into the server via the web console.

Answer 1

You added the enabling rules after a generic REJECT rule that always matches: your additional rules are never traversed, so they are useless. A terminal rule is always immediate: once the REJECT is evaluated, no other rule in this hook (INPUT) is evaluated anymore.

One way to fix this is to delete (wherever it is) and put back (last) the REJECT rule. While at it, add a rule dropping the INVALID state before the REJECT rule, to avoid REJECT rejecting an established flow in the rare cases involving delayed packets (as warned about in newer versions of reject).

iptables -D INPUT -j REJECT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -j REJECT

It is better to rebuild the ruleset from a known good source, either with a script, or with a pair of iptables-save to save it to a file / iptables-restore from that file, or with a firewall framework (such as firewalld or ufw).
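As an added illustration (not part of the original answer), the following Python model reproduces the first-match semantics the answer relies on, using the INPUT chain from the question: it shows that the http/https ACCEPT rules appended after the catch-all REJECT are never reached, and that the answer's reordering fixes it. The `-i lo` match on the third rule and the packet values are assumptions.

```python
# Added example, not code from the original post: a first-match model of the
# iptables INPUT chain shown in the question. Rule tuples are constructed from
# the "iptables -L" output in the post; an empty match dict matches everything.
BROKEN_INPUT = [
    ({"ctstate": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
    ({"proto": "icmp"}, "ACCEPT"),
    ({"iface": "lo"}, "ACCEPT"),  # assumed: the bare "all anywhere" rule is -i lo
    ({"proto": "tcp", "dport": 22, "ctstate": {"NEW"}}, "ACCEPT"),
    ({}, "REJECT"),  # catch-all, terminal: nothing below it is ever evaluated
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "dport": 443}, "ACCEPT"),
]


def _field_matches(key, wanted, actual):
    """A ctstate match is a set of allowed states; other matches are exact."""
    if key == "ctstate":
        return actual in wanted
    return actual == wanted


def evaluate(chain, packet, policy="ACCEPT"):
    """Walk the chain top to bottom. ACCEPT/DROP/REJECT are all terminal, so the
    first matching rule decides; returns (target, rule index) or (policy, None)."""
    for index, (match, target) in enumerate(chain):
        if all(_field_matches(k, v, packet.get(k)) for k, v in match.items()):
            return target, index
    return policy, None


def fix_input_chain(chain):
    """Apply the answer's fix: delete the catch-all REJECT wherever it sits
    (iptables -D INPUT -j REJECT), then append a DROP for INVALID conntrack
    state and re-append the REJECT so it is evaluated last."""
    kept = [rule for rule in chain if rule != ({}, "REJECT")]
    kept.append(({"ctstate": {"INVALID"}}, "DROP"))
    kept.append(({}, "REJECT"))
    return kept


if __name__ == "__main__":
    # Constructed packet: a new connection from the LAN host to port 80.
    http_syn = {"proto": "tcp", "dport": 80, "ctstate": "NEW", "iface": "ens18"}
    print("broken chain:", evaluate(BROKEN_INPUT, http_syn))
    print("fixed chain: ", evaluate(fix_input_chain(BROKEN_INPUT), http_syn))
```

The broken chain hands the port 80 SYN to rule index 4 (REJECT), which is exactly the "admin-prohibited" response nmap reported from the other machine; after the fix the same packet reaches the http ACCEPT rule.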
