iptables - 为什么 stun、turn 端口无法正常工作以允许端点访问服务器?

tag-icon tag-icon networking centos security iptables firewall
iptables - 为什么 stun、turn 端口无法正常工作以允许端点访问服务器?

我有这个 iptables,除了 tcp/udp 端口​​ 3478 和 5349 之外,其他所有功能都可以工作。

$ cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Nov 21 10:21:41 2013
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p udp -m udp -m string --dport 5080 -j DROP  --string "friendly-scanner" --algo bm --to 65535 
-A INPUT -p udp -m udp -m string --dport 5060 -j DROP  --string "friendly-scanner" --algo bm --to 65535 
-A INPUT -p tcp -m tcp --dport 5081 -j ACCEPT
-A INPUT -p udp -m udp --dport 5081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT
-A INPUT -p udp -m udp --dport 5080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 16000:42000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7007 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 178.162.205.224/32 -j DROP
-A INPUT -s 65.55.44.100/32 -j DROP
-A INPUT -s 178.162.205.224/32 -j DROP
-A INPUT -s 91.218.247.162/32 -j DROP
-A INPUT -s 85.25.78.58/32 -j DROP
-A INPUT -s 91.218.247.162/32 -j DROP

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A INPUT -j ACCEPT

COMMIT
# Completed on Thu Nov 21 10:21:41 2013
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

答案1

这些规则对我来说看起来很开放。我将验证这些是当前在机器上生效的规则。

如果您刷新表并将所有策略设置为接受,客户端是否可以连接?

我认为客户不是其中之一......

-A INPUT -s 178.162.205.224/32 -j DROP
-A INPUT -s 65.55.44.100/32 -j DROP
-A INPUT -s 178.162.205.224/32 -j DROP
-A INPUT -s 91.218.247.162/32 -j DROP
-A INPUT -s 85.25.78.58/32 -j DROP
-A INPUT -s 91.218.247.162/32 -j DROP

相关内容