Ubuntu 上的 iptables 和 nmap

Here are the iptables rules on my Ubuntu cloud server:

cat /etc/iptables.rules:

*filter   
:INPUT DROP [598:41912]  
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [456:35354] 
-A INPUT -i lo -j ACCEPT  
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT  
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT  
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 22 -j ACCEPT  
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j DROP
COMMIT

I have not opened the ftp port 21 in the iptables rules above, yet I can connect to the server over ftp. How can that be?


nmap server-IP

Not shown: 987 closed ports 

PORT         STATE    SERVICE
21/tcp        open     ftp
22/tcp        open     ssh
25/tcp        open     smtp
53/tcp        open     domain
80/tcp        open     http
111/tcp       open     rpcbind
135/tcp       filtered msrpc
139/tcp       filtered netbios-ssn
389/tcp       open     ldap
445/tcp       filtered microsoft-ds
10000/tcp      open     java-or-OTGfileshare
2401/tcp      open     cvspserver
3306/tcp      open     mysql

Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds

Why are so many ports shown as open? I know these services are running on the server, but how can these ports be listed, or connected to (ftp), when they are not included in the iptables rules?

Need help...


The following script will be running at every 5 mins on cloud servers to update their iptables for the dyndns domain name:

#!/bin/bash
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
HOST=$1
HOSTFILE="/root/host-$HOST"
CHAIN="dynamichosts"  # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough args passed.
if [ "$#" -ne 1 ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit 1
fi

# create the chain in iptables (a no-op, with an error we ignore, once it exists).
"$IPTABLES" -N "$CHAIN" 2>/dev/null
# insert the chain into the input chain @ the head of the list, but only once:
# an unconditional -I on every cron run adds another jump to the chain each time.
if ! "$IPTABLES" -L INPUT -n | grep -q "^${CHAIN} "; then
    "$IPTABLES" -I INPUT 1 -j "$CHAIN"
fi
# flush all the rules in the chain
"$IPTABLES" -F "$CHAIN"

# lookup host name from dns tables
IP=$(/usr/bin/dig +short "$HOST" | /usr/bin/tail -n 1)
if [ -z "$IP" ]; then
    echo "Couldn't lookup hostname for $HOST, failed."
    exit 1
fi

OLDIP=""
if [ -e "$HOSTFILE" ]; then
    OLDIP=$(cat "$HOSTFILE")
fi

# save off new ip.
echo "$IP" > "$HOSTFILE"

echo "Updating $HOST in iptables."
if [ -n "$OLDIP" ]; then
    echo "Removing old rule ($OLDIP)"
    # already gone if the chain was flushed above, so ignore a missing-rule error.
    "$IPTABLES" -D "$CHAIN" -s "$OLDIP/32" -j ACCEPT 2>/dev/null
fi
echo "Inserting new rule ($IP)"
"$IPTABLES" -A "$CHAIN" -s "$IP/32" -j ACCEPT

Here is the output of "iptables -L" on the cloud server.

dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere tcp dpt:www
ACCEPT     all  --  anywhere             anywhere state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere state RELATED,ESTABLISHED 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in  anywhere tcp dpt:ssh 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in anywhere tcp dpt:10000 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in  anywhere tcp dpt:mysql 
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain dynamichosts (937 references)
target     prot opt source               destination         
ACCEPT     all  --  Telemedia-AP-dynamic-145.86.175.59.airtelbroadband.in  anywhere

Here airtelbroadband is my (dyndns domain). I think the script posted earlier created the new chain, and everything from this domain is allowed - is that right? Probably the allowed ports ssh, webmin, mysql and www are useless entries. But I want this domain to be allowed only on those ports, and when I check from my dyndns-domain system, I want nmap to list only the allowed ports on the cloud server. Any other help...?
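Two things the question circles back to, as an added example that is not code from the original post or from Dave Horner's script: emitting rules that allow the dyndns host only on the named ports instead of "ACCEPT all", and spotting the duplicated INPUT jumps that the 5-minute cron job leaves behind (the repeated dynamichosts lines above). The sample rules file and the 203.0.113.10 address are constructed, the chain name is taken from the post, and the functions only produce and inspect iptables-restore text without ever calling iptables.

```shell
#!/bin/sh
# Added example (not from the post): per-port rules for the dyndns host's chain
# instead of "ACCEPT all", plus detection/removal of duplicated INPUT jumps that
# an unconditional "iptables -I INPUT 1 -j dynamichosts" from cron produces.
# Pure text processing over iptables-restore syntax; nothing here calls iptables.
CHAIN="dynamichosts"   # same chain name as the script in the post
# Constructed sample in /etc/iptables.rules format: three identical jumps, as a
# cron job that inserted the jump on every run would leave behind.
SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:dynamichosts - [0:0]
-A INPUT -j dynamichosts
-A INPUT -j dynamichosts
-A INPUT -j dynamichosts
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A dynamichosts -s 203.0.113.10/32 -j ACCEPT
COMMIT
EOF
)

# render_dynhost_rules IP PORT... : rules allowing only the listed TCP ports
# from IP in $CHAIN, e.g. 22 10000 3306 for ssh, webmin and mysql.
render_dynhost_rules() {
    ip="$1"; shift
    for port in "$@"; do
        printf '%s -s %s/32 -p tcp -m tcp --dport %s -j ACCEPT\n' \
            "-A $CHAIN" "$ip" "$port"
    done
}

# count_chain_jumps : reads a rules file on stdin, prints how many INPUT rules
# jump to $CHAIN. Anything other than 1 means the cron job is stacking jumps.
count_chain_jumps() {
    grep -c -x -e "-A INPUT -j $CHAIN" || true
}

# dedupe_chain_jumps : same rules on stdin, keeps only the first such jump.
dedupe_chain_jumps() {
    awk -v jump="-A INPUT -j $CHAIN" '$0 == jump { if (seen++) next } { print }'
}

# Stand-alone demo: jump count before and after deduplication (3, then 1).
echo "INPUT jumps to $CHAIN: $(printf '%s\n' "$SAMPLE_RULES" | count_chain_jumps)"
echo "after dedupe: $(printf '%s\n' "$SAMPLE_RULES" | dedupe_chain_jumps | count_chain_jumps)"
```

The deduplicated output is valid input for iptables-restore, and the rendered per-port lines replace the chain's single "ACCEPT all" rule.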

Answer 1

Scan from a remote host. "-A INPUT -i lo -j ACCEPT" allows traffic from the server's IP to the server's IP.
