iptables command to add non-standard SSL port 444

Below is my iptables list output. What iptables commands should I issue to allow tcp port 444, which I use for non-standard SSL? I tried "iptables -A INPUT -p tcp --dport 444 -j ACCEPT" and then "service iptables save", but it does not work?!?! In my httpd.conf I am listening on port 444.

   Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
SSH_CHECK  tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snpp 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data 

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination         

Chain SSH_CHECK (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            recent: SET name: SSH side: source 
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 180 hit_count: 3 name: SSH side: source 

Answer 1

With your current rule set, a rule added with -A will not work because you have a REJECT rule. Use -I instead of -A so the rule is inserted first. Or better, "-I INPUT 2", which inserts the rule at the second position. For performance reasons, ESTABLISHED,RELATED should come first.
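
An added example, not part of the answer above or the original question: a small shell helper (function names and the inline listing are my own) that reads the INPUT chain exactly as the question lists it, locates the catch-all REJECT, and prints the -I command that inserts the port 444 rule ahead of it. On a real host you would feed it the output of `iptables -L INPUT` instead of the constructed string.

```shell
#!/bin/sh
# Listing constructed from the question's INPUT chain (trailing spaces dropped).
INPUT_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
SSH_CHECK  tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snpp'

# Print the 1-based rule number of the first REJECT that matches everything:
# proto "all", source and destination "anywhere", nothing but a reject-with
# option after them. Every rule listed below it (SSH_CHECK, ftp, snpp here,
# and anything appended with -A) is unreachable. Prints nothing if none.
catchall_reject_pos() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                      # skip "Chain ..." and the header
        { rule++ }
        $1 == "REJECT" && $2 == "all" && $4 == "anywhere" && $5 == "anywhere" &&
        (NF == 5 || $6 == "reject-with") { print rule; exit }'
}

# Build the command that inserts the ACCEPT for the given port *before* the
# catch-all REJECT, so it is evaluated. With -A it would land behind it.
insert_cmd_for_port() {
    pos=$(catchall_reject_pos "$1")
    [ -n "$pos" ] || pos=1                     # no catch-all: insert at the top
    printf 'iptables -I INPUT %s -p tcp -m state --state NEW --dport %s -j ACCEPT\n' "$pos" "$2"
}

insert_cmd_for_port "$INPUT_LISTING" 444
```

For the question's chain the catch-all REJECT is rule 9, so the printed command inserts the port 444 rule at position 9; `-I INPUT 2` from the answer also works, it just places the rule earlier.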

Answer 2

The name snpp is not the problem. Your approach should work. If you configure iptables to allow destination port 444 and configure httpd to listen on 444, your clients should be able to reach https on port 444, as in https://your.ip.addr.ess:444/

However, if you want clients to reach the https URL on the default port, https://your.ip.addr.ess/, you need to add a NAT rule like the following:

# REDIRECT is a target of the nat table, so the rule must be added with -t nat
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 444
