The company I'm with (Softlayer) requires me to open the port range 48000 to 48020 for their monitoring service.
According to ifconfig, these are my interfaces:
eth0 Link encap:Ethernet HWaddr 06:3F:74:F6:7F:0C
inet addr:10.54.12.130
...
eth1 Link encap:Ethernet HWaddr 06:0C:1E:65:0E:A8
inet addr:50.23.75.242
....
These are my current iptables rules:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
3 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
4 ACCEPT tcp -- anywhere anywhere tcp dpt:http
5 ACCEPT tcp -- anywhere anywhere tcp dpt:https
6 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ici
7 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
I have already tried this iptables command:
iptables -I INPUT 7 -i eth0 -p tcp -s 10.54.12.130 --dport 48000:48020 -j ACCEPT
The result is:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
3 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
4 ACCEPT tcp -- anywhere anywhere tcp dpt:http
5 ACCEPT tcp -- anywhere anywhere tcp dpt:https
6 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ici
7 ACCEPT tcp -- 10.54.12.130 anywhere tcp dpts:nimcontroller:48020
8 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
But the Nimsoft-monitor-testing tool provided by Softlayer reports that it cannot connect.
What exactly am I doing wrong?
Answer 1
10.54.12.130 is your own internal IP address, not the internal IP address of Softlayer's Nimsoft server. You are only allowing connections to those ports from your own IP! That is why it does not work.
To fix it, change the source IP address to the Nimsoft server IP address that Softlayer gave you, or, if it is a trusted management network, omit the source IP entirely. Softlayer themselves recommend using the 10.0.0.0/8 source. The rule would then be:
-A INPUT -i eth0 -s 10.0.0.0/8 -p tcp -m state --state NEW --dport 48000:48020 -j ACCEPT
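To see why the source address is the whole problem, here is an added Python example (not part of the original answer) that evaluates a reduced, constructed copy of the INPUT chain from this page the way the kernel does, first match wins, and compares the asker's source (10.54.12.130) with the answer's (10.0.0.0/8). The Nimsoft server address 10.1.2.3 and the public address 50.23.75.1 are placeholders, and the input interface is assumed to be eth0 for every packet.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S INPUT` for the chain on this page, reduced to the
# rules that matter here. {src} is the monitoring rule's source, so the asker's version
# (10.54.12.130) and the answer's version (10.0.0.0/8) can be evaluated side by side.
CHAIN_TEMPLATE = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -s {src} -p tcp -m state --state NEW --dport 48000:48020 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""


def parse_rule(line):
    """Extract the matches this evaluator understands from one `-A INPUT ...` line
    (-i is ignored: every packet is assumed to arrive on eth0)."""
    toks = shlex.split(line)
    rule = {"src": None, "proto": None, "dport": None, "state": None, "target": None}
    i = 0
    while i < len(toks):
        t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)  # host -> /32
        elif t == "-p":
            rule["proto"] = arg
        elif t == "--dport":
            lo, _, hi = arg.partition(":")  # "48000:48020" or a single port
            rule["dport"] = (int(lo), int(hi or lo))
        elif t == "--state":
            rule["state"] = set(arg.split(","))
        elif t == "-j":
            rule["target"] = arg
        i += 2 if t in ("-s", "-p", "--dport", "--state", "-j") else 1
    return rule


def verdict(chain_text, src_ip, proto, dport):
    """Target of the first rule matching a NEW (connection-opening) packet,
    or the chain policy (ACCEPT on this page) when no rule matches."""
    ip = ipaddress.ip_address(src_ip)
    for line in chain_text.strip().splitlines():
        r = parse_rule(line)
        if (r["src"] is not None and ip not in r["src"]) \
           or (r["proto"] is not None and r["proto"] != proto) \
           or (r["dport"] is not None and not r["dport"][0] <= dport <= r["dport"][1]) \
           or (r["state"] is not None and "NEW" not in r["state"]):
            continue
        return r["target"]
    return "ACCEPT"
```

With the asker's rule, a probe from the Nimsoft server (10.1.2.3) to port 48010 falls through to the final REJECT; with the 10.0.0.0/8 source it is accepted, while a public address or a port outside 48000:48020 is still rejected.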