iptables rule to allow Nimsoft connections through the internal interface

The company I am with (Softlayer) requires me to open the port range 48000 to 48020 for their monitoring service.

According to ifconfig, these are my interfaces:

eth0      Link encap:Ethernet  HWaddr 06:3F:74:F6:7F:0C
          inet addr:10.54.12.130
          ...

eth1      Link encap:Ethernet  HWaddr 06:0C:1E:65:0E:A8
          inet addr:50.23.75.242
          ....

These are my current iptables rules:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ici
7    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

I have already tried this iptables command: iptables -I INPUT 7 -i eth0 -p tcp -s 10.54.12.130 --dport 48000:48020 -j ACCEPT

The result is:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ici
7    ACCEPT     tcp  --  10.54.12.130         anywhere            tcp dpts:nimcontroller:48020
8    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

But the Nimsoft-monitor-testing tool provided by Softlayer reports that it cannot connect.

What exactly am I doing wrong?

Answer 1

10.54.12.130 is your internal IP address, not the internal IP address of Softlayer's Nimsoft server. You are only allowing connections to those ports from your own IP! That is why it does not work.

To fix it, change the source IP address to the Nimsoft server IP address that Softlayer gave you, or, if it is a trusted management network, you can omit the source IP altogether. Softlayer itself recommends using a 10.0.0.0/8 source. So the rule would be:

-A INPUT -i eth0 -s 10.0.0.0/8 -p tcp -m state --state NEW --dport 48000:48020 -j ACCEPT
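The difference between the two versions of rule 7 can be checked without touching a live firewall. What follows is an added example, not code from the question or the answer: a small first-match simulator for the INPUT chain listed above, with rule 7 swapped between the questioner's version (source 10.54.12.130) and the answer's version (source 10.0.0.0/8). It assumes rule 1 is the usual `-i lo` accept (the `iptables -L` listing hides interfaces because `-v` was not used), that `ici` is TCP port 5003 as in /etc/services, and it uses 10.200.0.5 as a constructed stand-in for the Nimsoft poller's private address. The renderer also shows the rule as an iptables command, where a port range is given with `--dport lo:hi` (`--dports` belongs to the multiport match and is rejected without `-m multiport`).

```python
# Added example: first-match simulation of the INPUT chain from the page.
# It does not touch netfilter; it only evaluates constructed packets against rules.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    target: str                               # ACCEPT or REJECT
    proto: Optional[str] = None               # "-p tcp"; None means "all"
    in_iface: Optional[str] = None            # "-i eth0"
    src: Optional[str] = None                 # "-s 10.0.0.0/8" (a bare address is a /32)
    dports: Optional[Tuple[int, int]] = None  # "--dport 48000:48020", inclusive range
    states: Optional[Set[str]] = None         # "-m state --state NEW"

    def matches(self, pkt: dict) -> bool:
        """True when every criterion the rule specifies is satisfied by the packet."""
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.in_iface and pkt["iface"] != self.in_iface:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dports and not (self.dports[0] <= pkt["dport"] <= self.dports[1]):
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        return True

    def as_iptables(self, chain: str = "INPUT") -> str:
        """Render the rule as an iptables command line (ranges use --dport, not --dports)."""
        parts = ["iptables", "-A", chain]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.src:
            parts += ["-s", self.src]
        if self.proto:
            parts += ["-p", self.proto]
        if self.states:
            parts += ["-m", "state", "--state", ",".join(sorted(self.states))]
        if self.dports:
            lo, hi = self.dports
            parts += ["--dport", f"{lo}:{hi}" if lo != hi else str(lo)]
        parts += ["-j", self.target]
        return " ".join(parts)


# Rules 1-6 of the page's INPUT chain. Rule 1 is ASSUMED to be the usual "-i lo"
# accept (iptables -L without -v hides interfaces); "ici" is TCP 5003 in /etc/services.
BASE_RULES = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("REJECT", src="127.0.0.0/8"),
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", proto="tcp", dports=(80, 80)),
    Rule("ACCEPT", proto="tcp", dports=(443, 443)),
    Rule("ACCEPT", proto="tcp", dports=(5003, 5003), states={"NEW"}),
]
FINAL_REJECT = Rule("REJECT")  # rule 8 on the page: catch-all reject

# Rule 7 as inserted in the question: the source is the host's own eth0 address.
OP_RULE = Rule("ACCEPT", proto="tcp", in_iface="eth0", src="10.54.12.130",
               dports=(48000, 48020))
# Rule 7 as the answer recommends: the whole 10.0.0.0/8 range, new connections only.
ANSWER_RULE = Rule("ACCEPT", proto="tcp", in_iface="eth0", src="10.0.0.0/8",
                   dports=(48000, 48020), states={"NEW"})


def input_chain(rule7: Rule) -> List[Rule]:
    return BASE_RULES + [rule7, FINAL_REJECT]


def verdict(chain: List[Rule], pkt: dict, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in netfilter; the chain policy applies otherwise."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def probe(src: str, dport: int, iface: str = "eth0", state: str = "NEW") -> dict:
    """A constructed inbound TCP SYN, as the Nimsoft tester would send it."""
    return {"proto": "tcp", "src": src, "dport": dport, "iface": iface, "state": state}


# Constructed stand-in for the Nimsoft poller's private address (not from the page).
POLLER = "10.200.0.5"

if __name__ == "__main__":
    for label, rule in (("question", OP_RULE), ("answer", ANSWER_RULE)):
        print(f"{label}: {rule.as_iptables()}")
        print(f"  probe from {POLLER}:48000 -> {verdict(input_chain(rule), probe(POLLER, 48000))}")
```

With the questioner's rule the poller's SYN falls through to the catch-all reject, because only packets whose source is the host's own address match rule 7; with the answer's rule it is accepted, while a public source, a port outside 48000-48020, or arrival on eth1 is still rejected.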