我正在尝试在我的 CentOS 服务器上打开一个端口...我尝试使用 iptables,添加“-A INPUT -p udp -m udp --dport portnum -j ACCEPT”,但没有成功。我尝试安装 CSF,添加端口并禁用测试模式。同样没有成功...
知道我可能做错了什么吗?
我当前的 iptables 配置:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:1608]
:acctboth - [0:0]
-A INPUT -j acctboth
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 43 -j ACCEPT
-I INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -j acctboth
-A acctboth -s myIP ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d myIP ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s myIP ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d myIP ! -i lo -p tcp -m tcp --sport 25
-A acctboth -s myIP ! -i lo -p tcp -m tcp --dport 110
-A acctboth -d myIP ! -i lo -p tcp -m tcp --sport 110
-A acctboth -s myIP ! -i lo -p icmp
-A acctboth -d myIP ! -i lo -p icmp
-A acctboth -s myIP ! -i lo -p tcp
-A acctboth -d myIP ! -i lo -p tcp
-A acctboth -s myIP ! -i lo -p udp
-A acctboth -d myIP ! -i lo -p udp
-A acctboth -s myIP ! -i lo
-A acctboth -d myIP ! -i lo
-A acctboth ! -i lo
-A acctboth -d myIP ! -i lo -p tcp -m tcp --sport 43
COMMIT
但是我同时安装了 CSF 来尝试查看是否是我太笨而无法使用 iptables(更容易理解的 cfg 文件),所以......可能不是在这里,我现在需要改变一些东西。
::: 编辑
经过进一步的处理后,似乎问题扩展到我尝试打开的任何新端口......有什么想法吗?
答案1
首先,列出你当前的规则:
iptables -L -v
例如
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38M 26G ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
489 47582 ACCEPT icmp -- any any anywhere anywhere
147K 8842K ACCEPT all -- lo any anywhere anywhere
884 50328 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
108K 6441K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
40094 2382K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
110K 27M REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 36M packets, 20G bytes)
pkts bytes target prot opt in out source destination
您会注意到REJECT链末尾的规则INPUT。您需要将要允许流量从前该规则,否则将被拒绝,因为规则是按顺序处理的。您可以REJECT使用 在该规则之前插入一条规则-I INPUT 7,其中7是要插入规则的行号。
例如
iptables -I INPUT 7 -m state --state NEW -m tcp -p tcp --dport 43 -j ACCEPT
再次运行iptables -L -v,您现在应该会看到该规则。
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38M 26G ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
489 47582 ACCEPT icmp -- any any anywhere anywhere
147K 8843K ACCEPT all -- lo any anywhere anywhere
884 50328 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
108K 6443K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
40099 2382K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:nicname
110K 27M REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 184 packets, 19752 bytes)
pkts bytes target prot opt in out source destination
现在您需要保存规则,以便在重新启动后应用相同的规则。
运行/sbin/service iptables save,它将保存您当前的规则到/etc/sysconfig/iptables。
答案2
-A INPUT -p udp -m udp --dport portno -j ACCEPT应该可以工作。您可以尝试netstat -tpln |grep portno粘贴输出吗?