Although I am quite experienced with Linux, I am new to iptables, and I set it up following the Rackspace virtual server setup guide.
Using a port scan and checking remote access to the required ports, I can see that all traffic is blocked except for the ports I specifically opened.
However, I cannot reach ports that are open locally (for example w3m http://localhost:4848).
Here are my iptables rules:
# Generated by iptables-save v1.4.12 on Tue Oct 7 20:06:11 2014
*filter
:INPUT DROP [44:3960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [184:19472]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4848 -j ACCEPT
COMMIT
# Completed on Tue Oct 7 20:06:11 2014
Dump from sudo iptables -L -n -v:
Chain INPUT (policy DROP 45 packets, 4050 bytes)
pkts bytes target prot opt in out source destination
106 10697 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 64 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4848
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 77 packets, 9149 bytes)
pkts bytes target prot opt in out source destination
As requested in the comments, some more output:
$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
inet XXX.XXX.XXX.XXX/24 brd XXX.XXX.XXX.255 scope global eth0
inet6 XXXX::XXXX:XXXX:XXXX:XX/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
inet XXX.XXX.XXX.XXX/19 brd XXX.XXX.XXX.255 scope global eth1
inet6 XXXX::XXXX:XXXXX:XXXX:XXXX/64 scope link
valid_lft forever preferred_lft forever
I suspect that the lack of local access to these ports is the root cause of glassfish not working properly.
My questions are:
- How do I open local access to these ports without compromising remote security?
- Would you recommend any other changes to improve security?
Answer 1
To find out which rule you are missing, it is convenient to put a logging rule at the end of the chain:
iptables -A INPUT -j LOG
You will then see in the dmesg output every packet that reaches the end of the INPUT chain and is subsequently dropped by your DROP policy. As I said in the comments, you are probably missing a rule for the loopback device:
iptables -I INPUT -i lo -j ACCEPT
But try adding the logging rule to find out more specifically what iptables is matching on.
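An added example (not from the question or the answer) that models the INPUT chain above to trace `w3m http://localhost:4848`: the client's SYN matches the dport 4848 rule, but the server's SYN-ACK also comes back through INPUT on `lo` with an ephemeral destination port and state ESTABLISHED, and both ESTABLISHED rules are limited to eth0/eth1, so it falls through to the DROP policy; prepending the answer's `-i lo` rule fixes that without widening what eth0/eth1 accept. The model only understands the matches this ruleset uses, and the client port 51234 is a constructed value.

```python
import shlex

# Constructed model of the question's INPUT chain (policy DROP). It
# understands only the matches that ruleset uses: -i, -p, --dport, --state.
POLICY = "DROP"
RULES = [
    "-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 4848 -j ACCEPT",
]
# The answer's fix: -I inserts at the top of the chain.
FIXED_RULES = ["-I INPUT -i lo -j ACCEPT"] + RULES

def parse_rule(line):
    """Extract the matches and target from one iptables rule string."""
    argv = shlex.split(line)
    opts = dict(zip(argv, argv[1:]))  # flag -> the argument that follows it
    return {
        "iface": opts.get("-i"),
        "proto": opts.get("-p"),
        "dport": int(opts["--dport"]) if "--dport" in opts else None,
        "states": set(opts["--state"].split(",")) if "--state" in opts else None,
        "target": opts["-j"],
    }

def matches(rule, pkt):
    """A rule matches when every match it specifies agrees with the packet."""
    return ((rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))

def verdict(rules, pkt, policy=POLICY):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy

def trace_localhost_4848(rules):
    """Return (SYN verdict, SYN-ACK verdict) for a client on this host connecting
    to localhost:4848. Both packets enter INPUT on lo; conntrack classifies the
    server's reply as ESTABLISHED. Client port 51234 is a constructed value."""
    syn = {"iface": "lo", "proto": "tcp", "dport": 4848, "state": "NEW"}
    syn_ack = {"iface": "lo", "proto": "tcp", "dport": 51234, "state": "ESTABLISHED"}
    return verdict(rules, syn), verdict(rules, syn_ack)
```

With the answer's LOG rule in place, this is the packet that would show up in dmesg: IN=lo, DPT= the client's ephemeral port, never the service port itself.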