iptables blocking local port access


Although I have plenty of Linux experience, I am new to iptables, and I set it up following the Rackspace virtual server setup guide.

Using a port scan and checking the ports needed for remote access, I can see that all traffic is blocked except on the ports I specifically opened.

However, I cannot access locally opened ports (e.g. w3m http://localhost:4848).

Here are my iptables rules:

# Generated by iptables-save v1.4.12 on Tue Oct  7 20:06:11 2014
*filter
:INPUT DROP [44:3960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [184:19472]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4848 -j ACCEPT
COMMIT
# Completed on Tue Oct  7 20:06:11 2014

Output of sudo iptables -L -n -v:

Chain INPUT (policy DROP 45 packets, 4050 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  106 10697 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    64 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4848
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 77 packets, 9149 bytes)
 pkts bytes target     prot opt in     out     source               destination   

As requested in the comments, some more output:

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet XXX.XXX.XXX.XXX/24 brd XXX.XXX.XXX.255 scope global eth0
    inet6 XXXX::XXXX:XXXX:XXXX:XX/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet XXX.XXX.XXX.XXX/19 brd XXX.XXX.XXX.255 scope global eth1
    inet6 XXXX::XXXX:XXXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

I suspect that the lack of local access to these ports is the root cause of glassfish not working properly.

My questions are:

  • How can I open local access to these ports without compromising remote security?
  • Would you recommend any other changes to improve security?

Answer 1

To find out which rule you are missing, it is convenient to put a logging rule at the end of the chain:

iptables -A INPUT -j LOG 

You will then see in the dmesg output every packet that reaches the end of the INPUT chain and is subsequently dropped by your DROP policy. As I said in the comments, you are probably missing a rule for the loopback device:

iptables -I INPUT -i lo -j ACCEPT

But do try adding the logging rule to find out the more specific criteria iptables is matching on.
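As an added example (not code from the question or the answer above), here is a small POSIX shell check that audits an iptables-save dump for the loopback rule the answer says is missing. BROKEN_RULES and FIXED_RULES are constructed from the questioner's ruleset; the rate limit on the LOG rule in the fixed set is my own addition so that an end-of-chain log does not flood dmesg.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump
# for a missing loopback ACCEPT rule under an INPUT DROP policy.

# Constructed sample: the questioner's ruleset, loopback rule absent.
BROKEN_RULES='*filter
:INPUT DROP [44:3960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [184:19472]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4848 -j ACCEPT
COMMIT'

# Same ruleset after the fix from the answer: loopback accepted first,
# and a rate-limited LOG rule (my assumption) at the end of the chain.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4848 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT'

# loopback_ok RULES: exit 0 when INPUT has an ACCEPT rule for -i lo,
# so localhost traffic never falls through to the DROP policy.
# Usage on a live host: loopback_ok "$(iptables-save)"
loopback_ok() {
    printf '%s\n' "$1" | grep -Eq -- '^-A INPUT .*-i lo .*-j ACCEPT'
}

# needs_loopback_fix RULES: exit 0 only when the INPUT policy is DROP and
# no loopback ACCEPT rule exists, i.e. exactly the situation in the question.
needs_loopback_fix() {
    printf '%s\n' "$1" | grep -Eq '^:INPUT DROP' && ! loopback_ok "$1"
}

if needs_loopback_fix "$BROKEN_RULES"; then
    echo "loopback rule missing; apply: iptables -I INPUT -i lo -j ACCEPT"
fi
```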
