我在 Centos 6.6 上运行 Apache/2.2.15。
我有一个 Verizon 路由器,检查了端口转发,发现
WorkstationName 192.168.1.6 HTTPS TCP Any -> 443 All Broadband Devices Active
我进入命令行并输入
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
我也进入了
sudo netstat -anltp | grep LISTEN
并得到
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1462/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2297/sshd
tcp 0 0 :::443 :::* LISTEN 2340/httpd
tcp 0 0 :::80 :::* LISTEN 2340/httpd
tcp 0 0 :::22 :::* LISTEN 2297/sshd
但是,当我输入我的网站名称(使用 http 可以正常工作)时,如下所示
https://websitename.com
它只是挂了。然后我去http://www.mynetworktest.com/ports.php并点击
测试 https - 端口 443
并得到
Port 443 is not open on my.ip.addre.ess
sudo iptables -L -n
给出
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.1.1 0.0.0.0/0 tcp flags:!0x17/0x02
ACCEPT udp -- 192.168.1.1 0.0.0.0/0
ACCEPT tcp -- 151.198.0.38 0.0.0.0/0 tcp flags:!0x17/0x02
ACCEPT udp -- 151.198.0.38 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
DROP all -- 0.0.0.0/0 255.255.255.255
DROP all -- 0.0.0.0/0 192.168.1.255
DROP all -- 224.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
LSI all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
INBOUND all -- 0.0.0.0/0 0.0.0.0/0
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
DROP all -- 69.84.207.246 0.0.0.0/0
DROP all -- 69.84.207.246 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.4 192.168.1.1 tcp dpt:53
ACCEPT udp -- 192.168.1.4 192.168.1.1 udp dpt:53
ACCEPT tcp -- 192.168.1.4 151.198.0.38 tcp dpt:53
ACCEPT udp -- 192.168.1.4 151.198.0.38 udp dpt:53
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 224.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
OUTBOUND all -- 0.0.0.0/0 0.0.0.0/0
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
DROP all -- 0.0.0.0/0 69.84.207.246
DROP all -- 0.0.0.0/0 69.84.207.246
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LSI all -- 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (2 references)
target prot opt source destination
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
答案1
事实是,您在链的末尾添加了允许端口 443 的规则INPUT。
但是你之前有一条规则,它删除了所有内容:
Chain INPUT (policy DROP)
[...]
DROP all -- 0.0.0.0/0 0.0.0.0
[...]
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
[...]
规则iptables决定秩序!
用于iptables -I INPUT -p tcp --dport 443 -j ACCEPT将规则放在链的开头INPUT。
标志-A(Append)将规则添加到指定链的末尾,这不是您想要的。
答案2
您在 INPUT 链的末尾添加了针对端口 443 的规则。规则 #13(如上所列)会丢弃任何与先前规则不匹配的流量。
-I添加规则时使用标志而不是-A。例如:
sudo iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT
这样,流量就不会丢失。