为 Samba Share 配置 IPTABLE 时出现的问题

tag-icon tag-icon linux iptables firewall centos6
为 Samba Share 配置 IPTABLE 时出现的问题

我正在尝试在 CentOS 6 服务器上配置 Samba,以便只有 3 个 IP 地址可以访问 Samba 共享。由于某种原因,我的 iptable 配置是错误的。我检查了第 11-15 行,每行都有问题,我认为是同一个问题。有人能看到我的问题吗?

[user_sa@host ~]$ sudo cat -n /etc/sysconfig/iptables
     1  # Firewall configuration written by system-config-firewall
     2  # Manual customization of this file is not recommended.
     3  *filter
     4  :INPUT ACCEPT [0:0]
     5  :FORWARD ACCEPT [0:0]
     6  :OUTPUT ACCEPT [0:0]
     7  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     8  -A INPUT -p icmp -j ACCEPT
     9  -A INPUT -i lo -j ACCEPT
    10  -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    11  -A RH-Firewall-1-INPUT -s 192.168.1.114/32 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
    12  -A RH-Firewall-1-INPUT -s 192.168.1.114/32 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
    13  -A RH-Firewall-1-INPUT -s 192.168.1.114/32 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
    14  -A RH-Firewall-1-INPUT -s 192.168.1.114/32 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
    15  -A RH-Firewall-1-INPUT -s 192.168.1.114/32 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
    16  -A RH-Firewall-1-INPUT -s 192.168.1.115/32 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
    17  -A RH-Firewall-1-INPUT -s 192.168.1.115/32 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
    18  -A RH-Firewall-1-INPUT -s 192.168.1.115/32 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
    19  -A RH-Firewall-1-INPUT -s 192.168.1.115/32 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
    20  -A RH-Firewall-1-INPUT -s 192.168.1.115/32 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
    21  -A RH-Firewall-1-INPUT -s 192.168.1.116/32 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
    22  -A RH-Firewall-1-INPUT -s 192.168.1.116/32 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
    23  -A RH-Firewall-1-INPUT -s 192.168.1.116/32 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
    24  -A RH-Firewall-1-INPUT -s 192.168.1.116/32 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
    25  -A RH-Firewall-1-INPUT -s 192.168.1.116/32 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
    26  -A INPUT -j REJECT --reject-with icmp-host-prohibited
    27  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    28  COMMIT
[user_sa@host ~]$ sudo service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore: line 11 failed
                                                       [FAILED]

答案1

4  :INPUT ACCEPT [0:0]
5  :FORWARD ACCEPT [0:0]
6  :OUTPUT ACCEPT [0:0]
(snip)    
11  -A RH-Firewall-1-INPUT -s 192.168.1.114/32 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

您正在使用未定义的链 ( RH-Firewall-1-INPUT)。

看起来你ACCEPT从某个网站复制粘贴了这些规则,却没有理解它们到底是干什么的。这……不是一个好主意。无论新信息的来源是什么,在使用命令之前,一定要自己尝试研究,了解它们到底是干什么的。

相关内容