`systemctl restart iptables` blocks everything

I connected to a Fedora 23 server over ssh and, after adding a new rule, decided to restart iptables with `systemctl restart iptables`. But iptables never restarted, or restarted extremely slowly (I waited more than 3 hours), and all connections were blocked, forcing me to go to the data center and reboot the machine. After the reboot everything seemed fine, so I tried running `systemctl restart iptables` again. The same thing happened: all connections were blocked, and `iptables -L` took a very long time to list all the rules. Why does restarting iptables cause this? What is a safer way to restart `iptables` on Fedora?

Here is the output of `iptables -L`:

```
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       tcp  --  anywhere             pages33.mit.io      tcp dpt:ssh state NEW recent: UPDATE seconds: 120 hit_count: 6 name: sshold2 side: source mask: 255.255.255.255
           tcp  --  anywhere             pages33.mit.io      tcp dpt:ssh state NEW recent: SET name: sshold2 side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             order.mit.io  tcp dpt:ssh state NEW recent: UPDATE seconds: 120 hit_count: 6 name: sshold side: source mask: 255.255.255.255
           tcp  --  anywhere             order.mit.io  tcp dpt:ssh state NEW recent: SET name: sshold side: source mask: 255.255.255.255
DROP       all  --  loopback/8           anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  -f  192.168.1.0/24       anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
swatch_rejects  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             order.mit.io  tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 50000:60000
ACCEPT     tcp  --  anywhere             clic.brg.mit.io  tcp dpt:http
ACCEPT     tcp  --  anywhere             clic.brg.mit.io  tcp dpt:https
ACCEPT     tcp  --  123.123.123.0/21      lol.al.mit.io  tcp dpt:http
ACCEPT     tcp  --  123.123.123.0/21      lol.al.mit.io  tcp dpt:https
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:http
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:https
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:http
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:https
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:http
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:https
DROP       tcp  --  anywhere             lol.al.mit.io  tcp dpt:http
DROP       tcp  --  anywhere             lol.al.mit.io  tcp dpt:https
ACCEPT     tcp  --  anywhere             order.mit.io  tcp dpt:ssh
ACCEPT     tcp  --  anywhere             pages33.mit.io      tcp dpt:ssh
ACCEPT     tcp  --  anywhere             order.mit.io  tcp dpt:http
ACCEPT     tcp  --  anywhere             order.mit.io  tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ircu
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ircu-2
ACCEPT     udp  --  anywhere             pages.mit.io  udp dpt:bootps
ACCEPT     udp  --  anywhere             pages.mit.io  udp dpt:bootpc
ACCEPT     tcp  --  anywhere             pages.mit.io  tcp dpt:bootps
ACCEPT     tcp  --  anywhere             pages.mit.io  tcp dpt:bootpc
ACCEPT    !icmp --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
DROP       all  --  anywhere             anywhere             ctstate NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain swatch_rejects (1 references)
target     prot opt source               destination   
```
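The question above asks for a safer way to reload iptables. The script below is an added example, not code from the original post or from Fedora's `iptables-services` package. Two practitioner points it encodes: `iptables -L` without `-n` does a reverse DNS lookup for every address in the listing, so listing is slow whenever the live ruleset is already dropping DNS replies (`iptables -L -n` avoids that), and a rules file that names hosts instead of numeric addresses forces `iptables-restore` to resolve them at load time, so a reload can stall on DNS. The script therefore checks the rules file for hostnames, loads it atomically with `iptables-restore`, and reverts to the previously saved ruleset unless a confirmation file is created within a timeout. The `IPT_SAVE`/`IPT_RESTORE` variables, the confirmation-file path and the sample rule files are assumptions of this example; the hostname check is written for IPv4 `iptables` rules, not `ip6tables`.

```shell
#!/bin/sh
# Added example: reload an iptables ruleset with a rollback safety net.
# Assumes iptables-save/iptables-restore are installed and that NEW_RULES is
# in iptables-save format. IPT_SAVE/IPT_RESTORE are overridable so the logic
# can be exercised without root (assumption of this example, not a real knob).
: "${IPT_SAVE:=iptables-save}"
: "${IPT_RESTORE:=iptables-restore}"

# has_hostnames FILE
# Returns 0 if any -s/-d/--source/--destination argument starts with a letter,
# i.e. is a hostname rather than an IPv4 address or CIDR. Such rules make
# iptables-restore do DNS lookups while loading, which can hang when the
# policy already in place drops the DNS replies. IPv4 rulesets only.
has_hostnames() {
    grep -E -- '(^|[[:space:]])(-s|-d|--source|--destination)[[:space:]]+(![[:space:]]*)?[A-Za-z]' "$1" >/dev/null
}

# apply_with_rollback NEW_RULES SECONDS CONFIRM_FILE
# Saves the live ruleset, loads NEW_RULES in one iptables-restore commit (so
# there is no window with a half-loaded chain), then waits SECONDS. Unless
# CONFIRM_FILE has been created meanwhile (e.g. by touching it from a fresh
# ssh session that still works), the saved ruleset is put back.
# Returns 0 if the new rules were kept, 1 if they were rolled back,
# 2 if the live ruleset could not be saved, 3 if NEW_RULES failed the check.
apply_with_rollback() {
    new=$1; wait_s=$2; confirm=$3
    if has_hostnames "$new"; then
        echo "refusing to load $new: it contains hostnames, use numeric addresses" >&2
        return 3
    fi
    backup=$(mktemp) || return 2
    "$IPT_SAVE" > "$backup" || { rm -f "$backup"; return 2; }
    rm -f "$confirm"                       # discard any stale confirmation
    if ! "$IPT_RESTORE" < "$new"; then      # syntax error or missing module: nothing committed,
        "$IPT_RESTORE" < "$backup"          # but reload the backup anyway to be safe
        rm -f "$backup"
        return 1
    fi
    sleep "$wait_s"
    if [ -e "$confirm" ]; then
        rm -f "$backup" "$confirm"
        return 0
    fi
    "$IPT_RESTORE" < "$backup"
    rm -f "$backup"
    echo "no confirmation within ${wait_s}s; previous ruleset restored" >&2
    return 1
}

# Usage: sh safe-iptables.sh apply NEW_RULES [SECONDS] [CONFIRM_FILE]
# Then, from a second ssh session that still works: touch /run/iptables-confirm
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_with_rollback "$2" "${3:-60}" "${4:-/run/iptables-confirm}"
fi
```

Run `apply_with_rollback` in the foreground of the session you expect to lose and confirm from a second session; if the new rules cut off ssh, the wait expires and the old ruleset comes back on its own. Once the ruleset is confirmed, `iptables-save > /etc/sysconfig/iptables` makes it what the Fedora unit loads at boot.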
