Not sure how to order my firewall rules

I have a firewall rule that opens a port, but the port is still closed.

I changed the order of the rules and it started working; I don't understand why.

This is what I had before:

cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p ipv4-icmp -m comment --comment ipv4_icmp -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>

</direct>

Now ports 5000-5200 are not open and I can't reach them.

Then I changed the order to this and it started working:

cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p ipv4-icmp -m comment --comment ipv4_icmp -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>

</direct>

Why does it do this?

Answer 1

You only have ACCEPT rules, so their order should not make any difference. Instead, did you restart/reload firewalld? In that case, your earlier rules may have been marked as permanent rules (so they were saved to disk) but not as runtime rules (so they were not currently applied).
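As an added example (not code from the question or the answer above), a Python check that parses a direct.xml like the one posted and compares it with a captured listing of the runtime direct rules, so that a permanent rule that was never applied to the runtime shows up immediately; the runtime line format `<ipv> <table> <chain> <priority> <args>` is assumed to match `firewall-cmd --direct --get-all-rules`, and both inputs here are constructed samples.

```python
"""Compare firewalld permanent direct rules (direct.xml) with runtime direct rules."""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: the questioner's first direct.xml, trimmed to its IPv4 rules.
PERMANENT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
</direct>
"""

# Constructed sample of runtime output (assumed format of
# `firewall-cmd --direct --get-all-rules`: "<ipv> <table> <chain> <priority> <args>").
# The 5000:5200 rule is deliberately absent: permanent on disk, but not applied.
RUNTIME_TEXT = """ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT
ipv4 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT
"""


def normalize(ipv, table, chain, priority, args):
    """Canonical, hashable form of one rule; shlex.split makes 'my app' and "my app" equal."""
    return (ipv, table, chain, int(priority), tuple(shlex.split(args)))


def parse_permanent(xml_text):
    """Rules stored in direct.xml, as a set: order among ACCEPT rules is irrelevant."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {normalize(r.get("ipv"), r.get("table"), r.get("chain"),
                      r.get("priority"), r.text or "") for r in root.iter("rule")}


def parse_runtime(text):
    """Rules currently loaded in the kernel, parsed from the runtime listing."""
    rules = set()
    for line in text.splitlines():
        if line.strip():
            ipv, table, chain, priority, args = line.split(maxsplit=4)
            rules.add(normalize(ipv, table, chain, priority, args))
    return rules


def missing_from_runtime(xml_text, runtime_text):
    """Permanent rules that are not applied at runtime, as readable sorted strings."""
    missing = parse_permanent(xml_text) - parse_runtime(runtime_text)
    return sorted(f"{ipv} {table} {chain} {prio} {shlex.join(args)}"
                  for ipv, table, chain, prio, args in missing)


if __name__ == "__main__":
    for rule in missing_from_runtime(PERMANENT_XML, RUNTIME_TEXT):
        print("permanent but not in runtime:", rule)
```

Any rule it reports is a candidate for `firewall-cmd --reload` (or for re-adding it without `--permanent`), which is the mismatch the answer describes.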