Current setup
I am doing a fresh install of CentOS 7 from the minimal ISO via a bootable USB stick.
The computer is an old Apple machine; it ran CentOS 7 without problems before.
The machine has one account, named "mas".
Problem
I cannot reach port 80 or 22 from outside the machine.
Situation
The machine does not seem to accept any incoming connections. Ping gets no response, and ssh gets no answer either.
When ssh-ing into the server, regardless of the account, [/var/log/messages, /var/log/audit/audit.log] are not touched.
Firewalld does have startup warnings, but they all relate to ipv6.
All connections to the local server via localhost connect fine.
SELinux enforcing is not the problem; the behaviour is the same with enforcing set to permissive.
Examples:
curl "localhost" -- Receive default Centos page.
ssh mas@localhost -- Continues to ask for password, works after.
The behaviour above is the same for 127.0.0.1.
## EDIT ##
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 10:9a:dd:49:14:28 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.106/24 brd 192.168.0.255 scope global enp3s0
valid_lft forever preferred_lft forever
inet6 fe80::1408:ba9e:471c:e2c8/64 scope link
valid_lft forever preferred_lft forever
ip r
default via 192.168.0.1 dev enp3s0 proto static metric 100
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.106 metric 100
iptables-save
[blank]
telnet -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1056/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1334/master
tcp6 0 0 :::22 :::* LISTEN 1056/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1334/master
udp 0 0 0.0.0.0:11000 0.0.0.0:* 865/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 865/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 729/chronyd
udp6 0 0 :::55079 :::* 865/dhclient
udp6 0 0 ::1:323 :::* 729/chronyd
raw6 0 0 :::58 :::* 7 744/NetworkManager
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 19789 1334/master private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 19792 1334/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 19795 1334/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 19798 1334/master private/defer
unix 2 [ ACC ] STREAM LISTENING 19801 1334/master private/trace
unix 2 [ ACC ] STREAM LISTENING 19807 1334/master public/flush
unix 2 [ ACC ] STREAM LISTENING 19804 1334/master private/verify
unix 2 [ ACC ] STREAM LISTENING 19230 1334/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 19233 1334/master private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 19236 1334/master private/smtp
unix 2 [ ACC ] STREAM LISTENING 19239 1334/master private/relay
unix 2 [ ACC ] STREAM LISTENING 19245 1334/master private/error
unix 2 [ ACC ] STREAM LISTENING 19248 1334/master private/retry
unix 2 [ ACC ] STREAM LISTENING 19251 1334/master private/discard
unix 2 [ ACC ] STREAM LISTENING 11827 1/systemd /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 19254 1334/master private/local
unix 2 [ ACC ] STREAM LISTENING 19257 1334/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 19260 1334/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 19263 1334/master private/anvil
unix 2 [ ACC ] STREAM LISTENING 19266 1334/master private/scache
unix 2 [ ACC ] STREAM LISTENING 12608 1/systemd /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 19242 1334/master public/showq
unix 2 [ ACC ] STREAM LISTENING 18006 744/NetworkManager /var/run/NetworkManager/private-dhcp
unix 2 [ ACC ] STREAM LISTENING 12415 1/systemd /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 19778 1334/master public/pickup
unix 2 [ ACC ] STREAM LISTENING 19782 1334/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 19785 1334/master public/qmgr
unix 2 [ ACC ] SEQPACKET LISTENING 12461 1/systemd /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 7111 1/systemd /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 14320 1/systemd /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 14323 1/systemd /var/run/pcscd/pcscd.comm
EDIT 2
firewall-cmd --state
running
firewall-cmd --list-all
drop (active)
target: DROP
icmp-block-inversion: no
interfaces: enp3s0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Answer 1
The default firewall on CentOS 7 is firewalld, not iptables.
iptables is disabled but firewalld is active.
You can disable firewalld completely:
systemctl stop firewalld
systemctl disable firewalld
Or you can add allow rules for your services:
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --reload
-- EDIT: firewalld settings
firewall-cmd --get-active-zones
firewall-cmd --get-zone-of-interface=enp3s0
You can define the zone by editing /etc/sysconfig/network-scripts/ifcfg-enp3s0:
ZONE=public
Associate the zone with your network interface:
firewall-cmd --zone=public --add-interface=enp3s0
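The answer's `--zone=public` commands only help once enp3s0 is actually in the public zone; the poster's EDIT 2 shows the interface bound to the drop zone, whose target drops everything not explicitly allowed. The script below is an added example written for this page, not code from the question or the answer. It reads a `firewall-cmd --list-all` dump and the `netstat -nlp` TCP listener lines (the poster's own output, embedded as constructed samples), reports for each wanted port whether a daemon listens on a wildcard address and whether the active zone admits it, and prints the least-privilege `firewall-cmd` lines addressed to the zone the interface is really in, rather than disabling firewalld. The port-to-service mapping in `service_for_port` is an assumption covering only a few well-known services.

```shell
#!/bin/sh
# Added diagnostic for the firewalld question above; not part of the original Q&A.
# Parses the zone dump from `firewall-cmd --list-all` and the listener table from
# `netstat -nlp`, then explains, per TCP port, why it is or is not reachable from
# outside, and emits the minimal firewall-cmd changes for the zone actually in use.

# Constructed sample inputs: the poster's drop-zone dump and TCP listener lines.
SAMPLE_ZONE_DUMP='drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22     0.0.0.0:*   LISTEN   1056/sshd
tcp        0      0 127.0.0.1:25   0.0.0.0:*   LISTEN   1334/master
tcp6       0      0 :::22          :::*        LISTEN   1056/sshd'

# zone_name DUMP -> first word of the first line, e.g. "drop"
zone_name() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $1; exit }'
}

# zone_field DUMP FIELD -> value after "FIELD:" (empty when the field is unset)
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# service_for_port PORT -> firewalld service name for a few well-known TCP ports
# (assumed mapping; other ports fall back to an explicit port rule)
service_for_port() {
    case "$1" in
        22) echo ssh ;;
        80) echo http ;;
        443) echo https ;;
        *) echo "" ;;
    esac
}

# port_admitted DUMP PORT -> 0 if the zone accepts tcp/PORT, 1 otherwise.
# The zone target applies only to packets no service/port rule matched, so an
# ACCEPT target admits everything, while a DROP target still lets explicitly
# listed services and ports through.
port_admitted() {
    [ "$(zone_field "$1" target)" = "ACCEPT" ] && return 0
    want_svc=$(service_for_port "$2")
    for s in $(zone_field "$1" services); do
        [ -n "$want_svc" ] && [ "$s" = "$want_svc" ] && return 0
    done
    for p in $(zone_field "$1" ports); do
        [ "$p" = "$2/tcp" ] && return 0
    done
    return 1
}

# listens_externally NETSTAT PORT -> 0 if a TCP socket for PORT is bound to a
# wildcard address (0.0.0.0 or ::), 1 if it is loopback-only or absent.
listens_externally() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":"); lport = a[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport == port && (addr == "0.0.0.0" || addr == "::")) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# suggest_fix DUMP PORT... -> firewall-cmd lines that open only what the zone does
# not already admit, addressed to the zone bound to the interface (not "public").
suggest_fix() {
    dump=$1; shift
    zone=$(zone_name "$dump")
    for port in "$@"; do
        port_admitted "$dump" "$port" && continue
        svc=$(service_for_port "$port")
        if [ -n "$svc" ]; then
            echo "firewall-cmd --zone=$zone --add-service=$svc --permanent"
        else
            echo "firewall-cmd --zone=$zone --add-port=$port/tcp --permanent"
        fi
    done
    echo "firewall-cmd --reload"
}

# report DUMP NETSTAT PORT... -> one line per port: listener state and zone verdict
report() {
    dump=$1; ns=$2; shift 2
    for port in "$@"; do
        if listens_externally "$ns" "$port"; then l="listening on all interfaces"; else l="no external listener"; fi
        if port_admitted "$dump" "$port"; then f="zone admits it"; else f="zone $(zone_name "$dump") blocks it"; fi
        echo "tcp/$port: $l; $f"
    done
}

report "$SAMPLE_ZONE_DUMP" "$SAMPLE_NETSTAT" 22 80
suggest_fix "$SAMPLE_ZONE_DUMP" 22 80
```

On the poster's data the report shows sshd bound to 0.0.0.0:22 but blocked by the drop zone, and nothing at all listening on port 80, so opening the firewall alone would not make port 80 answer. Keeping the drop zone and adding just the ssh and http services to it is the smallest change; switching the interface to public, as the answer's edit describes, is the alternative when the public zone's defaults are wanted.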