I am new to IPTables and I am sure I am overlooking something obvious.
Here is my setup:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  ip-10-10-10-0.ap-south-1.compute.internal/24  anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             ip-10-10-10-0.ap-south-1.compute.internal/24  policy match dir out pol ipsec proto esp
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Then I tried to open port 599:
sudo iptables -A INPUT -p tcp --dport 599 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 599 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Unfortunately my existing IPTables rules still block it and I don't understand why. The AWS health check still cannot do a TCP ping on port 599. Any clue as to what I am missing?

Latest update:

sudo iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    11582  695K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
2     309K   19M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3     6546  386K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
4    11329 7186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5       24  1440 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
6      246 13224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
7        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8       50  2227 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
9        2   400 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
10       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
11    6275  371K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0            policy match dir in pol ipsec proto 50
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.10.10.0/24        policy match dir out pol ipsec proto 50
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18608 packets, 2153K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Answer 1

iptables -A INPUT appends a rule at the end. Your current last rule is:

DROP       all  --  anywhere             anywhere

So your rule gets added at the end, after the drop rule, and is never reached. You will need to list the rules with line numbers:

iptables -nL --line-numbers

and then use iptables -I INPUT 5 ... (or whatever line number) to add the rule at a specific position.

If all traffic to port 599 is allowed to return (using NEW,ESTABLISHED) you do not need the OUTPUT rule.

If this is running on an ec2 instance, you will also need to make sure the security group allows 599 in. Although with aws security groups, iptables on the individual instance may not be necessary...
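The answer's point is rule order: anything appended with -A after a catch-all DROP is dead. The following script is an added example (not part of the question or the answer) that takes the listing the answer asks for, finds the first catch-all DROP in a chain, prints the iptables -I command that puts a new rule in front of it, and lists any rules already sitting behind it (which are never reached). It parses both the plain -nL --line-numbers layout and the -vnL layout; the verbose one is preferable because the plain listing hides interface matches, which is why the "ACCEPT all anywhere anywhere" rule in the first listing only shows up as a loopback-only rule (in lo) in the verbose one. The sample listing is constructed to mirror the INPUT chain from the question with the port 599 rule appended after the DROP; the function names are my own and the script only prints the iptables command, it does not run it.

```shell
#!/bin/sh
# Added example, not from the original post or answer.
# Find the first catch-all "DROP all 0.0.0.0/0 -> 0.0.0.0/0" rule in a chain
# so that a new ACCEPT can be inserted before it with `iptables -I CHAIN N`
# instead of being appended behind it with `-A`, where it is never reached.

# Constructed sample modelled on the INPUT chain in the question, in the
# `iptables -vnL --line-numbers` layout. Not live output.
SAMPLE_DUMP='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     309K   19M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
2     6546  386K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
3    11329 7186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4      246 13224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
6       50  2227 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
7        2   400 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
8        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
9     6275  371K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# catch_all_drop_pos CHAIN DUMP
# Prints the rule number of the first catch-all DROP in CHAIN; exit 1 if none.
# A catch-all is: target DROP, proto all, any interface, 0.0.0.0/0 both ways,
# and no extra match text (so "DROP ... state INVALID" does not count).
catch_all_drop_pos() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        $1 == "num" {
            # -vnL adds pkts/bytes/in/out columns; -nL does not.
            if ($2 == "pkts") { t = 4; p = 5; i = 7; o = 8; s = 9; d = 10; n = 10 }
            else              { t = 2; p = 3; i = 0; o = 0; s = 5; d = 6;  n = 6 }
            next
        }
        cur == chain && $1 ~ /^[0-9]+$/ && NF == n && $t == "DROP" && $p == "all" &&
        $s == "0.0.0.0/0" && $d == "0.0.0.0/0" && (i == 0 || ($i == "*" && $o == "*")) {
            print $1; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# dead_rules CHAIN DUMP
# Prints every rule of CHAIN that sits behind the catch-all DROP (never reached).
dead_rules() {
    pos=$(catch_all_drop_pos "$1" "$2") || return 1
    printf '%s\n' "$2" | awk -v chain="$1" -v pos="$pos" '
        /^Chain / { cur = $2; next }
        cur == chain && $1 ~ /^[0-9]+$/ && $1 + 0 > pos + 0 { print }
    '
}

# insert_cmd CHAIN DUMP RULE...
# Prints the iptables command that places RULE in front of the catch-all DROP.
# `-I CHAIN N` inserts at position N and pushes the old rule N down by one.
# With no catch-all DROP, appending is fine, so fall back to -A.
insert_cmd() {
    chain=$1; dump=$2; shift 2
    if pos=$(catch_all_drop_pos "$chain" "$dump"); then
        printf 'iptables -I %s %s %s\n' "$chain" "$pos" "$*"
    else
        printf 'iptables -A %s %s\n' "$chain" "$*"
    fi
}

# Walk-through on the constructed sample (prints commands only, runs nothing):
insert_cmd INPUT "$SAMPLE_DUMP" -p tcp --dport 599 -m conntrack --ctstate NEW -j ACCEPT
printf 'Rules in INPUT behind the catch-all DROP (never reached):\n'
dead_rules INPUT "$SAMPLE_DUMP"
```

On a live host the dump is `sudo iptables -vnL --line-numbers` fed in as the DUMP argument; after inserting, re-run the listing and check that the new rule's pkts counter moves while the final DROP's counter stops growing for that port. The OUTPUT chain has no catch-all DROP, so for it the helper simply emits -A, which matches the answer's remark that the extra OUTPUT rule is not needed anyway once the INPUT rule matches ESTABLISHED.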