DNS port added to iptables but still not open on CentOS 7

I added the DNS server port to iptables, and when I check with netstat the named service is even listening on it, but when I check the port from outside it is closed.

iptables -n -L => output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53

netstat -lnp => output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      652/master          
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1357/nginx: master  
tcp        0      0 123.123.123.123:53       0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      585/sshd            
tcp6       0      0 ::1:953                 :::*                    LISTEN      11222/named         
tcp6       0      0 ::1:25                  :::*                    LISTEN      652/master          
tcp6       0      0 :::3306                 :::*                    LISTEN      10529/mysqld        
tcp6       0      0 :::80                   :::*                    LISTEN      1357/nginx: master  
tcp6       0      0 :::53                   :::*                    LISTEN      11222/named         
tcp6       0      0 :::22                   :::*                    LISTEN      585/sshd            
udp        0      0 123.123.123.123:53       0.0.0.0:*                           11222/named         
udp        0      0 127.0.0.1:53            0.0.0.0:*                           11222/named         
udp6       0      0 :::53                   :::*                                11222/named         
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     11177    652/master           private/verify
unix  2      [ ACC ]     STREAM     LISTENING     11180    652/master           public/flush
unix  2      [ ACC ]     STREAM     LISTENING     11183    652/master           private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     11186    652/master           private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     27726    10529/mysqld         /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     11189    652/master           private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     11192    652/master           private/relay
unix  2      [ ACC ]     STREAM     LISTENING     11195    652/master           public/showq
unix  2      [ ACC ]     STREAM     LISTENING     11198    652/master           private/error
unix  2      [ ACC ]     STREAM     LISTENING     11201    652/master           private/retry
unix  2      [ ACC ]     STREAM     LISTENING     11204    652/master           private/discard
unix  2      [ ACC ]     STREAM     LISTENING     11272    325/acpid            /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     11207    652/master           private/local
unix  2      [ ACC ]     STREAM     LISTENING     11210    652/master           private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     11213    652/master           private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     11216    652/master           private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     11219    652/master           private/scache
unix  2      [ ACC ]     STREAM     LISTENING     14096    1082/php-fpm: maste  /run/php-fpm/php-fpm.sock
unix  2      [ ACC ]     STREAM     LISTENING     11151    652/master           public/pickup
unix  2      [ ACC ]     STREAM     LISTENING     9051     1/systemd            /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     SEQPACKET  LISTENING     13690    1/systemd            /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     13253    1/systemd            /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7127     1/systemd            /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     11155    652/master           public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     11158    652/master           public/qmgr
unix  2      [ ACC ]     STREAM     LISTENING     11162    652/master           private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     11165    652/master           private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     11168    652/master           private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     11171    652/master           private/defer
unix  2      [ ACC ]     STREAM     LISTENING     11174    652/master           private/trace

Any idea how to fix this?

Answer 1

To fix it you have to do the following:

iptables-save > temp.ruleset

vi temp.ruleset

Find the line containing -j REJECT; there is only one.

Move it down two lines, below the two udp rules.

Save with :wq

Reload the edited ruleset with iptables-restore < temp.ruleset

In future, add rules with iptables -I (rule position number) rather than with iptables -A, because you are blocking with that INPUT reject rule, so anything below it will be blocked.
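As an added example (not from the question or the answer above): a small POSIX shell script that reads `iptables -S INPUT` output, finds the rule number of the first REJECT/DROP, lists the ACCEPT rules shadowed below it, and prints the `iptables -I` / `iptables -D` commands that put port 53 ahead of the reject and remove the dead duplicates. The sample chain is constructed from the question's `iptables -n -L` output; the `-i lo` on the third rule is an assumption, since `-L` without `-v` does not show the interface. It also opens TCP 53, which named is listening on in the netstat output but which the question's rules never allow (zone transfers and large responses use TCP).

```shell
#!/bin/sh
# Added example, not from the question or the answer: plan the rule-order fix
# from `iptables -S INPUT` output without touching the live firewall.

# Constructed sample in `iptables -S INPUT` form, mirroring the question's
# `iptables -n -L` output. The `-i lo` on the third rule is an assumption:
# `-L` without `-v` does not print the interface columns.
SAMPLE_INPUT_CHAIN='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

# Rule number (1-based, the number `iptables -I INPUT N` expects) of the first
# REJECT or DROP rule in the chain text read from stdin; 0 if there is none.
first_reject_pos() {
    awk 'BEGIN { n = 0; pos = 0 }
         /^-A / { n++; if (pos == 0 && $0 ~ /-j (REJECT|DROP)/) pos = n }
         END { print pos }'
}

# ACCEPT rules that sit below that REJECT/DROP and therefore never match,
# printed as "<rule number>: <rule>".
shadowed_accepts() {
    awk 'BEGIN { n = 0; pos = 0 }
         /^-A / {
             n++
             if (pos == 0 && $0 ~ /-j (REJECT|DROP)/) pos = n
             else if (pos > 0 && $0 ~ /-j ACCEPT/) print n ": " $0
         }'
}

# Print (do not run) the iptables commands that fix the chain for port 53:
# insert UDP and TCP 53 ACCEPTs just above the REJECT (append if there is
# none), then delete the shadowed duplicates by their full match spec so the
# deletion order does not matter.
plan_fix() {
    chain=$(cat)
    pos=$(printf '%s\n' "$chain" | first_reject_pos)
    for proto in udp tcp; do
        if [ "$pos" -eq 0 ]; then
            echo "iptables -A INPUT -p $proto --dport 53 -j ACCEPT"
        else
            echo "iptables -I INPUT $pos -p $proto --dport 53 -j ACCEPT"
        fi
    done
    printf '%s\n' "$chain" | shadowed_accepts \
        | sed 's/^[0-9]*: -A INPUT /iptables -D INPUT /'
}

# Stand-alone run on the constructed sample: prints two -I and two -D commands.
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | plan_fix
```

On a real host feed the live chain instead of the sample (`iptables -S INPUT | plan_fix`), review the printed commands, then run them and persist with `service iptables save` if the iptables-services package is what manages the rules. On CentOS 7 the default firewall manager is firewalld; if it is running, rules edited directly with iptables or iptables-restore are replaced by firewalld's own on its next reload, so open the port with firewall-cmd there instead. `iptables -S` is used rather than `iptables -n -L` because it prints the full match of every rule, including interface matches such as `-i lo` that `-L` without `-v` leaves out.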
