在防火墙中,端口 80 已关闭,但 nmap 显示该端口已打开,我可以连接到它

在防火墙中,端口 80 已关闭,但 nmap 显示该端口已打开,我可以连接到它

我的 linux 环境是 fedora 27,httpd 正在运行,firewall-cmd --list-all 显示

FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources: 
  services: dhcpv6-client ssh samba-client mdns
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

虽然不允许 http 服务或端口 80,但 nmap 显示

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-25 18:55 PST
Nmap scan report for 10.0.0.15
Host is up (0.000052s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

实际上我可以使用浏览器连接到服务器

“systemctl status httpd”没有显示错误,但“systemctl status firewalld”显示以下错误

Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' 
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' 
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' 
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' 
Nov 25 18:43:17 localhost.localdomain systemd[1]: Reloading firewalld - dynamic firewall daemon.
Nov 25 18:43:17 localhost.localdomain systemd[1]: Reloaded firewalld - dynamic firewall daemon.
Nov 25 18:43:17 localhost.localdomain firewalld[3310]: WARNING: FedoraServer: INVALID_SERVICE: cockpit

如果我在运行 centos7 的虚拟机中遇到同样的情况,firewalld 会按我想要的方式工作。在虚拟机中运行 httpd 时,如果我在防火墙规则中添加 http 服务,那么我可以连接,否则则无法连接。但在 fedora 中,我不知道哪里出了问题。

我尝试做的是从主机端口 80/tcp 到我的虚拟机端口 80/tcp 的端口转发。我意识到端口转发不起作用,防火墙命令中的 add-service 或 add-port 也不起作用。我该如何解决这个问题?

尽管 iptables 已被禁用,但我还是在此处发布了 iptables -L 的输出。192.168.122.0/24 是我的虚拟机的网络

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 
FWDI_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 
FWDO_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraWorkstation (2 references)
target     prot opt source               destination         
FWDI_FedoraWorkstation_log  all  --  anywhere             anywhere            
FWDI_FedoraWorkstation_deny  all  --  anywhere             anywhere            
FWDI_FedoraWorkstation_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_FedoraWorkstation_allow (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraWorkstation_deny (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraWorkstation_log (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraWorkstation (2 references)
target     prot opt source               destination         
FWDO_FedoraWorkstation_log  all  --  anywhere             anywhere            
FWDO_FedoraWorkstation_deny  all  --  anywhere             anywhere            
FWDO_FedoraWorkstation_allow  all  --  anywhere             anywhere            

Chain FWDO_FedoraWorkstation_allow (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraWorkstation_deny (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraWorkstation_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 
IN_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_FedoraWorkstation (2 references)
target     prot opt source               destination         
IN_FedoraWorkstation_log  all  --  anywhere             anywhere            
IN_FedoraWorkstation_deny  all  --  anywhere             anywhere            
IN_FedoraWorkstation_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_FedoraWorkstation_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:blackjack:65535 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:blackjack:65535 ctstate NEW

Chain IN_FedoraWorkstation_deny (1 references)
target     prot opt source               destination         

Chain IN_FedoraWorkstation_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination  

“lsof -i -P -n|grep LISTEN”的输出是

dnsmasq    1037 nobody    6u  IPv4   27561      0t0  TCP 192.168.122.1:53 (LISTEN)
cupsd      1788   root    9u  IPv6   37232      0t0  TCP [::1]:631 (LISTEN)
cupsd      1788   root   10u  IPv4   37233      0t0  TCP 127.0.0.1:631 (LISTEN)
httpd      2355   root    4u  IPv6   43072      0t0  TCP *:80 (LISTEN)
httpd      2358 apache    4u  IPv6   43072      0t0  TCP *:80 (LISTEN)
httpd      2359 apache    4u  IPv6   43072      0t0  TCP *:80 (LISTEN)
httpd      2360 apache    4u  IPv6   43072      0t0  TCP *:80 (LISTEN)
sshd       3070   root    5u  IPv4   50178      0t0  TCP *:22 (LISTEN)
sshd       3070   root    7u  IPv6   50180      0t0  TCP *:22 (LISTEN)
jupyter-n  3512   rhce    4u  IPv6   64019      0t0  TCP [::1]:8888 (LISTEN)
jupyter-n  3512   rhce    5u  IPv4   64020      0t0  TCP 127.0.0.1:8888 (LISTEN)
python3    3545   rhce   14u  IPv4   66283      0t0  TCP 127.0.0.1:40521 (LISTEN)
python3    3545   rhce   17u  IPv4   66287      0t0  TCP 127.0.0.1:49589 (LISTEN)
python3    3545   rhce   20u  IPv4   66291      0t0  TCP 127.0.0.1:48583 (LISTEN)
python3    3545   rhce   23u  IPv4   66295      0t0  TCP 127.0.0.1:39659 (LISTEN)
python3    3545   rhce   28u  IPv4   66300      0t0  TCP 127.0.0.1:35933 (LISTEN)
python3    3545   rhce   41u  IPv4   68637      0t0  TCP 127.0.0.1:44955 (LISTEN)

ss -tlpn 的输出是

State       Recv-Q Send-Q                                                            Local Address:Port                                                                           Peer Address:Port              
LISTEN      0      100                                                                   127.0.0.1:49589                                                                                     *:*                   users:(("python3",pid=3545,fd=17))
LISTEN      0      32                                                                192.168.122.1:53                                                                                        *:*                   users:(("dnsmasq",pid=1037,fd=6))
LISTEN      0      128                                                                           *:22                                                                                        *:*                   users:(("sshd",pid=3070,fd=5))
LISTEN      0      5                                                                     127.0.0.1:631                                                                                       *:*                   users:(("cupsd",pid=1788,fd=10))
LISTEN      0      128                                                                   127.0.0.1:8888                                                                                      *:*                   users:(("jupyter-noteboo",pid=3512,fd=5))
LISTEN      0      100                                                                   127.0.0.1:44955                                                                                     *:*                   users:(("python3",pid=3545,fd=41))
LISTEN      0      100                                                                   127.0.0.1:35933                                                                                     *:*                   users:(("python3",pid=3545,fd=28))
LISTEN      0      100                                                                   127.0.0.1:48583                                                                                     *:*                   users:(("python3",pid=3545,fd=20))
LISTEN      0      100                                                                   127.0.0.1:40521                                                                                     *:*                   users:(("python3",pid=3545,fd=14))
LISTEN      0      100                                                                   127.0.0.1:39659                                                                                     *:*                   users:(("python3",pid=3545,fd=23))
LISTEN      0      128                                                                           *:80                                                                                        *:*                   users:(("httpd",pid=2360,fd=4),("httpd",pid=2359,fd=4),("httpd",pid=2358,fd=4),("httpd",pid=2355,fd=4))
LISTEN      0      128                                                                           *:22                                                                                        *:*                   users:(("sshd",pid=3070,fd=7))
LISTEN      0      5                                                                         [::1]:631                                                                                       *:*                   users:(("cupsd",pid=1788,fd=9))
LISTEN      0      128                                                                       [::1]:8888                                                                                      *:*                   users:(("jupyter-noteboo",pid=3512,fd=4))

答案1

有趣的是,尽管 firwalld 命令是正确的,但防火墙不允许将端口转发到虚拟机。我发现 iptables 规则在防火墙之前阻止了端口转发。所以我直接将端口转发规则添加到 iptables 规则的第一行。

相关内容