HTTPS requests to my domain time out. It seems that despite my attempts, the firewall is still closed.
Running Debian:
Distributor ID: Debian
Description: Debian GNU/Linux 7.11 (wheezy)
Release: 7.11
Codename: wheezy
sudo netstat -ntlp
...
tcp6 0 0 :::443 :::* LISTEN 2224/apache2
...
My current iptables rules:
# Generated by iptables-save v1.4.14 on Sat Jan 13 23:32:19 2018
*filter
:INPUT ACCEPT [1718:285832]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1521:341387]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
Apache config:
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName domain.com
ServerAlias www.domain.com
SSLEngine on
SSLCertificateFile "/etc/apache2/cert/domain.crt"
SSLCertificateKeyFile "/etc/apache2/cert/domain.key"
SSLCACertificateFile "/etc/apache2/cert/domain.ca-bundle"
<Directory /var/www/domain>
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/domain.err
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/domain.log combined
</VirtualHost>
Answer 1
First, your "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT" rule does nothing, because your default policy is to accept everything.
To accept HTTPS only, your rules should look like this:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport https -j ACCEPT
COMMIT
That said, the rules saved with iptables-save do not necessarily reflect the rules active on your machine. Find the active rules with:
iptables -t filter -nL # main command to exec
iptables -t mangle -nL
iptables -t nat -nL
To apply your saved rules (in /etc/iptables/rules.v4), use the following command (install the iptables-persistent package first if it is not installed yet):
service iptables-persistent restart
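The two points the answer makes, the ACCEPT policy making the port-443 rule a no-op and the need to look at the live rules rather than the saved file, can be checked mechanically. The script below is an added example and is not part of the question or the answer. It generates a complete rules.v4 for iptables-restore that exposes HTTPS only, and it includes small awk helpers that read an iptables-save dump and report a chain's default policy and any "-j ACCEPT" rules that policy already makes redundant. It goes beyond the answer's ruleset in one respect: with INPUT set to DROP, loopback traffic and the return packets of connections the server opens itself (DNS lookups, apt, NTP) must also be allowed, otherwise the host loses those. The SSH port (22, overridable by the first argument) and the use of the conntrack match instead of the older state match are assumptions; both matches exist on Debian 7's iptables 1.4.14.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# gen_rules_v4 prints an iptables-restore file that opens HTTPS only;
# chain_policy and redundant_accept_rules inspect an iptables-save dump.
# Assumptions: SSH on port 22 (first argument overrides it) and the
# conntrack match, available on Debian 7 (iptables 1.4.14).

# Print a rules.v4 for iptables-restore. With INPUT DROP as the policy,
# the HTTPS rule alone is not enough: loopback and the return packets of
# the server's own outbound connections (DNS, apt, NTP) need rules too.
gen_rules_v4() {
  ssh_port="${1:-22}"   # assumed management port; remove the rule if unneeded
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local services (Apache talking to a local database, etc.)
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened itself
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management access; add -s <admin network> to narrow it down
-A INPUT -p tcp -m tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# the one public service: HTTPS
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the default policy of chain $1 from an iptables-save dump on stdin.
chain_policy() {
  awk -v c=":$1" '$1 == c { print $2; exit }'
}

# Print every "-j ACCEPT" rule sitting in a chain whose policy is already
# ACCEPT: such a rule changes nothing, which is exactly the asker's case.
# Policy lines (":CHAIN POLICY [...]") precede the rules in a dump.
redundant_accept_rules() {
  awk '
    /^:/ { sub(/^:/, "", $1); pol[$1] = $2; next }
    $1 == "-A" && $(NF-1) == "-j" && $NF == "ACCEPT" && pol[$2] == "ACCEPT" { print }
  '
}

# Count lines without depending on wc padding.
count_lines() { awk 'END { print NR }'; }

# Constructed sample: the iptables-save dump from the question.
SAMPLE_DUMP='# Generated by iptables-save v1.4.14 on Sat Jan 13 23:32:19 2018
*filter
:INPUT ACCEPT [1718:285832]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1521:341387]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Usage: sh firewall.sh --demo [ssh_port]
# Shows the redundant rule in the sample dump, then the generated file.
if [ "${1:-}" = "--demo" ]; then
  echo "Redundant ACCEPT rules in sample dump (INPUT policy: $(printf '%s\n' "$SAMPLE_DUMP" | chain_policy INPUT)):"
  printf '%s\n' "$SAMPLE_DUMP" | redundant_accept_rules
  echo "Generated rules.v4:"
  gen_rules_v4 "${2:-22}"
fi
```

Write the generated file to /etc/iptables/rules.v4, load it with `iptables-restore < /etc/iptables/rules.v4` from a console session rather than only over SSH (a mistake in the SSH rule locks you out), and confirm what is actually loaded with `iptables -nvL INPUT` or the `iptables -t filter -nL` the answer gives; the saved file and the kernel's tables are two different things. One more caveat from the question's own netstat output: Apache is bound to `:::443`, so if the domain has an AAAA record, IPv6 clients are governed by ip6tables (rules.v6 under iptables-persistent), which these IPv4 rules do not touch.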