On an Ubuntu 14.04 server I am trying to get https working so the website has SSL (the server will be replaced in a few weeks). The website runs fine over http but not over https. The web browser shows "Unable to connect", so I think iptables is blocking the connection. I am somewhat familiar with ufw, but not with iptables.
When I run iptables -L --line, I get the following output:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38300 2312K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
122 7916 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
37010 2251K ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
162K 6486K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
11M 4302M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
50298 3001K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6998 431K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
106K 26M UDP udp -- * * 0.0.0.0/0 0.0.0.0/0
1057K 53M TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
106K 26M REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
194K 8099K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
5553 178K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate NEW,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 18270 packets, 6985K bytes)
pkts bytes target prot opt in out source destination
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 ctstate ESTABLISHED
714 80354 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate ESTABLISHED
Chain TCP (1 references)
pkts bytes target prot opt in out source destination
59249 3411K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1200 64152 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
498K 26M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:49152:49200
305K 15M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain UDP (1 references)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
38300 2312K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Some of the public IP addresses have been replaced with x.x.x.x.
Rules #21-25 under Chain INPUT (policy DROP) show https, but they are ACCEPT rules in a list whose policy is DROP. Does that mean the connection is dropped or allowed through? There is no rule for http in this list.
Under Chain OUTPUT (policy ACCEPT), rule #1 shows https and rule #2 shows http and https. These look like accept rules. But if a preceding rule is a drop rule, I assume rule #1 is never reached.
Rule #1 under Chain TCP (1 references) shows http, but there is no https rule.
Do I need to remove the rules under policy DROP? I tried adding a rule with iptables -A INPUT -p tcp --dport 443 -j ACCEPT, but I still cannot connect.
Also, /etc/iptables/rules.v4 has a rule for port 80 (-A TCP -p tcp -m tcp --dport 80 -j ACCEPT) but none for 443. Do I need to add it manually?
Update: added the requested information, with some domain names replaced by example.com.
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 38723 2341K fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
2 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
3 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
4 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
5 122 7916 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
6 0 0 ACCEPT tcp -- any any x.x.x.x/26 anywhere tcp dpt:ssh
7 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
8 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
9 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
10 0 0 ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
11 37418 2278K ACCEPT tcp -- any any example.com anywhere tcp dpt:ssh
12 168K 6750K DROP all -- any any anywhere anywhere ctstate INVALID
13 12M 4492M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
14 51339 3063K ACCEPT all -- lo any anywhere anywhere
15 7249 445K ACCEPT icmp -- any any anywhere anywhere icmp echo-request
16 108K 27M UDP udp -- any any anywhere anywhere
17 1084K 54M TCP tcp -- any any anywhere anywhere
18 108K 27M REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
19 201K 8383K REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
20 5669 181K REJECT all -- any any anywhere anywhere reject-with icmp-proto-unreachable
21 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
22 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https ctstate NEW,ESTABLISHED
23 0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports http,https ctstate NEW,ESTABLISHED
24 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
25 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 381K packets, 210M bytes)
num pkts bytes target prot opt in out source destination
1 2 120 ACCEPT tcp -- any any anywhere anywhere tcp spt:https ctstate ESTABLISHED
2 718 80790 ACCEPT tcp -- any any anywhere anywhere multiport dports http,https ctstate ESTABLISHED
Chain TCP (1 references)
num pkts bytes target prot opt in out source destination
1 60377 3478K ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
2 1202 64232 ACCEPT tcp -- any any anywhere anywhere tcp dpt:mysql
3 510K 26M ACCEPT tcp -- any any anywhere anywhere tcp dpts:49152:49200
4 311K 16M ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
Chain UDP (1 references)
num pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
num pkts bytes target prot opt in out source destination
1 38723 2341K RETURN all -- any any anywhere anywhere
ports.conf from Apache:
Listen 80
Listen 443 http
I had to add http to port 443, otherwise Apache would not start (based on this answer). Then this error occurs:
AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
Virtual host configuration:
<VirtualHost *:443>
ServerName www.example.com
#ServerAdmin [email protected]
DocumentRoot /var/www/test
ErrorLog /var/log/apache2/www.example.com-ssl-error.log
CustomLog /var/log/apache2/www.example.com-ssl-access.log combined
<Directory /var/www/test >
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/cert/www_example_com.crt
SSLCertificateKeyFile /etc/ssl/cert/www_example_com_com.key
SSLCertificateChainFile /etc/ssl/cert/www_example_com_com.ca-bundle
</VirtualHost>
There are no log entries in www.example.com-ssl*.log.
Answer 1
All of the iptables rules for the https port sit below the 3 REJECT rules for UDP, TCP and ALL, so those match your https traffic and reject the connection.
Move the https rules above those rules (insert them at position 18 at the latest) or move the REJECT rules below the https rules.
Note: if Gerard H. Pille gives an answer similar to mine, please give him the credit.
Edit: to clean all of this up:
This adds the https port to the http port already defined in the TCP chain:
iptables -R TCP 1 -p tcp -m multiport --dports 80,443 -j ACCEPT
This deletes all the unnecessary rules you appended to the INPUT chain (the order of the commands matters):
iptables -D INPUT 25
iptables -D INPUT 24
iptables -D INPUT 23
iptables -D INPUT 22
iptables -D INPUT 21
The OUTPUT chain does not need any of those rules, since its default policy is ACCEPT (ssh works, and you don't have any OUTPUT rule for ssh, right?), so you can safely delete both of them:
iptables -D OUTPUT 2
iptables -D OUTPUT 1
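To see for yourself why the https rules never fire, here is an added example that is not code from the question or from either answer. It parses the iptables -L -v -n --line-numbers listing from the question and replays a new connection to port 80 and to port 443 through the INPUT chain the way netfilter evaluates it (first terminating target wins; a user chain such as TCP returns to its caller when none of its rules match), lists the ACCEPT rules that sit below the rule that already decided the packet, and then applies the two changes from the answer to the model. The embedded listing is rebuilt in numeric form with the rule numbers from the post; the column headers and the identical dpt:22 rules 2-10 are left out, and the client address 203.0.113.7 and interface name eth0 are made-up test values. It needs no root and touches no real firewall.

```python
"""Replay an iptables INPUT chain and list the ACCEPT rules a packet can never reach.
Added example, not code from the question or the answers. It walks `iptables -L -v -n
--line-numbers` output the way netfilter does: the first terminating target wins, and a
user chain (TCP, UDP, fail2ban-ssh) returns to its caller when none of its rules match.
LISTING is the question's INPUT chain rebuilt in numeric form; column headers and the
identical dpt:22 rules 2-10 are left out (rule numbers come from the num column, so the
numbering still matches the post). The client 203.0.113.7 on eth0 is made up."""
import re

LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
1 38300 2312K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
11 37010 2251K ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp dpt:22
12 162K 6486K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
13 11M 4302M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
14 50298 3001K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
15 6998 431K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
16 106K 26M UDP udp -- * * 0.0.0.0/0 0.0.0.0/0
17 1057K 53M TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
18 106K 26M REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
19 194K 8099K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
20 5553 178K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
21 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,ESTABLISHED
23 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 ctstate NEW,ESTABLISHED
24 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
25 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain TCP (1 references)
1 59249 3411K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 1200 64152 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
3 498K 26M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:49152:49200
4 305K 15M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain UDP (1 references)
Chain fail2ban-ssh (1 references)
1 38300 2312K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse(listing):
    """{chain: {"policy": str or None, "rules": [rule dicts]}} from -L -v -n --line-numbers output."""
    chains, rules = {}, []
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if head:
            rules = chains.setdefault(head[1], {"policy": head[2], "rules": []})["rules"]
            continue
        p = line.split()
        if not p or not p[0].isdigit():
            continue  # blank line or column header
        rule = {"num": int(p[0]), "target": p[3], "prot": p[4], "in": p[6], "src": p[8],
                "dports": set(), "states": set()}  # empty set means "any"
        toks = iter(p[10:])  # match extensions: "tcp dpt:443", "multiport dports 80,443", "ctstate NEW"
        for t in toks:
            port = re.match(r"dpts?:(\d+)(?::(\d+))?$", t)  # dpt:443 or dpts:49152:49200
            if port:
                rule["dports"].update(range(int(port[1]), int(port[2] or port[1]) + 1))
            elif t == "dports":
                rule["dports"].update(map(int, next(toks).split(",")))
            elif t == "ctstate":
                rule["states"].update(next(toks).split(","))
        rules.append(rule)
    return chains


def matches(r, pkt):
    return (r["prot"] in ("all", pkt["proto"]) and r["in"] in ("*", pkt["iface"])
            and r["src"] in ("0.0.0.0/0", pkt["src"])  # a host literal has to match exactly
            and (not r["dports"] or pkt["dport"] in r["dports"])
            and (not r["states"] or pkt["state"] in r["states"]))


def walk(chains, name, pkt, trace):
    """Verdict reached inside chain `name`; None when the packet falls off its end or hits RETURN."""
    for r in chains[name]["rules"]:
        if matches(r, pkt):
            trace.append((name, r["num"], r["target"]))
            if r["target"] in TERMINAL or r["target"] == "RETURN":
                return r["target"] if r["target"] in TERMINAL else None
            sub = walk(chains, r["target"], pkt, trace)  # jump into a user-defined chain
            if sub is not None:
                return sub


def verdict(chains, pkt):
    """(verdict, trace of matched rules); the INPUT policy applies when no rule decided."""
    trace = []
    return walk(chains, "INPUT", pkt, trace) or chains["INPUT"]["policy"], trace


def shadowed_accepts(chains, pkt):
    """INPUT ACCEPT rules that match pkt but sit below the rule that already decided it."""
    _, trace = verdict(chains, pkt)
    if not trace or trace[-1][2] not in TERMINAL:  # decided by the policy: every rule was consulted
        return []
    decided_at = [n for chain, n, _ in trace if chain == "INPUT"][-1]
    return [r["num"] for r in chains["INPUT"]["rules"]
            if r["num"] > decided_at and r["target"] == "ACCEPT" and matches(r, pkt)]


def apply_answer_fix(chains):
    """Model `iptables -R TCP 1 -p tcp -m multiport --dports 80,443 -j ACCEPT` and `-D INPUT 25`..`21`."""
    chains["TCP"]["rules"][0]["dports"] = {80, 443}
    chains["INPUT"]["rules"] = [r for r in chains["INPUT"]["rules"] if r["num"] < 21]


def new_tcp(dport):  # first SYN from an outside client (constructed test packet)
    return {"proto": "tcp", "dport": dport, "state": "NEW", "iface": "eth0", "src": "203.0.113.7"}


if __name__ == "__main__":
    chains = parse(LISTING)
    for port in (80, 443):
        print(port, verdict(chains, new_tcp(port)), "unreachable:", shadowed_accepts(chains, new_tcp(port)))
    apply_answer_fix(chains)
    print("443 after the answer's fix:", verdict(chains, new_tcp(443))[0])
```

A SYN to port 443 reaches INPUT rule 17, comes back out of the empty-for-443 TCP chain, and is then rejected with a TCP reset by rule 19, which is exactly the browser's "Unable to connect"; rules 21-25 are reported as unreachable. The same walk shows that rule 23 (multiport 80,443) is also dead for http, which the TCP chain already accepted, so the answer's cleanup loses nothing. After the modelled -R and -D commands the port-443 SYN is accepted inside the TCP chain at rule 1. The model only knows the match extensions that appear in this listing (dpt, dpts, multiport dports, ctstate, interface and exact source), so extend matches() before relying on it for a ruleset that uses others.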
Answer 2
ports.conf should be
Listen 0.0.0.0:80
Listen 0.0.0.0:443 https
but these ports do not need to be defined at all, because of ports.conf:
You only need to set the protocol if you are running on non-standard ports. For example, running an https site on port 8443