Cannot access port 8000 on my Debian server

I have a Debian server running FusionPBX, installed with the official script. It uses nginx to host the application, and I tried adding another server block (Django) to the nginx configuration so that a second server running on the same machine could be served as well. However, I cannot reach the Django server.

nmap run from another machine against this host says

$ nmap host_name
Host is up (0.00044s latency).
Not shown: 991 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
5000/tcp closed upnp
5060/tcp open   sip
5061/tcp closed sip-tls
5080/tcp open   onscreen
5087/tcp closed biotic
7443/tcp open   oracleas-https

Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds

nmap from the machine itself

# nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-17 17:47 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
5432/tcp open  postgresql
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8021/tcp open  ftp-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

I want to open port 8000. This is the iptables output.

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
sip-auth-fail  all  --  0.0.0.0/0            0.0.0.0/0           
sip-auth-ip  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5060:5091 STRING match  "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5091 STRING match  "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5060:5091 STRING match  "sipcli/" ALGO name bm TO 65535 ICASE
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5091 STRING match  "sipcli/" ALGO name bm TO 65535 ICASE
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5060:5091 STRING match  "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5091 STRING match  "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5060:5091 STRING match  "pplsip" ALGO name bm TO 65535 ICASE
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5091 STRING match  "pplsip" ALGO name bm TO 65535 ICASE
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5060:5091 STRING match  "system " ALGO name bm TO 65535 ICASE
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5091 STRING match  "system " ALGO name bm TO 65535 ICASE
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5060:5091 STRING match  "exec." ALGO name bm TO 65535 ICASE
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5091 STRING match  "exec." ALGO name bm TO 65535 ICASE
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5060:5091 STRING match  "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5091 STRING match  "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5091
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5060:5091
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:16384:32768
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain sip-auth-fail (1 references)
target     prot opt source               destination         
DROP       all  --  128.90.90.74         0.0.0.0/0           
DROP       all  --  128.90.170.155       0.0.0.0/0           
DROP       all  --  128.90.170.172       0.0.0.0/0           
DROP       all  --  128.90.161.188       0.0.0.0/0           
DROP       all  --  128.90.168.31        0.0.0.0/0           
DROP       all  --  128.90.140.253       0.0.0.0/0           
DROP       all  --  128.90.170.116       0.0.0.0/0           
DROP       all  --  128.90.90.7          0.0.0.0/0           

Chain sip-auth-ip (1 references)
target     prot opt source               destination         
DROP       all  --  128.90.62.144        0.0.0.0/0           
DROP       all  --  128.90.90.74         0.0.0.0/0           
DROP       all  --  128.90.170.155       0.0.0.0/0           
DROP       all  --  128.90.170.172       0.0.0.0/0           
DROP       all  --  128.90.64.207        0.0.0.0/0           
DROP       all  --  128.90.168.101       0.0.0.0/0           
DROP       all  --  128.90.170.65        0.0.0.0/0           
DROP       all  --  103.27.227.165       0.0.0.0/0           
DROP       all  --  128.90.172.177       0.0.0.0/0           
DROP       all  --  128.90.161.188       0.0.0.0/0           
DROP       all  --  128.90.109.237       0.0.0.0/0           
DROP       all  --  128.90.79.193        0.0.0.0/0           
DROP       all  --  31.6.58.26           0.0.0.0/0           
DROP       all  --  128.90.112.152       0.0.0.0/0           
DROP       all  --  103.27.227.179       0.0.0.0/0           
DROP       all  --  128.90.168.31        0.0.0.0/0           
DROP       all  --  128.90.140.253       0.0.0.0/0           
DROP       all  --  45.254.247.122       0.0.0.0/0           
DROP       all  --  128.90.170.116       0.0.0.0/0           
DROP       all  --  128.90.90.7          0.0.0.0/0

It runs nginx by default; this is the default configuration

server {
    listen 127.0.0.1:80;
    server_name 127.0.0.1;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    client_max_body_size 80M;
    client_body_buffer_size 128k;

    location / {
        root /var/www/fusionpbx;
        index index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ .htaccess {
        deny all;
    }
    location ~ .htpassword {
        deny all;
    }
    location ~^.+.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}

server {
    listen 80;
    server_name fusionpbx;

    #redirect letsencrypt to dehydrated
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        auth_basic "off";
        alias /var/www/dehydrated;
    }

    #rewrite rule - send to https with an exception for provisioning
    if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) {
        rewrite ^(.*) https://$host$1 permanent;
        break;
    }

    #REST api
    if ($uri ~* ^.*/api/.*$) {
        rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
        break;
    }

    #algo
    rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;

    #mitel
    rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
    rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;

    #grandstream
    rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
    rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
    #grandstream-wave softphone by ext because Android doesn't pass MAC.
    rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;

    #aastra
    rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
    #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;

    #yealink
    #rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
    rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;

    #polycom
    rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
    #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
    rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";

    #cisco
    rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
    rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;

    #Escene
    rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$"       "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
    rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$"    "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;

    #Vtech
    rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;

    #Digium
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";

    #Snom
    rewrite "^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    client_max_body_size 80M;
    client_body_buffer_size 128k;

    location / {
        root /var/www/fusionpbx;
        index index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ .htaccess {
        deny all;
    }
    location ~ .htpassword {
        deny all;
    }
    location ~^.+.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}

server {
    listen 443 ssl;
    #listen 443 ssl http2;
    server_name fusionpbx;

    ssl_certificate         /etc/ssl/certs/nginx.crt;
    ssl_certificate_key     /etc/ssl/private/nginx.key;
    #ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers             DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache       shared:SSL:40m;
    ssl_session_timeout     2h;
    ssl_session_tickets     off;

    #redirect letsencrypt to dehydrated
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        auth_basic "off";
        alias /var/www/dehydrated;
    }

    #REST api
    if ($uri ~* ^.*/api/.*$) {
        rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
        break;
    }

    #message media
    rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last;

    #algo
    rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;

    #mitel
    rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
    rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;

    #grandstream
    rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
    rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
    #grandstream-wave softphone by ext because Android doesn't pass MAC.
    rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;

    #aastra
    rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
    #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;

    #yealink
    #rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
    rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;

    #polycom
    rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
    #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
    rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";

    #cisco
    rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
    rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;

    #Escene
    rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$"       "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
    rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$"    "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;

    #Vtech
    rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;

    #Digium
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    client_max_body_size 80M;
    client_body_buffer_size 128k;

    location / {
        root /var/www/fusionpbx;
        index index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ .htaccess {
        deny all;
    }
    location ~ .htpassword {
        deny all;
    }
    location ~^.+.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}

The block I added

server {
    listen 8000;
    server_name 'my_server ip';

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/freeswitch/freeswitch_api/django_api;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/freeswitch/freeswitch_api/django_api/django_api.sock;
    }
}

During installation the FusionPBX script runs some commands to set up iptables. Here is the script

#!/bin/sh

#move to script directory so all relative paths work
cd "$(dirname "$0")"


#add the includes
. ./config.sh
. ./colors.sh
. ./environment.sh

#send a message
verbose "Configuring IPTables"

#defaults to nftables by default this enables iptables
if [ ."$os_codename" = ."buster" ]; then
    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
if [ ."$os_codename" = ."bullseye" ]; then
    apt-get install -y iptables
    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi

#remove ufw
ufw reset
ufw disable
apt-get remove -y ufw
#apt-get purge ufw

#run iptables commands
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#answer the questions for iptables persistent
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install -y iptables-persistent

Next, I ran these commands to try to open port 8000

iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

This is my netstat output:

# sudo netstat -tulpn
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:43171         0.0.0.0:*               LISTEN      1123/node           
tcp        0      0 94.237.97.9:5060        0.0.0.0:*               LISTEN      1193/freeswitch     
tcp        0      0 94.237.97.9:5066        0.0.0.0:*               LISTEN      1193/freeswitch     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2929/nginx: master  
tcp        0      0 94.237.97.9:7443        0.0.0.0:*               LISTEN      1193/freeswitch     
tcp        0      0 127.0.0.1:8021          0.0.0.0:*               LISTEN      1193/freeswitch     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      528/sshd: /usr/sbin 
tcp        0      0 127.0.0.1:35223         0.0.0.0:*               LISTEN      1000/node           
tcp        0      0 94.237.97.9:5080        0.0.0.0:*               LISTEN      1193/freeswitch     
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      541/postgres        
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      878/exim4           
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2929/nginx: master  
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      2929/nginx: master  
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      2176/python         
tcp6       0      0 2a04:3542:1000:910:5060 :::*                    LISTEN      1193/freeswitch     
tcp6       0      0 :::22                   :::*                    LISTEN      528/sshd: /usr/sbin 
tcp6       0      0 ::1:5432                :::*                    LISTEN      541/postgres        
tcp6       0      0 ::1:25                  :::*                    LISTEN      878/exim4           
udp        0      0 0.0.0.0:68              0.0.0.0:*                           476/dhclient        
udp        0      0 0.0.0.0:68              0.0.0.0:*                           443/dhclient        
udp        0      0 0.0.0.0:161             0.0.0.0:*                           525/snmpd           
udp        0      0 94.237.97.9:5060        0.0.0.0:*                           1193/freeswitch     
udp        0      0 94.237.97.9:5080        0.0.0.0:*                           1193/freeswitch     
udp6       0      0 2a04:3542:1000:910:5060 :::*                                1193/freeswitch 

Still no luck. The nginx config must be correct, because I use the same config on other Ubuntu servers and it works there. What am I doing wrong?
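The three outputs above already narrow the problem down: netstat shows nginx bound on 0.0.0.0:8000, the remote nmap reports the port as filtered (no RST, so a DROP rather than a closed socket), and the iptables -L -n listing contains no rule for dport 8000, so an inbound SYN falls through to the INPUT policy DROP. The script below is an added diagnostic written for this answer, not part of the question or of the FusionPBX installer. first_match_for_tcp_dport is a pure-text helper that replays the INPUT chain from "iptables -S INPUT" output and reports which rule (or the policy) gives the verdict for a fresh TCP SYN to a given port; diagnose runs the live checks on the host. It assumes standard Debian tooling (ss, readlink, iptables-legacy and iptables-nft). One caveat the installer makes relevant: it pins the iptables command to the legacy backend with update-alternatives, and the kernel evaluates the legacy and nft rulesets independently, so an ACCEPT added through the other backend does not override the legacy DROP policy. The helper therefore is run against both.

```shell
#!/bin/sh
# Added diagnostic, not part of the question or of the FusionPBX installer.
# Assumes standard Debian tooling: ss, readlink, iptables-legacy / iptables-nft.

# first_match_for_tcp_dport PORT  <  output of "iptables -S INPUT"
# Walks the INPUT chain in order and prints the first rule that would give a
# verdict for a fresh inbound TCP SYN to PORT on a non-loopback interface.
# Rules that cannot match such a packet are skipped: "-i lo", conntrack/state
# matches (a SYN is NEW), payload string matches (a SYN carries no payload),
# other protocols, non-matching ports, and jumps to user chains such as
# sip-auth-ip (treated as non-terminating for a source that is not listed).
first_match_for_tcp_dport() {
    awk -v port="$1" '
    /^-P INPUT/ { policy = $3; next }
    !/^-A INPUT/ { next }
    {
        proto = ""; lo = 0; state = 0; str = 0; dlo = -1; dhi = -1; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-i" && $(i + 1) == "lo") lo = 1
            if ($i == "--state" || $i == "--ctstate") state = 1
            if ($i == "--string") str = 1
            if ($i == "--dport") {
                split($(i + 1), r, ":")
                dlo = r[1] + 0; dhi = (r[2] == "" ? r[1] : r[2]) + 0
            }
            if ($i == "-j") target = $(i + 1)
        }
        if (lo || state || str) next
        if (proto != "" && proto != "tcp") next
        if (dlo >= 0 && (port + 0 < dlo || port + 0 > dhi)) next
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
            printf "rule %d: %s -> %s\n", NR, $0, target
            found = 1
            exit
        }
    }
    END { if (!found) printf "no terminating rule for tcp/%s, chain policy %s applies\n", port, policy }'
}

# diagnose PORT: the live checks, run on the server itself (root for iptables).
diagnose() {
    port=$1
    echo "== sockets listening on tcp/$port (must be 0.0.0.0 or the public address, not only 127.0.0.1)"
    ss -ltnp "sport = :$port"
    echo "== backend behind the iptables command (xtables-legacy-multi or xtables-nft-multi)"
    readlink -f "$(command -v iptables)"
    echo "== first verdict for tcp/$port in each backend; the kernel evaluates both rulesets,"
    echo "   so an ACCEPT added to one does not override a DROP policy in the other"
    for b in iptables-legacy iptables-nft; do
        command -v "$b" >/dev/null 2>&1 || continue
        echo "-- $b"
        "$b" -S INPUT | first_match_for_tcp_dport "$port"
    done
}

if [ "${1-}" = "--diagnose" ]; then
    diagnose "${2:-8000}"
fi
```

Run it as root with "sh diag.sh --diagnose 8000". On the ruleset shown in the question the helper reports that no rule terminates for tcp/8000 and the DROP policy applies; after a working ACCEPT has been added to the backend the installer uses, it names that rule instead.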

Answer 1

I solved the problem. I will leave the solution here for anyone who runs into the same issue. It is actually very simple. I checked how FusionPBX is installed and how it configures iptables. Here is the script.

#!/bin/sh

#move to script directory so all relative paths work
cd "$(dirname "$0")"


#add the includes
. ./config.sh
. ./colors.sh
. ./environment.sh

#send a message
verbose "Configuring IPTables"

#defaults to nftables by default this enables iptables
if [ ."$os_codename" = ."buster" ]; then
    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
if [ ."$os_codename" = ."bullseye" ]; then
    apt-get install -y iptables
    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi

#remove ufw
ufw reset
ufw disable
apt-get remove -y ufw
#apt-get purge ufw

#run iptables commands
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#answer the questions for iptables persistent
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install -y iptables-persistent

Now, to open another port, I just run the iptables command

iptables -A INPUT -p tcp --dport 8000 -j ACCEPT

and save the rules with

sudo /sbin/iptables-save > /etc/iptables/rules.v4

Make sure to run it as root, otherwise you will get a permission denied error.

If you get a permission error, you may need to run sudo su - before saving the rules.
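The same procedure as an idempotent script. This is an added example, not the answer's own commands; it assumes the Debian layout that iptables-persistent restores from (/etc/iptables/rules.v4), and the IPT, IPT_SAVE and RULES_V4 variables are knobs of my own so the functions can be exercised without touching a live firewall. It checks with iptables -C before appending so that re-running does not stack duplicate rules, optionally limits the rule to a source network (a Django API sitting next to a PBX rarely needs to be reachable from the whole internet), saves the ruleset, and then verifies that the saved file really carries the rule, since a rule that exists only in the running table disappears at the next reboot. Appending with -A is fine on this host because the INPUT chain has no catch-all -j DROP ahead of the policy; if a chain ends with an explicit DROP, use -I so the new rule is evaluated first.

```shell
#!/bin/sh
# Added example, not part of the accepted answer: open a TCP port on a host
# whose INPUT policy is DROP, without duplicating the rule on re-runs, and
# persist it where iptables-persistent loads it from on Debian.  Run as root.
set -u

IPT=${IPT:-iptables}                         # must be the same backend the
IPT_SAVE=${IPT_SAVE:-iptables-save}          # installer selected (legacy)
RULES_V4=${RULES_V4:-/etc/iptables/rules.v4}

# open_tcp_port PORT [SOURCE_CIDR]
# Appends "-A INPUT [-s SOURCE] -p tcp -m tcp --dport PORT -j ACCEPT" only if
# an identical rule is not already present, then persists and verifies.
open_tcp_port() {
    port=$1; src=${2:-}
    set -- -p tcp -m tcp --dport "$port" -j ACCEPT
    [ -n "$src" ] && set -- -s "$src" "$@"
    if "$IPT" -C INPUT "$@" 2>/dev/null; then
        echo "tcp/$port already allowed in INPUT"
    else
        "$IPT" -A INPUT "$@" || return 1
        echo "tcp/$port: appended ACCEPT to INPUT"
    fi
    # Persist: netfilter-persistent restores this file at boot.  The redirect
    # runs as the current user, which is why "sudo iptables-save > file" fails.
    "$IPT_SAVE" > "$RULES_V4" || return 1
    # Verify the saved file, not just the live table.
    grep -q -- "--dport $port -j ACCEPT" "$RULES_V4"
}

if [ "${1-}" = "--apply" ]; then
    open_tcp_port "${2:-8000}" "${3:-}"
fi
```

Usage on the server: "sh open-port.sh --apply 8000 203.0.113.0/24" (the network is a placeholder for the clients that should reach Django; omit it only if the API must be public). If you prefer the one-liners from the answer, the equivalent of the save step that works without a root shell is sudo sh -c 'iptables-save > /etc/iptables/rules.v4', because the redirect must be performed by the privileged process.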
