我有一个运行 fusionPBX 的 Debian 服务器,我使用这官方脚本。它使用 nginx 来托管应用程序,我尝试在 nginx 的配置文件中添加另一个服务器(Django)以支持在同一台计算机上运行的另一个服务器。但是,我无法访问 Django 服务器。
这台机器上的 nmap 从另一台机器说
$ nmap host_name
Host is up (0.00044s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5000/tcp closed upnp
5060/tcp open sip
5061/tcp closed sip-tls
5080/tcp open onscreen
5087/tcp closed biotic
7443/tcp open oracleas-https
Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds
来自同一台机器的 nmap
# nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-17 17:47 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
5432/tcp open postgresql
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8021/tcp open ftp-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
我想打开端口 8000,这是 iptables 的输出。
# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
sip-auth-fail all -- 0.0.0.0/0 0.0.0.0/0
sip-auth-ip all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "sipcli/" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "sipcli/" ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "pplsip" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "pplsip" ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "system " ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "system " ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "exec." ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "exec." ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:16384:32768
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sip-auth-fail (1 references)
target prot opt source destination
DROP all -- 128.90.90.74 0.0.0.0/0
DROP all -- 128.90.170.155 0.0.0.0/0
DROP all -- 128.90.170.172 0.0.0.0/0
DROP all -- 128.90.161.188 0.0.0.0/0
DROP all -- 128.90.168.31 0.0.0.0/0
DROP all -- 128.90.140.253 0.0.0.0/0
DROP all -- 128.90.170.116 0.0.0.0/0
DROP all -- 128.90.90.7 0.0.0.0/0
Chain sip-auth-ip (1 references)
target prot opt source destination
DROP all -- 128.90.62.144 0.0.0.0/0
DROP all -- 128.90.90.74 0.0.0.0/0
DROP all -- 128.90.170.155 0.0.0.0/0
DROP all -- 128.90.170.172 0.0.0.0/0
DROP all -- 128.90.64.207 0.0.0.0/0
DROP all -- 128.90.168.101 0.0.0.0/0
DROP all -- 128.90.170.65 0.0.0.0/0
DROP all -- 103.27.227.165 0.0.0.0/0
DROP all -- 128.90.172.177 0.0.0.0/0
DROP all -- 128.90.161.188 0.0.0.0/0
DROP all -- 128.90.109.237 0.0.0.0/0
DROP all -- 128.90.79.193 0.0.0.0/0
DROP all -- 31.6.58.26 0.0.0.0/0
DROP all -- 128.90.112.152 0.0.0.0/0
DROP all -- 103.27.227.179 0.0.0.0/0
DROP all -- 128.90.168.31 0.0.0.0/0
DROP all -- 128.90.140.253 0.0.0.0/0
DROP all -- 45.254.247.122 0.0.0.0/0
DROP all -- 128.90.170.116 0.0.0.0/0
DROP all -- 128.90.90.7 0.0.0.0/0
它默认运行 nginx,这是默认配置
server {
listen 127.0.0.1:80;
server_name 127.0.0.1;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
client_max_body_size 80M;
client_body_buffer_size 128k;
location / {
root /var/www/fusionpbx;
index index.php;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}
server {
listen 80;
server_name fusionpbx;
#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}
#rewrite rule - send to https with an exception for provisioning
if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) {
rewrite ^(.*) https://$host$1 permanent;
break;
}
#REST api
if ($uri ~* ^.*/api/.*$) {
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
break;
}
#algo
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;
#mitel
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
#grandstream
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
#grandstream-wave softphone by ext because Android doesn't pass MAC.
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;
#aastra
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
#yealink
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
#polycom
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";
#cisco
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;
#Escene
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
#Vtech
rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;
#Digium
rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";
#Snom
rewrite "^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
client_max_body_size 80M;
client_body_buffer_size 128k;
location / {
root /var/www/fusionpbx;
index index.php;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}
server {
listen 443 ssl;
#listen 443 ssl http2;
server_name fusionpbx;
ssl_certificate /etc/ssl/certs/nginx.crt;
ssl_certificate_key /etc/ssl/private/nginx.key;
#ssl_protocols TLSv1.2 TLSv1.3;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 2h;
ssl_session_tickets off;
#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}
#REST api
if ($uri ~* ^.*/api/.*$) {
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
break;
}
#message media
rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last;
#algo
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;
#mitel
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
#grandstream
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
#grandstream-wave softphone by ext because Android doesn't pass MAC.
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;
#aastra
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
#yealink
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
#polycom
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";
#cisco
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;
#Escene
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
#Vtech
rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;
#Digium
rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
client_max_body_size 80M;
client_body_buffer_size 128k;
location / {
root /var/www/fusionpbx;
index index.php;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}
我添加的块
server {
listen 8000;
server_name 'my_server ip';
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/freeswitch/freeswitch_api/django_api;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/freeswitch/freeswitch_api/django_api/django_api.sock;
}
}
在安装过程中,fusionPBX 脚本会运行一些命令来设置 iptables。以下是脚本
#!/bin/sh
#move to script directory so all relative paths work
cd "$(dirname "$0")"
#add the includes
. ./config.sh
. ./colors.sh
. ./environment.sh
#send a message
verbose "Configuring IPTables"
#defaults to nftables by default this enables iptables
if [ ."$os_codename" = ."buster" ]; then
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
if [ ."$os_codename" = ."bullseye" ]; then
apt-get install -y iptables
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
#remove ufw
ufw reset
ufw disable
apt-get remove -y ufw
#apt-get purge ufw
#run iptables commands
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#answer the questions for iptables persistent
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install -y iptables-persistent
接下来,我运行了这些命令尝试打开端口 8000
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
这是我的 netstat 输出:
# sudo netstat -tulpn
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:43171 0.0.0.0:* LISTEN 1123/node
tcp 0 0 94.237.97.9:5060 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 94.237.97.9:5066 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2929/nginx: master
tcp 0 0 94.237.97.9:7443 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 127.0.0.1:8021 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 528/sshd: /usr/sbin
tcp 0 0 127.0.0.1:35223 0.0.0.0:* LISTEN 1000/node
tcp 0 0 94.237.97.9:5080 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 541/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 878/exim4
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2929/nginx: master
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 2929/nginx: master
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN 2176/python
tcp6 0 0 2a04:3542:1000:910:5060 :::* LISTEN 1193/freeswitch
tcp6 0 0 :::22 :::* LISTEN 528/sshd: /usr/sbin
tcp6 0 0 ::1:5432 :::* LISTEN 541/postgres
tcp6 0 0 ::1:25 :::* LISTEN 878/exim4
udp 0 0 0.0.0.0:68 0.0.0.0:* 476/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 443/dhclient
udp 0 0 0.0.0.0:161 0.0.0.0:* 525/snmpd
udp 0 0 94.237.97.9:5060 0.0.0.0:* 1193/freeswitch
udp 0 0 94.237.97.9:5080 0.0.0.0:* 1193/freeswitch
udp6 0 0 2a04:3542:1000:910:5060 :::* 1193/freeswitch
仍然没有运气,nginx 配置必须正确,因为我在其他 ubuntu 服务器中使用相同的配置,而且它可以工作。我做错了什么?
答案1
我解决了这个问题。我会把解决方案留在这里,供任何遇到同样问题的人参考。实际上,这很简单。我检查了 FsuionPBX 的安装方式以及它们如何配置 iptables。这是脚本。
#!/bin/sh
#move to script directory so all relative paths work
cd "$(dirname "$0")"
#add the includes
. ./config.sh
. ./colors.sh
. ./environment.sh
#send a message
verbose "Configuring IPTables"
#defaults to nftables by default this enables iptables
if [ ."$os_codename" = ."buster" ]; then
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
if [ ."$os_codename" = ."bullseye" ]; then
apt-get install -y iptables
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
#remove ufw
ufw reset
ufw disable
apt-get remove -y ufw
#apt-get purge ufw
#run iptables commands
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#answer the questions for iptables persistent
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install -y iptables-persistent
现在要打开另一个端口,我只需运行 iptable 命令
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
并使用保存规则
sudo /sbin/iptables-save > /etc/iptables/rules.v4
确保以 root 身份运行它,否则您将收到权限被拒绝错误。
如果您收到权限错误,您可能需要sudo su -在保存规则之前运行。