Debian 11 Firewalld+nftables 规则不生效

Debian 11 Firewalld+nftables 规则不生效

更新:在 /etc/hosts 中注释掉下面这一行之后,问题“算是”解决了:

#127.0.1.1  my-host.domain.edu  my-host

重新启动后,预期的端口确实可以访问了。我之所以尝试这样做,是因为在关闭防火墙进行测试时,服务绑定到主机 ''(即所有地址)可以接受连接,而绑定到主机名 my-host 则不能——由于 /etc/hosts 中的那一行,my-host 只解析到回环地址 127.0.1.1,服务因此只监听在回环上,而不是我的外部地址。

我不明白为什么这会改变防火墙的行为,特别是当我指定了规则应该应用于哪个接口时。

原始帖子:

我有一台 Debian 11 服务器(未运行 NetworkManager),我正尝试使用 Firewalld 打开端口,使用的是我在其他机器上成功用过的相同命令,并且分别在带与不带 --permanent 的情况下都运行过。我可以在 nft list ruleset 的输出中看到这些规则。但我无法访问这台机器上的服务:VNC Viewer 提示“计算机拒绝连接”,在端口 11000 上运行一个 Python echo 服务器时也得到同样的结果(所以这不仅仅是 VNC 的问题)。我尝试把接口显式添加到 Firewalld 的区域中,但没有任何变化。我重新启动了机器,也没有任何变化。为什么这些端口没有打开?

:~> sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp4s0f0
  sources: 
  services: dhcpv6-client http https ldap ldaps nfs postgresql rsyncd ssh vnc-server
  ports: 1024-65535/tcp 1024-65535/udp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
:~> sudo nft list table inet firewalld
# firewalld-generated ruleset for the "public" zone, as captured with
# `nft list table inet firewalld`. The comments are review notes and are
# not part of the captured output.
table inet firewalld {
    # Runs before conntrack. The second rule is an IPv6 reverse-path check:
    # drop packets whose source address has no route back out.
    chain raw_PREROUTING {
        type filter hook prerouting priority raw + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . iif oif missing drop
    }

    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PREROUTING_ZONES
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }

    # Interface-to-zone dispatch. enp4s0f0 is bound to "public", but the
    # unconditional fall-through goto sends every other interface to
    # "public" as well (it is the default zone), so the explicit binding
    # does not change the outcome on this host.
    chain mangle_PREROUTING_ZONES {
        iifname "enp4s0f0" goto mangle_PRE_public
        goto mangle_PRE_public
    }

    chain mangle_PREROUTING_POLICIES_post {
    }

    # Host-input policy. The base-chain policy is accept, but the chain ends
    # with an unconditional reject, so anything the zone/policy chains do
    # not accept is rejected. Priority "filter + 10" means base chains of
    # other tables at the plain filter priority (e.g. a leftover
    # iptables-nft filter table) run first and can drop traffic before
    # firewalld ever sees it -- check `nft list ruleset` for other tables.
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        # Loopback traffic is accepted here regardless of zone. A service
        # bound only to 127.0.1.1 is therefore reachable locally but never
        # from the network, and no rule in this table can change that.
        iifname "lo" accept
        jump filter_INPUT_POLICIES_pre
        jump filter_INPUT_ZONES
        jump filter_INPUT_POLICIES_post
        ct state { invalid } drop
        # Final reject. NOTE(review): clients usually report this ICMP
        # admin-prohibited as "no route to host" rather than "connection
        # refused"; a plain "connection refused" is a TCP RST from an
        # address with no listener, i.e. the service was not bound to the
        # external address -- confirm with `ss -ltnp`.
        reject with icmpx type admin-prohibited
    }

    # Forwarding path. This host is not a router (forward: no, masquerade:
    # no) and the FWDI/FWDO allow chains below are empty, so forwarded
    # traffic ends up at the final reject.
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        # Reject IPv6 destinations that embed IPv4 addresses (IPv4-compatible
        # ::/96, IPv4-mapped ::ffff:0.0.0.0/96, and 6to4 2002::/16 ranges
        # carrying special or private IPv4 space).
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_FORWARD_POLICIES_pre
        jump filter_FORWARD_IN_ZONES
        jump filter_FORWARD_OUT_ZONES
        jump filter_FORWARD_POLICIES_post
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    # Locally generated traffic: no final reject here, so outbound is
    # allowed except for the same IPv4-embedding IPv6 destinations.
    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }

    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }

    # Same dispatch as mangle_PREROUTING_ZONES: every interface, bound or
    # not, is evaluated against the "public" zone.
    chain filter_INPUT_ZONES {
        iifname "enp4s0f0" goto filter_IN_public
        goto filter_IN_public
    }

    chain filter_INPUT_POLICIES_post {
    }

    chain filter_FORWARD_POLICIES_pre {
    }

    chain filter_FORWARD_IN_ZONES {
        iifname "enp4s0f0" goto filter_FWDI_public
        goto filter_FWDI_public
    }

    chain filter_FORWARD_OUT_ZONES {
        oifname "enp4s0f0" goto filter_FWDO_public
        goto filter_FWDO_public
    }

    chain filter_FORWARD_POLICIES_post {
    }

    chain filter_OUTPUT_POLICIES_pre {
    }

    chain filter_OUTPUT_POLICIES_post {
    }

    # Zone chain: pre/log/deny/allow/post sub-chains, then ICMP/ICMPv6 is
    # accepted unconditionally. Anything not matched returns to
    # filter_INPUT and hits its final reject.
    chain filter_IN_public {
        jump filter_IN_public_pre
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        jump filter_IN_public_post
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_IN_public_pre {
    }

    chain filter_IN_public_log {
    }

    chain filter_IN_public_deny {
    }

    # Per-service accept rules for "public". NOTE(review): the last two
    # rules accept new connections on every unprivileged TCP and UDP port,
    # so in practice only ports 1-1023 not listed here are filtered. This
    # is close to an open host; narrow it to the ports actually required
    # (the VNC range 5900-5903 is already covered by the vnc-server rule).
    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        # dhcpv6-client: only accepted for link-local destinations
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
        tcp dport 80 ct state { new, untracked } accept
        tcp dport 443 ct state { new, untracked } accept
        tcp dport 389 ct state { new, untracked } accept
        tcp dport 636 ct state { new, untracked } accept
        tcp dport 2049 ct state { new, untracked } accept
        tcp dport 5432 ct state { new, untracked } accept
        tcp dport 873 ct state { new, untracked } accept
        udp dport 873 ct state { new, untracked } accept
        tcp dport 5900-5903 ct state { new, untracked } accept
        # From `--add-port=1024-65535/tcp` and `/udp`: effectively opens
        # every non-privileged port, including 11000 used in the test.
        tcp dport 1024-65535 ct state { new, untracked } accept
        udp dport 1024-65535 ct state { new, untracked } accept
    }

    chain filter_IN_public_post {
    }

    # Forward-out zone chain; no allow rules, so nothing is forwarded out.
    chain filter_FWDO_public {
        jump filter_FWDO_public_pre
        jump filter_FWDO_public_log
        jump filter_FWDO_public_deny
        jump filter_FWDO_public_allow
        jump filter_FWDO_public_post
    }

    chain filter_FWDO_public_pre {
    }

    chain filter_FWDO_public_log {
    }

    chain filter_FWDO_public_deny {
    }

    chain filter_FWDO_public_allow {
    }

    chain filter_FWDO_public_post {
    }

    # Forward-in zone chain; only ICMP/ICMPv6 is accepted for forwarding.
    chain filter_FWDI_public {
        jump filter_FWDI_public_pre
        jump filter_FWDI_public_log
        jump filter_FWDI_public_deny
        jump filter_FWDI_public_allow
        jump filter_FWDI_public_post
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_FWDI_public_pre {
    }

    chain filter_FWDI_public_log {
    }

    chain filter_FWDI_public_deny {
    }

    chain filter_FWDI_public_allow {
    }

    chain filter_FWDI_public_post {
    }

    # Mangle-stage zone chain; all sub-chains are empty on this host.
    chain mangle_PRE_public {
        jump mangle_PRE_public_pre
        jump mangle_PRE_public_log
        jump mangle_PRE_public_deny
        jump mangle_PRE_public_allow
        jump mangle_PRE_public_post
    }

    chain mangle_PRE_public_pre {
    }

    chain mangle_PRE_public_log {
    }

    chain mangle_PRE_public_deny {
    }

    chain mangle_PRE_public_allow {
    }

    chain mangle_PRE_public_post {
    }

    # Built-in firewalld policy applied before zone processing: accepts
    # IPv6 Neighbor Discovery (NA, NS, RA, redirect) so link operation
    # does not depend on the zone's service list.
    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    # Mangle-stage counterpart of the allow-host-ipv6 policy; empty here.
    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }
}

答案1

注释掉 /etc/hosts 中的以下一行,然后重新启动并启用防火墙之后,预期的端口就可以正常访问了。

#127.0.1.1 my-host.domain.edu my-host

我很惊讶这会影响防火墙设置,尤其是我已经为 public 区域设置了正确的接口,所以我不明白为什么这样就能修复。但现在防火墙可以按预期工作了。(补充说明:/etc/hosts 并不参与 nftables 规则的生成或匹配,上面的规则集在修改前后应该是一样的。更可能的解释是:那一行使主机名 my-host 解析到 127.0.1.1,于是绑定到 my-host 的服务只监听回环地址;从外部地址发来的 SYN 因为没有监听者而被内核以 RST 回应,客户端看到的正是“连接被拒绝”。相比之下,被上面 filter_INPUT 链末尾的 reject with icmpx type admin-prohibited 拦截的连接,客户端通常会报告“没有到主机的路由/主机不可达”,而不是“连接被拒绝”。排查这类问题时,先用 ss -ltnp 确认服务实际监听的地址,再去看防火墙。另外注意,该区域同时放行了 1024-65535/tcp 和 1024-65535/udp,几乎等于对所有非特权端口开放,建议收窄到真正需要的端口。)
