A tedious problem: when iptables is running, my PHP admin page cannot be reached. The rules:
# iptables -L -v -n | more
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT 17 -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
0 0 REJECT 6 -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
4040 2195K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5055
0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
1 646 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
35 1764 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 REJECT 6 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT 6 -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
0 0 REJECT 17 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 17 -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3652 1884K ACCEPT 0 -- * * 10.10.141.0/24 0.0.0.0/0 policy match dir in pol ipsec proto 50
4808 4752K ACCEPT 0 -- * * 0.0.0.0/0 10.10.141.0/24 policy match dir out pol ipsec proto 50
4 5120 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 6539 packets, 5343K bytes)
pkts bytes target prot opt in out source destination
No allow rule for ports 80,443 takes effect, for example:
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
Answer 1
Move the rules above the DROP rule.
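To check this against the listing in the question: in the INPUT chain the unconditional DROP (rule 8) sits above the tcp dpt:80 and dpt:443 accepts, so those rules are never evaluated. The script below is an added example, not code from the question or the answer. It parses `iptables -L -v -n` text, reports every rule that an earlier catch-all DROP/REJECT makes unreachable, and returns the position to hand to `iptables -I` so a new rule lands above the blocker. The embedded listing is a copy of the one in the question; the function names are my own.

```python
"""Find iptables rules that a catch-all DROP/REJECT makes unreachable.

Input is the text of `iptables -L -v -n` (columns: pkts bytes target prot
opt in out source destination [matches]).  Protocol may be numeric (0, 6,
17) as in the question, or symbolic (all, tcp, udp) on other versions.
"""
import re
from typing import Dict, List, Optional, Tuple

TERMINAL_TARGETS = {"DROP", "REJECT"}
ANY_PROTO = {"0", "all"}

# Constructed input: the INPUT/FORWARD/OUTPUT chains from the question.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 REJECT 17 -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
    0     0 REJECT 6 -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
 4040 2195K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5055
    0     0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
    1   646 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
    0     0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
   35  1764 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    0     0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    0     0 REJECT 6 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
    0     0 REJECT 6 -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
    0     0 REJECT 17 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT 17 -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 3652 1884K ACCEPT 0 -- * * 10.10.141.0/24 0.0.0.0/0 policy match dir in pol ipsec proto 50
 4808 4752K ACCEPT 0 -- * * 0.0.0.0/0 10.10.141.0/24 policy match dir out pol ipsec proto 50
    4  5120 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6539 packets, 5343K bytes)
 pkts bytes target prot opt in out source destination
"""


def parse_chains(listing: str) -> Dict[str, List[dict]]:
    """Return {chain: [rule, ...]} with rules in listing order."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            current = head.group(1)
            chains[current] = []
            continue
        if not line or line.startswith("pkts") or current is None:
            continue
        cols = line.split(maxsplit=9)
        if len(cols) < 9:
            continue  # not a rule line
        chains[current].append({
            "target": cols[2], "prot": cols[3],
            "in": cols[5], "out": cols[6], "src": cols[7], "dst": cols[8],
            "extra": cols[9] if len(cols) > 9 else "", "text": line,
        })
    return chains


def is_catch_all(rule: dict) -> bool:
    """True for a DROP/REJECT with no match beyond (at most) its protocol.

    `reject-with ...` is a target option, not a match, so it is ignored."""
    if rule["target"] not in TERMINAL_TARGETS:
        return False
    matches = re.sub(r"reject-with \S+", "", rule["extra"]).strip()
    return (rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and matches == "")


def covers(blocker_proto: str, proto: str) -> bool:
    """Does a catch-all for blocker_proto swallow traffic of proto?"""
    return blocker_proto in ANY_PROTO or blocker_proto == proto


def find_shadowed(listing: str) -> List[Tuple[str, int, int, str]]:
    """(chain, rule_no, blocking_rule_no, rule_text) for unreachable rules.

    Rule numbers are 1-based, as shown by `iptables -L --line-numbers`."""
    out = []
    for chain, rules in parse_chains(listing).items():
        blockers: List[Tuple[int, str]] = []
        for no, rule in enumerate(rules, start=1):
            for bno, bproto in blockers:
                if covers(bproto, rule["prot"]):
                    out.append((chain, no, bno, rule["text"]))
                    break
            if is_catch_all(rule):
                blockers.append((no, rule["prot"]))
    return out


def insert_position(listing: str, chain: str, proto: str = "0") -> Optional[int]:
    """Position for `iptables -I <chain> <n>` so a rule for `proto` lands
    above the first catch-all that would swallow it; None if the chain has
    no such rule (appending with -A is then fine)."""
    for no, rule in enumerate(parse_chains(listing).get(chain, []), start=1):
        if is_catch_all(rule) and covers(rule["prot"], proto):
            return no
    return None


if __name__ == "__main__":
    for chain, no, bno, text in find_shadowed(SAMPLE):
        print(f"{chain} rule {no} is never reached (blocked by rule {bno}): {text}")
    print("insert the 80/443 accepts with: iptables -I INPUT",
          insert_position(SAMPLE, "INPUT", "6"))
```

Run against the question's listing it reports INPUT rules 9 through 14 as dead and gives 8 as the insert position, i.e. `iptables -I INPUT 8 -p tcp --dport 80 -j ACCEPT` (and the same for 443). Note that rule 11 (`REJECT tcp reject-with tcp-reset`) is itself a catch-all for TCP, so any TCP accept placed between it and the end of the chain would stay dead even after the DROP is dealt with; inserting above rule 8 avoids both.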
Answer 2
I would first enable logging; then you can see in the log when packets are being dropped:
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Then check the log and adjust the rules, using cat /var/log/messages | grep "IPTables-Dropped"
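Once the LOGGING chain is in place, the grep above returns one kernel line per dropped packet with key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=, ...). The script below is an added example, not code from the answer: it parses those lines and counts drops per direction, protocol and destination port, which is what tells you which service the firewall is swallowing. The log lines embedded in it are constructed in the LOG target's format with documentation addresses; the function names are my own.

```python
"""Summarise packets logged by the "IPTables-Dropped: " LOG rule.

The iptables LOG target writes space-separated key=value fields after the
log prefix; bare flags such as DF or SYN have no '=' and are skipped.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

PREFIX = "IPTables-Dropped: "
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: five firewall drops plus one unrelated sshd line.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: [ 100.1] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: [ 101.2] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: [ 102.3] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:04 gw kernel: [ 103.4] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 10 12:00:05 gw kernel: [ 104.5] IPTables-Dropped: IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 10 12:00:06 gw sshd[123]: Accepted publickey for admin from 203.0.113.5 port 50000 ssh2
"""


def parse_dropped(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict of LOG fields per line carrying the drop prefix.

    DIR is derived: a non-empty IN= means the packet was dropped on the way
    in (INPUT), otherwise it was a locally generated packet (OUTPUT)."""
    records = []
    for line in lines:
        idx = line.find(PREFIX)
        if idx < 0:
            continue  # not a firewall log line
        fields = dict(FIELD_RE.findall(line[idx + len(PREFIX):]))
        fields["DIR"] = "in" if fields.get("IN") else "out"
        records.append(fields)
    return records


def summarise(records: Iterable[Dict[str, str]]) -> Counter:
    """Count drops per (direction, protocol, destination port)."""
    counts: Counter = Counter()
    for r in records:
        counts[(r["DIR"], r.get("PROTO", "?"), r.get("DPT", "-"))] += 1
    return counts


def top_sources(records: Iterable[Dict[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Most frequent SRC addresses among inbound drops."""
    return Counter(r["SRC"] for r in records if r["DIR"] == "in").most_common(n)


if __name__ == "__main__":
    recs = parse_dropped(SAMPLE_LOG.splitlines())
    for (direction, proto, dport), count in summarise(recs).most_common():
        print(f"{direction:3} {proto:5} dpt {dport:>6}: {count} dropped")
    print("top sources:", top_sources(recs))
```

In the sample the inbound TCP 80 and 443 drops stand out immediately, which points straight at the rule ordering problem. Because the LOG rule is rate-limited to 2/min, the counts are a sample rather than a full tally; that is enough to identify the port, but not to size an attack.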