端口 443 已开放,但 IP 表拒绝该端口

tag-icon tag-icon ubuntu iptables firewall nmap
端口 443 已开放,但 IP 表拒绝该端口

当我在 Ubuntu 实例上运行以下命令时:

$ nmap host

我看到端口 443 已打开:

Starting Nmap 5.21 ( http://nmap.org ) at 2013-03-19 05:36 PDT
Nmap scan report for [host redacted] (ip address redacted)
Host is up (0.000034s latency).
rDNS record for [ip address redacted]: [host redacted]
Not shown: 995 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
25/tcp    open  smtp
80/tcp    open  http
443/tcp   open  https
30000/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

但是,我无法远程登录到端口 443。当我这样做时,我在系统日志中看到以下条目

Mar 19 05:39:30 localhost kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:ae:c6:7a:c8:4c:75:f5:d6:3f:08:00 SRC=(ip address redacted) DST=(ip address redacted) LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=23782 DF PROTO=TCP SPT=53375 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

iptables -L --line-numbersACCEPT 链的输出如下:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            
2    REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable 
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000 
6    LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: ' 
7    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
8    ufw-before-logging-input  all  --  anywhere             anywhere            
9    ufw-before-input  all  --  anywhere             anywhere            
10   ufw-after-input  all  --  anywhere             anywhere            
11   ufw-after-logging-input  all  --  anywhere             anywhere            
12   ufw-reject-input  all  --  anywhere             anywhere            
13   ufw-track-input  all  --  anywhere             anywhere            
14   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https

我曾经尝试使用 UFW,但现在它已被禁用,我只使用 iptables。我看到在第 14 行我接受了到端口 443 的数据包,但在第 7 行我拒绝了数据包。规则的定位有问题吗?如果是,我该如何将其进一步移至链的上部?还是规则本身有问题?

当我查看 bash 历史记录时,我相信这是所使用的规则:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

更新:

我只是通过将规则进一步移至链中并删除附加的规则来解决这个问题:

$ iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT # add the rule to the 6th position
$ iptables -L
$ iptables -D INPUT 15 # delete line 15

答案1

您的规则需要在拒绝行和日志行之前

6    LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: ' 
7    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

应该是最后。这是因为规则是按顺序处理的,一旦匹配成功,就不会再查看其他规则

相关内容