当我在 Ubuntu 实例上运行以下命令时:
$ nmap host
我看到端口 443 已打开:
Starting Nmap 5.21 ( http://nmap.org ) at 2013-03-19 05:36 PDT
Nmap scan report for [host redacted] (ip address redacted)
Host is up (0.000034s latency).
rDNS record for [ip address redacted]: [host redacted]
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
443/tcp open https
30000/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
但是,我无法远程登录到端口 443。当我这样做时,我在系统日志中看到以下条目
Mar 19 05:39:30 localhost kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:ae:c6:7a:c8:4c:75:f5:d6:3f:08:00 SRC=(ip address redacted) DST=(ip address redacted) LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=23782 DF PROTO=TCP SPT=53375 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
iptables -L --line-numbers
ACCEPT 链的输出如下:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
3 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
4 ACCEPT tcp -- anywhere anywhere tcp dpt:www
5 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:30000
6 LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
7 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
8 ufw-before-logging-input all -- anywhere anywhere
9 ufw-before-input all -- anywhere anywhere
10 ufw-after-input all -- anywhere anywhere
11 ufw-after-logging-input all -- anywhere anywhere
12 ufw-reject-input all -- anywhere anywhere
13 ufw-track-input all -- anywhere anywhere
14 ACCEPT tcp -- anywhere anywhere tcp dpt:https
我曾经尝试使用 UFW,但现在它已被禁用,我只使用 iptables。我看到在第 14 行我接受了到端口 443 的数据包,但在第 7 行我拒绝了数据包。规则的定位有问题吗?如果是,我该如何将其进一步移至链的上部?还是规则本身有问题?
当我查看 bash 历史记录时,我相信这是所使用的规则:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
更新:
我只是通过将规则进一步移至链中并删除附加的规则来解决这个问题:
$ iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT # add the rule to the 6th position
$ iptables -L
$ iptables -D INPUT 15 # delete line 15
答案1
您的规则需要在拒绝行和日志行之前
6 LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
7 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
应该是最后。这是因为规则是按顺序处理的,一旦匹配成功,就不会再查看其他规则