CentOS does not open a port after adding a rule


So, after some fighting and struggling with the firewall, I found that I may be doing something wrong, or the firewall is not responding correctly; there is a port filter that is blocking some ports.

By the way, I have searched the internet, posted on forums, done almost everything, and now the site named "serverfault" is my last resort. I need help. What I hope to achieve is to create a pptp server to connect Windows/Linux clients.

Updated @ bottom

OK, here is what I did:

I made some changes to the iptables file, which resulted in countless problems, so I restored the iptables.old file.

Contents of iptables.old:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After restoring iptables.old (back to stock), an nmap scan shows:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:54 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds

If I append the rule: (accept all tcp ports coming into the server on interface eth0)

iptables -A INPUT -i eth0 -m tcp -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:58 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds

*Note that it allows and opens port 443 but does not open the other ports, and port 113 was removed......?

Removing the previous rule, if I append the rule: (allow and open port 80 coming into the server on interface eth0)

iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:01 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds

*Note that it removed port 443 and allowed 80, but it is closed

Without removing the previous rule, if I append the rule: (allow and open port 1723 coming into the server on interface eth0)

iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:05 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

*Notice there is no change in the open or closed ports?

After removing the rules:

iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident

Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds

And putting back the rule: (accept all tcp ports coming into the server on interface eth0)

iptables -A INPUT -i eth0 -m tcp -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds

Note that eth0 changed 999 filtered ports to 858 filtered ports and 139 closed ports

Question:

Why can't I allow and/or open a specific port? For example, I want to allow and open port 443, but it does not allow it, not even 1723 for pptp. Why can't I do this???

Sorry about the layout; the editor is also acting up (sigh)

Update @MadHatter comment #1

Thank you madhatter

In my iptables file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# ----------all rules mentioned in post were added here ONLY!!!----------

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

What changes should I make if I want to allow and open port 1723 (or edit iptables to allow pptp connections from a remote PC)? (Please bear with me, this is my first time working with a server, etc.)

Update MadHatter comment #2

iptables -L -n -v --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        9   660 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
6        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 6 packets, 840 bytes)
num   pkts bytes target     prot opt in     out     source               destination  

Just on a personal note, madhatter, thank you for your support, I really appreciate it!

Update MadHatter comment #3

Here are the interfaces

 ifconfig

eth0      Link encap:Ethernet  HWaddr 00:1D:D8:B7:1F:DC  
          inet addr:[server ip]  Bcast:[server ip x.x.x].255  Mask:255.255.255.0
          inet6 addr: fe80::21d:d8ff:feb7:1fdc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2830372 (2.6 MiB)  TX bytes:427976 (417.9 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Remote nmap

nmap -p 1723 [server ip]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-11-01 16:17 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
PORT     STATE    SERVICE
1723/tcp filtered pptp

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

Local nmap

nmap -p 1723 localhost

Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-01 16:19 SAST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
1723/tcp open  pptp

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Update MadHatter comment post #4

I'm sorry if this may have caused any confusion; I did append the rule: (only after post #3)

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

netstat -apn|grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1142/pptpd   

There is no VPN or firewall between the server and "me"

Update MadHatter comment #5

Things took an interesting turn:

I booted Windows 7, created a VPN connection, verified the username and password -> it checks sstp, then checks pptp (it passed quickly, meaning no problem), but while verifying the username and password (before registering the PC on the network) it got stuck, with this error:

Connection failed with error 2147943625 The remote computer refused the network connection

netstat -apn | grep -w 1723

Before connecting:

netstat -apn |grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1137/pptpd

Trying again after the error appeared:

 netstat -apn |grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1137/pptpd
tcp        0      0 41.185.26.238:1723          41.13.212.47:49607          TIME_WAIT   -

I don't know what this means, but it seems like progress..., any ideas???
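Added example, not part of the original question or answer: a small check for the ordering problem that makes a freshly added rule look as if it never took effect. iptables -A appends to the end of the chain, so on a ruleset whose INPUT chain already ends in "-A INPUT -j REJECT ..." every rule appended at the command line lands after the REJECT and is never evaluated (the listing with --line-numbers above shows where the REJECT sits). Inserting with "iptables -I INPUT <n>" before that line, or editing /etc/sysconfig/iptables above the REJECT as the comment in the file marks, avoids this. The helper name shadowed_rules and the sample file are assumptions constructed for this example; the sample reuses the stock CentOS rules from the question with two ACCEPT rules appended after the REJECT.

```shell
#!/bin/sh
# Added example (not from the original post): report filter-table INPUT rules
# that sit after a catch-all terminating rule (-j REJECT / -j DROP with no
# match qualifiers). Packets never reach those rules.
# Usage: iptables-save > /tmp/rules.txt; shadowed_rules /tmp/rules.txt

shadowed_rules() {
    # $1: file in iptables-save format
    awk '
        /^\*/     { table = substr($0, 2); dead = 0; next }  # new table
        /^COMMIT/ { dead = 0; next }
        table == "filter" && /^-A INPUT / {
            if (dead) { print "shadowed: " $0; next }
            # a terminating rule with no match options at all
            if ($0 ~ /^-A INPUT -j (REJECT|DROP)( |$)/) dead = 1
        }
    ' "$1"
}

# Constructed sample: the stock ruleset from the question, plus two ACCEPT
# rules placed where "iptables -A INPUT ..." would put them (after the REJECT).
sample_file=$(mktemp)
cat > "$sample_file" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 1723 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

shadowed_rules "$sample_file"
rm -f "$sample_file"
```

Run against a live box with iptables-save as the input; an empty result means every INPUT rule is reachable, and each "shadowed:" line is a rule that has to be moved above the REJECT (iptables -I INPUT <n> ..., then service iptables save) before it can change what nmap sees.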

Answer 1

After extensive testing (see comments), you are not experiencing a firewall or transport problem. The client is able to connect to pptpd on the server; the remaining issues are application-related (I see you have asked a separate question about that).

By the way, I second Jiri's comment about nmap; it is not a good tool for testing end-to-end connectivity of a single port. telnet serverip 1723 would be better, if you can use it.

I am writing this just so you can accept an answer and stop this question drifting around forever like a ghost ship; also because negative answers are useful too, and the diagnostic process shown may help others in the future.
