Apache on CentOS 6 accepts connections from remote clients. However, the server does not allow outgoing access (i.e. ping google.com, ssh, etc.) unless I disable iptables.
Why is iptables blocking outgoing access, and how do I stop it from doing that?
[Michael@vps2 ~]$ ping google.com
^C
[Michael@vps2 ~]$ ping localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.019 ms
^C
--- localhost.localdomain ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 789ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms
[Michael@vps2 ~]$ sudo /etc/init.d/iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1443
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1337
8 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[Michael@vps2 ~]$ sudo iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
380 41335 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ies-lm
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ndmp
2 168 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:menandmice-dns
23 1208 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 352 packets, 55019 bytes)
pkts bytes target prot opt in out source destination
[Michael@vps2 ~]$ sudo /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: mangle filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[Michael@vps2 ~]$ ping google.com
PING google.com (172.217.4.110) 56(84) bytes of data.
64 bytes from ord36s04-in-f110.1e100.net (172.217.4.110): icmp_seq=1 ttl=55 time=1.08 ms
64 bytes from ord36s04-in-f110.1e100.net (172.217.4.110): icmp_seq=2 ttl=55 time=1.00 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1209ms
rtt min/avg/max/mdev = 1.002/1.045/1.088/0.043 ms
[Michael@vps2 ~]$
Answer 1
First, you need to allow related and established packets. Put this at the top of your rule list.
# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Also, ICMP is a different protocol from TCP and UDP, and you should explicitly allow it. I usually allow ICMP entirely, because blocking it can sometimes cause problems with fragmentation and the like.
# iptables -I INPUT 2 -p icmp -j ACCEPT
One more thing: instead of adding a "drop all" rule, you can change the chain's policy:
# iptables -P INPUT DROP
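A small audit of an INPUT chain for the three problems the answer lists (no stateful rule at the top, ICMP not allowed, a catch-all DROP rule instead of a chain policy), written as an added example for this page and not taken from the question or the answer. Both rule sets are constructed: the first is the questioner's chain rewritten, abridged, in `iptables -S` syntax, the second is the same chain with the answer's changes applied.

```python
import shlex

# Constructed: the questioner's INPUT chain (abridged) in `iptables -S` syntax.
BROKEN_INPUT = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
"""

# Constructed: the same chain with the answer's three changes applied.
FIXED_INPUT = """\
-P INPUT DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

def input_chain(rules):
    """Return the INPUT chain rules of `iptables -S` text as token lists."""
    chain = []
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-A", "INPUT"]:
            chain.append(tok[2:])
    return chain

def first_rule_with(chain, *needle):
    """Index of the first rule containing the token sequence `needle`, else None."""
    for i, r in enumerate(chain):
        if any(r[j:j + len(needle)] == list(needle) for j in range(len(r))):
            return i
    return None

def audit_input(rules):
    """Return findings for the mistakes the answer points out; [] means clean."""
    chain, findings = input_chain(rules), []
    # Replies to the server's own outbound traffic arrive on INPUT; without a
    # stateful ACCEPT the catch-all DROP eats them, which is the symptom above.
    state = first_rule_with(chain, "--state", "ESTABLISHED,RELATED")
    if state is None:
        findings.append("no ESTABLISHED,RELATED rule: replies to outbound connections are dropped")
    elif state != 0:
        findings.append("ESTABLISHED,RELATED rule is not at the top of the chain")
    if first_rule_with(chain, "-p", "icmp", "-j", "ACCEPT") is None:
        findings.append("ICMP not accepted: ping replies and fragmentation messages are dropped")
    if ["-j", "DROP"] in chain:
        findings.append("catch-all DROP rule: set the chain policy instead (-P INPUT DROP)")
    return findings
```

The checks only recognise the exact `-m state --state ESTABLISHED,RELATED` form the answer uses; a `conntrack --ctstate` rule would need an extra match.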