2017-07-17 52 views
0

I have been having problems connecting through a web browser to a server running Apache. I found that by stopping the iptables service I can connect and load web pages from the server. However, I don't understand what I'm missing in my iptables rules, because I have already opened up port 80. Port 80 is open, but iptables is preventing connections to Apache.

Can anyone see anything here that might be causing the problem?

-P INPUT ACCEPT 
-P FORWARD ACCEPT 
-P OUTPUT ACCEPT 
-N FORWARD_IN_ZONES 
-N FORWARD_IN_ZONES_SOURCE 
-N FORWARD_OUT_ZONES 
-N FORWARD_OUT_ZONES_SOURCE 
-N FORWARD_direct 
-N FWDI_public 
-N FWDI_public_allow 
-N FWDI_public_deny 
-N FWDI_public_log 
-N FWDO_public 
-N FWDO_public_allow 
-N FWDO_public_deny 
-N FWDO_public_log 
-N INPUT_ZONES 
-N INPUT_ZONES_SOURCE 
-N INPUT_direct 
-N IN_public 
-N IN_public_allow 
-N IN_public_deny 
-N IN_public_log 
-N OUTPUT_direct 
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -j INPUT_direct 
-A INPUT -j INPUT_ZONES_SOURCE 
-A INPUT -j INPUT_ZONES 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A INPUT -p udp -m udp --dport 123 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i lo -j ACCEPT 
-A FORWARD -j FORWARD_direct 
-A FORWARD -j FORWARD_IN_ZONES_SOURCE 
-A FORWARD -j FORWARD_IN_ZONES 
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE 
-A FORWARD -j FORWARD_OUT_ZONES 
-A FORWARD -p icmp -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-A OUTPUT -j OUTPUT_direct 
-A OUTPUT -p udp -m udp --sport 123 -j ACCEPT 
-A FORWARD_IN_ZONES -i eno1 -g FWDI_public 
-A FORWARD_IN_ZONES -g FWDI_public 
-A FORWARD_OUT_ZONES -o eno1 -g FWDO_public 
-A FORWARD_OUT_ZONES -g FWDO_public 
-A FWDI_public -j FWDI_public_log 
-A FWDI_public -j FWDI_public_deny 
-A FWDI_public -j FWDI_public_allow 
-A FWDO_public -j FWDO_public_log 
-A FWDO_public -j FWDO_public_deny 
-A FWDO_public -j FWDO_public_allow 
-A INPUT_ZONES -i eno1 -g IN_public 
-A INPUT_ZONES -g IN_public 
-A IN_public -j IN_public_log 
-A IN_public -j IN_public_deny 
-A IN_public -j IN_public_allow 
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT 

EDIT ***

Below is the output of iptables -nvL, as requested by Bogdan Stoica:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    6 396 ACCEPT  udp -- *  *  0.0.0.0/0   0.0.0.0/0   udp dpt:53 state NEW 
    0  0 ACCEPT  udp -- *  *  0.0.0.0/0   0.0.0.0/0   udp dpt:53 state NEW 
    22 1520 ACCEPT  all -- *  *  0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED 
    0  0 ACCEPT  all -- lo  *  0.0.0.0/0   0.0.0.0/0   
    16 2177 INPUT_direct all -- *  *  0.0.0.0/0   0.0.0.0/0   
    16 2177 INPUT_ZONES_SOURCE all -- *  *  0.0.0.0/0   0.0.0.0/0   
    16 2177 INPUT_ZONES all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 ACCEPT  icmp -- *  *  0.0.0.0/0   0.0.0.0/0   
    16 2177 REJECT  all -- *  *  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited 
    0  0 ACCEPT  udp -- *  *  0.0.0.0/0   0.0.0.0/0   udp dpt:123 
    0  0 ACCEPT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp dpt:80 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 ACCEPT  all -- *  *  0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED 
    0  0 ACCEPT  all -- lo  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FORWARD_direct all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FORWARD_IN_ZONES_SOURCE all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FORWARD_IN_ZONES all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FORWARD_OUT_ZONES_SOURCE all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FORWARD_OUT_ZONES all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 ACCEPT  icmp -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 REJECT  all -- *  *  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 21 packets, 3720 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    21 3720 OUTPUT_direct all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 ACCEPT  udp -- *  *  0.0.0.0/0   0.0.0.0/0   udp spt:123 

Chain FORWARD_IN_ZONES (1 references) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 FWDI_public all -- eno1 *  0.0.0.0/0   0.0.0.0/0   [goto] 
    0  0 FWDI_public all -- *  *  0.0.0.0/0   0.0.0.0/0   [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain FORWARD_OUT_ZONES (1 references) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 FWDO_public all -- *  eno1 0.0.0.0/0   0.0.0.0/0   [goto] 
    0  0 FWDO_public all -- *  *  0.0.0.0/0   0.0.0.0/0   [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain FORWARD_direct (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain FWDI_public (2 references) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 FWDI_public_log all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FWDI_public_deny all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FWDI_public_allow all -- *  *  0.0.0.0/0   0.0.0.0/0   

Chain FWDI_public_allow (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain FWDI_public_deny (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain FWDI_public_log (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain FWDO_public (2 references) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 FWDO_public_log all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FWDO_public_deny all -- *  *  0.0.0.0/0   0.0.0.0/0   
    0  0 FWDO_public_allow all -- *  *  0.0.0.0/0   0.0.0.0/0   

Chain FWDO_public_allow (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain FWDO_public_deny (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain FWDO_public_log (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain INPUT_ZONES (1 references) 
pkts bytes target  prot opt in  out  source    destination   
    16 2177 IN_public all -- eno1 *  0.0.0.0/0   0.0.0.0/0   [goto] 
    0  0 IN_public all -- *  *  0.0.0.0/0   0.0.0.0/0   [goto] 

Chain INPUT_ZONES_SOURCE (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain INPUT_direct (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain IN_public (2 references) 
pkts bytes target  prot opt in  out  source    destination   
    16 2177 IN_public_log all -- *  *  0.0.0.0/0   0.0.0.0/0   
    16 2177 IN_public_deny all -- *  *  0.0.0.0/0   0.0.0.0/0   
    16 2177 IN_public_allow all -- *  *  0.0.0.0/0   0.0.0.0/0   

Chain IN_public_allow (1 references) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 ACCEPT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp dpt:22 ctstate NEW 

Chain IN_public_deny (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain IN_public_log (1 references) 
pkts bytes target  prot opt in  out  source    destination   

Chain OUTPUT_direct (1 references) 
pkts bytes target  prot opt in  out  source    destination   

+0

Can you provide the output of 'iptables -nvL' while all the firewall rules are active? –

+0

Added now, cheers – nmh
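The counters in the -nvL output above already point at the cause: the catch-all REJECT rule in INPUT has counted 16 packets while the "tcp dpt:80" ACCEPT listed below it has counted 0. The following script is an added example, not code from the question or the answer; it parses iptables -S style output (a constructed, abridged copy of the question's INPUT chain) and lists every rule that sits after an unconditional terminating rule in the same chain, since iptables evaluates a chain top-down and such rules can never match.

```python
from collections import defaultdict

# Constructed excerpt of the INPUT chain from the question's `iptables -S`
# output, abridged to the rules that matter for the port 80 problem.
RULES = """\
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Targets that end evaluation of the chain for a packet that matches.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    """Group the '-A <chain> ...' lines of `iptables -S` by chain, in order."""
    chains = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "-A":
            chains[parts[1]].append(parts[2:])
    return chains

def target_of(rule):
    """Jump target of a rule, or None when it has no '-j'."""
    return rule[rule.index("-j") + 1] if "-j" in rule else None

def is_catch_all(rule):
    """A rule with no match options starts with '-j' and matches every packet."""
    return bool(rule) and rule[0] == "-j"

def shadowed_rules(chains, chain):
    """Return (rule, blocker) string pairs for rules placed after a catch-all
    terminating rule in `chain`; iptables evaluates top-down, so they never
    match, which is why the ACCEPT for port 80 appended after REJECT is dead."""
    found, blocker = [], None
    for rule in chains.get(chain, []):
        if blocker is not None:
            found.append((" ".join(rule), " ".join(blocker)))
        elif is_catch_all(rule) and target_of(rule) in TERMINAL:
            blocker = rule
    return found
```

The check looks at one chain only: a jump into a user chain that itself ends in a terminating rule (the `-g` gotos into IN_public here) is not followed, so treat its output as a first pass, and confirm with the pkts column of iptables -nvL.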

Answer

0

I can't really follow, because you have so many chains (and I'm not sure what each chain is supposed to be, but... I'm guessing, and my guess may be wrong). As a basic rule, you should have:

1) The default policy should be DROP, and then you allow strictly what you need.
2) Try updating the allow rules as follows:

iptables -A IN_public_allow -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT 
iptables -A IN_public_allow -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT 

This looks like a misconfiguration:

-A IN_public -j IN_public_log 
-A IN_public -j IN_public_deny 
-A IN_public -j IN_public_allow 

Basically you haven't defined a policy for those chains. I would reconfigure the firewall completely. You need to put everything on paper from the start: what chains you need, why you need them, what policy each chain should have, and so on. Then you can create the rules and add them to their specific chains.