Domain-Name-System

Added the DNS port to iptables but it is not open (CentOS 7)

  • November 6, 2017

I added the DNS server port to iptables. When I check with netstat, the named service is even listening on it, but when I check the port from outside it is closed.

iptables -n -L => output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53

netstat -lnp => output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      652/master          
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1357/nginx: master  
tcp        0      0 123.123.123.123:53       0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      585/sshd            
tcp6       0      0 ::1:953                 :::*                    LISTEN      11222/named         
tcp6       0      0 ::1:25                  :::*                    LISTEN      652/master          
tcp6       0      0 :::3306                 :::*                    LISTEN      10529/mysqld        
tcp6       0      0 :::80                   :::*                    LISTEN      1357/nginx: master  
tcp6       0      0 :::53                   :::*                    LISTEN      11222/named         
tcp6       0      0 :::22                   :::*                    LISTEN      585/sshd            
udp        0      0 123.123.123.123:53       0.0.0.0:*                           11222/named         
udp        0      0 127.0.0.1:53            0.0.0.0:*                           11222/named         
udp6       0      0 :::53                   :::*                                11222/named         
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     11177    652/master           private/verify
unix  2      [ ACC ]     STREAM     LISTENING     11180    652/master           public/flush
unix  2      [ ACC ]     STREAM     LISTENING     11183    652/master           private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     11186    652/master           private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     27726    10529/mysqld         /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     11189    652/master           private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     11192    652/master           private/relay
unix  2      [ ACC ]     STREAM     LISTENING     11195    652/master           public/showq
unix  2      [ ACC ]     STREAM     LISTENING     11198    652/master           private/error
unix  2      [ ACC ]     STREAM     LISTENING     11201    652/master           private/retry
unix  2      [ ACC ]     STREAM     LISTENING     11204    652/master           private/discard
unix  2      [ ACC ]     STREAM     LISTENING     11272    325/acpid            /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     11207    652/master           private/local
unix  2      [ ACC ]     STREAM     LISTENING     11210    652/master           private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     11213    652/master           private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     11216    652/master           private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     11219    652/master           private/scache
unix  2      [ ACC ]     STREAM     LISTENING     14096    1082/php-fpm: maste  /run/php-fpm/php-fpm.sock
unix  2      [ ACC ]     STREAM     LISTENING     11151    652/master           public/pickup
unix  2      [ ACC ]     STREAM     LISTENING     9051     1/systemd            /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     SEQPACKET  LISTENING     13690    1/systemd            /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     13253    1/systemd            /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7127     1/systemd            /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     11155    652/master           public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     11158    652/master           public/qmgr
unix  2      [ ACC ]     STREAM     LISTENING     11162    652/master           private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     11165    652/master           private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     11168    652/master           private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     11171    652/master           private/defer
unix  2      [ ACC ]     STREAM     LISTENING     11174    652/master           private/trace

Any idea how to fix this?

To fix it, you must do the following:

iptables-save > temp.ruleset

vi temp.ruleset

Find the line with -j REJECT; there is only one.

Move it down two lines, below the two udp rules.

Save with :wq

Reload the edited ruleset: iptables-restore < temp.ruleset

In future, please add rules with iptables -I (rule position number) rather than with iptables -A, because with this INPUT reject rule in place, anything below it will be blocked.
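The ordering problem the answer describes can be checked and corrected mechanically on the iptables-save text. The script below is an added example, not part of the original question or answer; it uses a constructed ruleset that mirrors the INPUT chain shown above (placeholder counters, no real addresses), reports ACCEPT rules that sit below the unconditional REJECT and so can never match, and moves that REJECT to the end of the INPUT chain.

```shell
#!/bin/sh
# Constructed iptables-save style ruleset modelled on the question's INPUT chain
# (sample data for this example, not taken from the asker's machine).
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT'

# Read an iptables-save ruleset on stdin and print every INPUT rule that
# follows an unconditional "-A INPUT -j REJECT" or "-A INPUT -j DROP".
# Chains are evaluated top to bottom, so such rules are dead (shadowed).
shadowed_input_rules() {
  awk '
    $1 == "-A" && $2 == "INPUT" {
      if (blocked) print
      # a catch-all has no match options: the target follows the chain name
      if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) blocked = 1
    }'
}

# Rewrite the ruleset so the INPUT catch-all REJECT/DROP lines come last in
# the INPUT chain (iptables-save groups rules chain by chain, so the catch-all
# is emitted when the first non-INPUT line after the INPUT rules appears).
move_input_reject_last() {
  awk '
    $1 == "-A" && $2 == "INPUT" {
      if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) held = held $0 "\n"
      else print
      next
    }
    { if (held != "") { printf "%s", held; held = "" } ; print }
    END { if (held != "") printf "%s", held }'
}

# Usage: show the dead rules in the sample, then the corrected ruleset.
printf '%s\n' "$RULESET" | shadowed_input_rules
printf '%s\n' "$RULESET" | move_input_reject_last
```

On a live host the same pipeline is `iptables-save | shadowed_input_rules` to audit, and `iptables-save | move_input_reject_last > temp.ruleset` followed by review and `iptables-restore < temp.ruleset` to apply.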

Quoted from: https://serverfault.com/questions/882093