Iptables

Firewall completely disabled but still cannot access port - CentOS 7

  • December 7, 2018

I disabled SELinux in /etc/sysconfig/selinux:

SELINUX=disabled

Rebooted and disabled the firewalld and iptables services.

# sestatus
SELinux status:                 disabled

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
  Active: inactive (dead)
    Docs: man:firewalld(1)

# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
  Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
  Active: inactive (dead)

# ufw status
Status: inactive

I still cannot reach the server on the specific port:

# nc -v 10.0.12.3 8887
nc: connect to 10.0.12.3 port 8887 (tcp) failed: Connection refused

I can ping the server and ssh into it.

I tried opening the port with iptables and with firewalld, but without success. The last remaining option was to disable the firewall completely, and even that did not work.

The listening ports are:

# netstat -plnt

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1031/rpcbind        
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1843/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1392/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1391/cupsd          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1756/master         
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN      1892/sshd: jmalapra 
tcp        0      0 0.0.0.0:6011            0.0.0.0:*               LISTEN      2461/sshd: jmalapra 
tcp6       0      0 :::111                  :::*                    LISTEN      1031/rpcbind        
tcp6       0      0 :::22                   :::*                    LISTEN      1392/sshd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      1391/cupsd          
tcp6       0      0 :::6010                 :::*                    LISTEN      1892/sshd: jmalapra 
tcp6       0      0 :::6011                 :::*                    LISTEN      2461/sshd: jmalapra

Use netstat or ss to verify that the service is actually listening on the relevant IP/port.

Edit: Now that you have verified the relevant service is running, restore your box's security measures:

# Restore SELinux
sed -i -e 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/sysconfig/selinux
touch /.autorelabel
reboot

# Firewall exception
firewall-cmd --zone=public --add-port=8887/tcp --permanent 
firewall-cmd --reload

# Remove superfluous packages
yum remove -y iptables-services ufw
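As an added diagnostic example (not part of the original answer), the following POSIX shell function classifies how a TCP port is bound from netstat -plnt style output. It separates "nothing listening" and "bound to loopback only" (both produce "Connection refused" for remote clients no matter what the firewall does) from the case where the socket really is exposed, which is when firewall rules become the next suspect. The sample netstat output embedded below is constructed for the demo.

```shell
#!/bin/sh
# Constructed sample of `netstat -plnt` output (not taken from the post):
# the layout matches the real tool, PIDs and program names are illustrative.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1392/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1391/cupsd
tcp        0      0 127.0.0.1:8887          0.0.0.0:*               LISTEN      2203/python
tcp6       0      0 :::22                   :::*                    LISTEN      1392/sshd'

# listen_state PORT [NETSTAT_OUTPUT]
# Prints one of:
#   none     - no socket is in LISTEN state on that port
#   loopback - only 127.x / ::1 is bound, so remote clients get "refused"
#   all      - bound to 0.0.0.0, :: or a specific non-loopback address
# When NETSTAT_OUTPUT is omitted the live `netstat -plnt` output is used.
listen_state() {
    port="$1"
    input="${2:-$(netstat -plnt 2>/dev/null)}"
    # Keep LISTEN rows whose local address ends in ":PORT" and print the
    # address part only (":::22" -> "::", "::1:631" -> "::1").
    addrs=$(printf '%s\n' "$input" | awk -v p="$port" '
        $6 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] == p) { sub(":" p "$", "", $4); print $4 }
        }')
    [ -z "$addrs" ] && { echo none; return; }
    state=loopback
    for a in $addrs; do
        case "$a" in
            127.*|::1) ;;       # loopback only: unreachable from other hosts
            *) state=all ;;     # wildcard or a routable address
        esac
    done
    echo "$state"
}

# Demo against the constructed sample: 8887 is bound to 127.0.0.1 only, which
# fully explains a remote "Connection refused" with every firewall disabled.
echo "port 8887: $(listen_state 8887 "$SAMPLE_NETSTAT")"
echo "port 22:   $(listen_state 22 "$SAMPLE_NETSTAT")"
```

Run it without the second argument on the affected host to classify a real port; "none" or "loopback" means the fix is in the service's bind configuration, not in firewalld or iptables.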

Quoted from: https://serverfault.com/questions/919550