Ssh

在 RHEL 6.8 中打開防火牆埠

  • April 20, 2017

我正在努力根據 Redhat 6.8 中的防火牆確定特定埠是否打開

我想打開2222埠。

我嘗試了以下方法:

system-config-firewall,以 sudo 執行,我將埠 2222 描述為要打開的特定埠:

在此處輸入圖像描述 然而,埠似乎沒有打開。我正在嘗試通過 SSH 連接到埠 2222 來對此進行測試。目前 SSH 在埠 22 上執行,我可以正常連接,但是當我將 SSH 配置為通過 2222 執行時,Port 2222在 /etc/ssh/ 中的 sshd_config 中使用時,連接超時。我知道 SSHD 配置為偵聽該埠,因為我可以使用 netstat 進行測試。

我還嘗試了對 /etc/sysconfig/iptables 的各種編輯,包括添加以下規則:

-I INPUT 9 -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

在我執行這些更改後sudo service iptables restart,我無法連接。有趣的是,如果我這樣做了,cat /etc/sysconfig/iptables | grep 2222我將無法在該列表中看到我的新規則,我希望我應該這樣做。執行時我也看不到sudo iptables -L -n正常嗎?

我已經意識到主機正在執行 SELinux - 根據此輸出:

[andyarmstrong@o0201320382301 ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

我安裝了 semanage,並執行了 : semanage port -a -t ssh_port_t -p tcp 2222– 但我仍然沒有通過它。

整個 /etc/sysconfig/iptables 文件包含以下內容:

#GENERATED BY Modular IPTABLES Config
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 5308 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
# Sametime File Transfers use ports 443 and 5656
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5656 -j ACCEPT
#VoiceJam Rules
-A INPUT -p udp -m udp --dport 5004:5005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5004:5005 -j ACCEPT
-A INPUT -p udp -m udp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5062 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5062 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# CDS Peering #60050
-A INPUT -p tcp -m tcp --dport 21100 -j ACCEPT
# My Help SSL P2P migration
-A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A INPUT -p udp -m udp --dport 2001 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -i ipsec+ -p 254 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 9 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT

# Enable forward between KVM server and virtual machines
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
# Rule required by package ibm-config-kvm-printing
# Allow printer sharing between Linux host and KVM guests
-A INPUT -i virbr0 -p tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1533 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 52311 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67:68 -j DROP
-A INPUT -p udp -m udp --dport 67:68 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 161:162 -j DROP
-A INPUT -p tcp -m tcp --dport 520 -j DROP
-A INPUT -p tcp -m tcp --dport 6348:6349 -j DROP
-A INPUT -p tcp -m tcp --dport 6345:6347 -j DROP
-A INPUT -i virbr0 -p tcp -d 192.168.122.1 --dport 445 -j ACCEPT
-A INPUT -i virbr0 -p tcp -d 192.168.122.1 --dport 1445 -j ACCEPT
-A INPUT -i virbr1 -p tcp -d 192.168.123.1 --dport 445 -j ACCEPT
-A INPUT -i virbr1 -p tcp -d 192.168.123.1 --dport 1445 -j ACCEPT
# Accept local Samba connections
-I INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-I INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-I INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-I INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-I INPUT -i virbr0 -p udp -m udp --dport 137 -j ACCEPT
-I INPUT -i virbr0 -p udp -m udp --dport 138 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 139 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 445 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 137 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 138 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 139 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 48500 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 48500 -j ACCEPT
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -p udp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -j DROP
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i virbr0 -p tcp -d 192.168.122.1 --dport 445 -j REDIRECT --to-port 1445
-A PREROUTING -i virbr1 -p tcp -d 192.168.123.1 --dport 445 -j REDIRECT --to-port 1445

COMMIT

iptables 配置文件是:

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_ftp"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

FILE=`mktemp -q /tmp/iptables-rules.XXXXXXXXXX`
/opt/ibm/c4eb/firewall/create-rule-file.sh > $FILE
cp $FILE /etc/sysconfig/iptables
rm $FILE

—-進度更新—–當我執行我的命令時: sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 還有 sudo iptables -A OUTPUT -p tcp --dport 2222 -m conntrack --ctstate ESTABLISHED -j ACCEPT

我看到/etc/sysconfig/iptables文件大小增加到 6583。然後我執行 sudo service iptables save。保存也是一樣的。然後我執行 sudo service iptables restart,文件恢復到原來的大小(6219),沒有我的更新!為什麼!

我錯過了什麼嗎?你能看到我錯過的任何東西嗎?

感謝大家的支持

看起來您的/etc/sysconfig/iptables配置文件正在被覆蓋/opt/ibm/c4eb/firewall/create-rule-file.sh(請參閱 iptables 配置文件的最後一位)…

FILE=`mktemp -q /tmp/iptables-rules.XXXXXXXXXX`
/opt/ibm/c4eb/firewall/create-rule-file.sh > $FILE
cp $FILE /etc/sysconfig/iptables
rm $FILE

我認為(通過快速網路搜尋)c4eb 腳本從下面的文件中獲取輸入,/etc/iptables.d/filter/因此您需要更新它們,因為任何更改都/etc/sysconfig/iptables將被覆蓋。create-rule-file.sh如果沒有任何文件,您顯然可以通過查看腳本來確認這一點。

我希望像這樣的工具在頂部有更明確的註釋…

# Don't edit this file directly, instead edit the files under X and run Y

我想這是暗示

#GENERATED BY Modular IPTABLES Config

但這可能更清楚。

引用自:https://serverfault.com/questions/844772