Opening a firewall port in RHEL 6.8
I am struggling to determine whether a specific port is open according to the firewall on Redhat 6.8.
I want to open port 2222.
I have tried the following:
system-config-firewall, run as sudo, where I specified port 2222 as a specific port to open:
However, the port does not seem to be open. I am testing this by trying to connect via SSH on port 2222. Currently SSH runs on port 22 and I can connect fine, but when I configure SSH to run over 2222 by using
Port 2222
in sshd_config under /etc/ssh/, the connection times out. I know SSHD is configured to listen on that port, because I can test that with netstat. I have also tried various edits to /etc/sysconfig/iptables, including adding the following rules:
-I INPUT 9 -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
and
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
After I make these changes and run
sudo service iptables restart
I am unable to connect. Interestingly, if I do
cat /etc/sysconfig/iptables | grep 2222
I cannot see my new rules in that listing, which I would expect to. I also don't see them when I run
sudo iptables -L -n
Is that normal? I have realized that the host is running SELinux, per this output:
[andyarmstrong@o0201320382301 ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
I installed semanage and ran:
semanage port -a -t ssh_port_t -p tcp 2222
– but I still can't get through. The full /etc/sysconfig/iptables file contains the following:
#GENERATED BY Modular IPTABLES Config
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 5308 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
# Sametime File Transfers use ports 443 and 5656
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5656 -j ACCEPT
#VoiceJam Rules
-A INPUT -p udp -m udp --dport 5004:5005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5004:5005 -j ACCEPT
-A INPUT -p udp -m udp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5062 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5062 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# CDS Peering #60050
-A INPUT -p tcp -m tcp --dport 21100 -j ACCEPT
# My Help SSL P2P migration
-A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A INPUT -p udp -m udp --dport 2001 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -i ipsec+ -p 254 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 9 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
# Enable forward between KVM server and virtual machines
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
# Rule required by package ibm-config-kvm-printing
# Allow printer sharing between Linux host and KVM guests
-A INPUT -i virbr0 -p tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1533 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 52311 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67:68 -j DROP
-A INPUT -p udp -m udp --dport 67:68 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 161:162 -j DROP
-A INPUT -p tcp -m tcp --dport 520 -j DROP
-A INPUT -p tcp -m tcp --dport 6348:6349 -j DROP
-A INPUT -p tcp -m tcp --dport 6345:6347 -j DROP
-A INPUT -i virbr0 -p tcp -d 192.168.122.1 --dport 445 -j ACCEPT
-A INPUT -i virbr0 -p tcp -d 192.168.122.1 --dport 1445 -j ACCEPT
-A INPUT -i virbr1 -p tcp -d 192.168.123.1 --dport 445 -j ACCEPT
-A INPUT -i virbr1 -p tcp -d 192.168.123.1 --dport 1445 -j ACCEPT
# Accept local Samba connections
-I INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-I INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-I INPUT -i virbr0 -p udp -m udp --dport 137 -j ACCEPT
-I INPUT -i virbr0 -p udp -m udp --dport 138 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 139 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 445 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 137 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 138 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 139 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 48500 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 48500 -j ACCEPT
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -p udp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -j DROP
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i virbr0 -p tcp -d 192.168.122.1 --dport 445 -j REDIRECT --to-port 1445
-A PREROUTING -i virbr1 -p tcp -d 192.168.123.1 --dport 445 -j REDIRECT --to-port 1445
COMMIT
The iptables config file is:
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_ftp"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

FILE=`mktemp -q /tmp/iptables-rules.XXXXXXXXXX`
/opt/ibm/c4eb/firewall/create-rule-file.sh > $FILE
cp $FILE /etc/sysconfig/iptables
rm $FILE
---- Progress update ----
When I run my commands:
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
and
sudo iptables -A OUTPUT -p tcp --dport 2222 -m conntrack --ctstate ESTABLISHED -j ACCEPT
I see the
/etc/sysconfig/iptables
file size increase to 6583. Then I run sudo service iptables save. It is the same after the save. Then I run sudo service iptables restart and the file goes back to its original size (6219), without my update! Why?! Am I missing something? Can you see anything I have missed?
Thanks everyone for the help
It looks like your
/etc/sysconfig/iptables
config file is being overwritten by /opt/ibm/c4eb/firewall/create-rule-file.sh
(see the last bit of the iptables config file)…
FILE=`mktemp -q /tmp/iptables-rules.XXXXXXXXXX`
/opt/ibm/c4eb/firewall/create-rule-file.sh > $FILE
cp $FILE /etc/sysconfig/iptables
rm $FILE
I think (from a quick web search) that the c4eb script takes its input from the files under
/etc/iptables.d/filter/
so you will need to update those, since any changes to /etc/sysconfig/iptables
will be overwritten by create-rule-file.sh.
If there aren't any files there, you can obviously confirm this by looking at the script. I wish tools like this had a more explicit comment at the top…
# Don't edit this file directly, instead edit the files under X and run Y
I guess that is what
#GENERATED BY Modular IPTABLES Config
is hinting at, but it could be clearer.
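Besides the regeneration problem the answer identifies, the generated file above has a second trap: its INPUT chain ends with a catch-all "-A INPUT -j DROP", so a rule added with "iptables -A INPUT ..." (as in the progress update) lands after that DROP and never matches, while the "-I INPUT 9" form from the question inserts before it. The following added example (not from the question, the answer or the c4eb tooling) walks the INPUT chain of an iptables-save style file first-match style for a NEW TCP packet to a given port; it assumes the packet arrives on a hypothetical eth0 and models only the -i, -p, -d, --dport, --state/--ctstate and -j options, so it is a checking aid, not a replacement for iptables.

```shell
# Added example: first-match walk of the INPUT chain in an iptables-save style
# file for a NEW TCP packet to a port. Simplified model of iptables: only -i,
# -p, -d, --dport, --state/--ctstate and -j are honoured, the packet is assumed
# to arrive on eth0, and -I lines are applied in file order like iptables-restore.
input_verdict() {  # usage: input_verdict <ruleset-file> <tcp-port>
  awk -v port="$2" '
    /^:INPUT / { policy = $2 }                       # chain policy
    $1 == "-A" && $2 == "INPUT" { rule[++n] = $0 }   # append at the end
    $1 == "-I" && $2 == "INPUT" {                    # insert (bare -I = pos 1)
      pos = ($3 ~ /^[0-9]+$/) ? $3 : 1
      for (i = n; i >= pos; i--) rule[i + 1] = rule[i]
      rule[pos] = $0; n++
    }
    END {
      for (i = 1; i <= n; i++) {
        nf = split(rule[i], f, " "); iface = proto = dst = dport = st = tgt = ""
        for (k = 1; k <= nf; k++) {
          if (f[k] == "-i") iface = f[k + 1]; if (f[k] == "-p") proto = f[k + 1]
          if (f[k] == "-d") dst = f[k + 1];   if (f[k] == "--dport") dport = f[k + 1]
          if (f[k] == "--state" || f[k] == "--ctstate") st = f[k + 1]
          if (f[k] == "-j") tgt = f[k + 1]
        }
        if (iface != "" && iface != "eth0") continue  # lo/virbr* rules: no match
        if (proto != "" && proto != "tcp") continue
        if (dst != "") continue                        # guest-bridge host rules
        if (st != "" && st !~ /NEW/) continue          # our packet is state NEW
        if (dport != "") {
          split(dport, r, ":"); lo = r[1]; hi = (2 in r) ? r[2] : r[1]
          if (port + 0 < lo + 0 || port + 0 > hi + 0) continue
        }
        if (tgt == "ACCEPT" || tgt == "DROP" || tgt == "REJECT") { print tgt; exit }
      }                                                # LOG is non-terminating
      print "policy:" policy                           # fell off the chain
    }' "$1"
}
# Constructed sample modelled on the generated file in the question: a catch-all
# "-A INPUT -j DROP" ends the chain; the caller supplies the port-2222 line after it.
write_sample() {  # usage: write_sample <file> <rule-line>
  cat >"$1" <<EOF
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -j DROP
$2
COMMIT
EOF
}
```

Running input_verdict against the real /etc/sysconfig/iptables (or the output of iptables-save) for port 2222 shows whether a rule would ever be reached, independently of whether the file survives the next restart.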