Ubuntu
How do I set up IPTables to allow TCP port 599?
I am new to IPTables and I believe I am overlooking something obvious.
Here is my setup:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  ip-10-10-10-0.ap-south-1.compute.internal/24  anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             ip-10-10-10-0.ap-south-1.compute.internal/24  policy match dir out pol ipsec proto esp
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Then I tried to open port 599:
sudo iptables -A INPUT -p tcp --dport 599 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 599 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Unfortunately my existing IPTables still block it, and I do not understand why. The AWS health check still cannot do a TCP ping on port 599. Any clue what I am missing?
Latest update:
sudo iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    11582  695K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
2     309K   19M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3     6546  386K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
4    11329 7186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5       24  1440 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
6      246 13224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
7        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8       50  2227 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
9        2   400 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
10       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
11    6275  371K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0            policy match dir in pol ipsec proto 50
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.10.10.0/24        policy match dir out pol ipsec proto 50
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18608 packets, 2153K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Well, iptables -A INPUT appends a rule at the end. Your current last rule is:
DROP all -- anywhere anywhere
So it was added at the end, after the drop rule, and is never reached. You will need to list the rules with line numbers:
iptables -nL --line-numbers
and then use
iptables -I INPUT 5 ...
(or whatever line number) to add it at a specific position. If all traffic for port 599 should be allowed to return (using NEW,ESTABLISHED), then you do not need the OUTPUT rule.
If this is running on an EC2 instance, you need to make sure the security group also allows 599 in. Though with AWS security groups, iptables on the individual instance may not be entirely necessary...
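As an added example (not part of the question or the answer above), a small POSIX sh/awk helper that reads the output of `iptables -nL --line-numbers` and computes the position for `iptables -I`, so that a new ACCEPT lands before the chain's final catch-all DROP instead of after it as `-A` would. It assumes the catch-all DROP is a `DROP all 0.0.0.0/0 0.0.0.0/0` row with no extra match columns; the listing is copied from the question.

```shell
# Hypothetical helper (not from the question or the answer): given the text of
# `iptables -nL --line-numbers` (with or without -v) on stdin, print the rule
# number of CHAIN's final catch-all DROP, so a new rule can be inserted ahead
# of it with `iptables -I CHAIN N ...`. Prints nothing if there is none.
catchall_drop_pos() {
  awk -v chain="$1" '
    $1 == "Chain" { in_chain = ($2 == chain); next }
    !in_chain     { next }
    $1 == "num"   { for (i = 1; i <= NF; i++) col[$i] = i; hdr_nf = NF; next }
    # a catch-all DROP has exactly the header columns: no extra match text
    hdr_nf && NF == hdr_nf && $(col["target"]) == "DROP" && $(col["prot"]) == "all" \
      && $(col["source"]) == "0.0.0.0/0" && $(col["destination"]) == "0.0.0.0/0" { pos = $1 }
    END { if (pos) print pos }'
}

# Print the iptables command that places RULE before the catch-all DROP of
# CHAIN, or appends it when the chain has no such rule.
insert_cmd() {
  pos=$(catchall_drop_pos "$1")
  if [ -n "$pos" ]; then echo "iptables -I $1 $pos $2"; else echo "iptables -A $1 $2"; fi
}

# Listing copied from the question's `iptables -vnL --line-numbers` output.
LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    11582  695K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
2     309K   19M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3     6546  386K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
4    11329 7186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5       24  1440 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
6      246 13224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
7        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8       50  2227 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
9        2   400 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
10       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
11    6275  371K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0            policy match dir in pol ipsec proto 50
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.10.10.0/24        policy match dir out pol ipsec proto 50
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18608 packets, 2153K bytes)
num   pkts bytes target     prot opt in     out     source               destination'

printf '%s\n' "$LISTING" | insert_cmd INPUT '-p tcp --dport 599 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT'
```

On a live host, replace the embedded listing with `sudo iptables -nL --line-numbers | insert_cmd INPUT '...'` and run the printed command with sudo; the number 11 here is why the rule appended as 12 in the question was never reached.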