Ubuntu

How do I set up IPTables to allow TCP port 599?

  • November 9, 2017

I am new to IPTables and I believe I am overlooking something obvious.

Here is my setup:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
          all  --  anywhere             anywhere             state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  ip-10-10-10-0.ap-south-1.compute.internal/24  anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             ip-10-10-10-0.ap-south-1.compute.internal/24  policy match dir out pol ipsec proto esp
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Then I tried to open port 599:

sudo iptables -A INPUT -p tcp --dport 599 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 599 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Unfortunately, my existing IPTables still block it and I don't understand why. The AWS health check still cannot perform a TCP ping on port 599. Any clue what I'm missing?

Latest update:

sudo iptables -vnL --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    11582  695K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
2     309K   19M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3     6546  386K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
4    11329 7186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5       24  1440 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
6      246 13224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
7        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8       50  2227 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
9        2   400 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
10       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
11    6275  371K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0            policy match dir in pol ipsec proto 50
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.10.10.0/24        policy match dir out pol ipsec proto 50
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18608 packets, 2153K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Well, iptables -A INPUT appends a rule at the end. Your current last rule is:

DROP all -- anywhere anywhere

So it is added at the end, after the drop rule, and is never reached. You will need to list the rules with line numbers:

iptables -nL --line-numbers

and then use iptables -I INPUT 5 ... (or whatever line number) to add it at a specific position.

If all traffic for port 599 should be allowed to return (using NEW,ESTABLISHED), then you don't need the OUTPUT rule.

If this is running on an ec2 instance, you need to make sure the security group also allows 599 in. Though with aws security groups, iptables on an individual instance may not be entirely necessary...

Quoted from: https://serverfault.com/questions/882115
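As an added example (not part of the question or the answer above), a small shell helper that reads an `iptables -vnL --line-numbers` listing and works out whether a port is already accepted and, if not, at which position the new ACCEPT must be inserted so it sits ahead of the chain's catch-all DROP. The listing embedded in it is a constructed copy of the INPUT chain from the update, and the function names (`catchall_drop_pos`, `accept_pos`, `suggest_rule`) are my own.

```shell
# Added example, not from the question or the answer. Reads `iptables -vnL
# --line-numbers` output and works out where a new ACCEPT has to go so it lands
# ahead of the chain's catch-all DROP instead of being appended behind it.
# LISTING is a constructed copy of the INPUT chain shown in the update above.
LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    11582  695K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
2     309K   19M DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3     6546  386K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
4    11329 7186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5       24  1440 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:599 ctstate NEW,ESTABLISHED
6      246 13224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
7        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8       50  2227 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
9        2   400 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
10       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
11    6275  371K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# catchall_drop_pos CHAIN: number of the first "DROP all" rule in CHAIN with no
# interface, address or match restriction; reads the listing on stdin and
# prints nothing when the chain has no catch-all.
catchall_drop_pos() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && NF == 10 && $4 == "DROP" && $5 == "all" && $7 == "*" &&
            $8 == "*" && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" { print $1; exit }'
}

# accept_pos CHAIN PORT: number of the first ACCEPT for tcp dpt:PORT in CHAIN.
accept_pos() {
    awk -v chain="$1" -v port="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $4 == "ACCEPT" && $5 == "tcp" &&
            $0 ~ (" dpt:" port "( |$)") { print $1; exit }'
}

# suggest_rule CHAIN PORT: the command that opens tcp/PORT, using -I at the
# catch-all's position when there is one, and -A only when there is none.
suggest_rule() {
    listing=$(cat)
    have=$(printf '%s\n' "$listing" | accept_pos "$1" "$2")
    if [ -n "$have" ]; then
        printf '%s already accepts tcp/%s at rule %s\n' "$1" "$2" "$have"; return 0
    fi
    pos=$(printf '%s\n' "$listing" | catchall_drop_pos "$1")
    if [ -n "$pos" ]; then act="-I $1 $pos"; else act="-A $1"; fi
    printf 'iptables %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$act" "$2"
}
printf '%s\n' "$LISTING" | suggest_rule INPUT 8080
```

On a live host, replace the embedded LISTING with `sudo iptables -vnL --line-numbers` piped into `suggest_rule`, and re-list afterwards to confirm the packet counter on the inserted rule starts climbing.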