Shan

A beginner's iptables pitfall

2018/07/15

Problem

  A while ago, while learning iptables, I enabled the firewall and then found that requests to the web service were refused. But when I listed the current rules with "iptables -nL", the third rule looked like it allowed the access. The output was as follows:

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

Solution

  As soon as I noticed the problem I went looking for information. After a long search, everything I found was iptables syntax references and tutorials.
  Only later did I learn that the "-nL" options of iptables do not print the full details of a rule: "-n" merely skips name resolution, and a plain "-L" omits the input/output interface columns. So we need to read all the rules in the iptables configuration file, or add the "-v" option to get the verbose listing.

# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Or:

# iptables -vL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  565 52609 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    1    48 ACCEPT     icmp --  any    any     anywhere             anywhere           
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere           
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
  163 50464 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 391 packets, 171K bytes)
 pkts bytes target     prot opt in     out     source               destination         

  Looking at the rules either of these ways, it turns out the third rule restricts the interface with the "-i" option: it applies only to lo, the loopback interface, so it will never match a request arriving on the eth0 NIC. No wonder the web service could not be reached.
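To make the first-match behaviour concrete, here is an added example (not code from the original post): a small Python walk over the INPUT rules from the configuration file above, checking a constructed NEW TCP packet to port 80 arriving on eth0 against the same packet arriving on lo. The packet dicts and the simplified matching are my own assumptions, covering only the state, protocol, interface and dport matches this ruleset uses.

```python
# Added example (not from the original post): a minimal first-match walk over
# the INPUT chain of /etc/sysconfig/iptables, showing why a NEW TCP packet to
# port 80 that arrives on eth0 falls through to the final REJECT.
import re

# Constructed copy of the INPUT rules from the post's configuration file.
RULES = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rules(text):
    """Turn each '-A INPUT ...' line into a dict of match conditions plus target."""
    rules = []
    for line in text.strip().splitlines():
        r = {"target": re.search(r"\s-j (\S+)", line).group(1)}
        if m := re.search(r"\s--state (\S+)", line):
            r["state"] = set(m.group(1).split(","))
        if m := re.search(r"\s-p (\S+)", line):
            r["proto"] = m.group(1)
        if m := re.search(r"\s-i (\S+)", line):
            r["in_iface"] = m.group(1)   # the match that a plain -nL does not show
        if m := re.search(r"\s--dport (\d+)", line):
            r["dport"] = int(m.group(1))
        rules.append(r)
    return rules

def matches(rule, pkt):
    """Every match present in the rule must hold; absent matches are wildcards."""
    return all([
        "state" not in rule or pkt["state"] in rule["state"],
        "proto" not in rule or pkt["proto"] == rule["proto"],
        "in_iface" not in rule or pkt["in_iface"] == rule["in_iface"],
        "dport" not in rule or pkt.get("dport") == rule["dport"],
    ])

def verdict(rules, pkt, policy="ACCEPT"):
    """The first matching rule decides; otherwise the chain policy applies."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return i, rule["target"]
    return None, policy

RULESET = parse_rules(RULES)
# Constructed packets: an HTTP request from the network arrives on eth0, while
# the same request made locally (curl 127.0.0.1) arrives on lo.
web_from_eth0 = {"in_iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}
web_from_lo = {"in_iface": "lo", "proto": "tcp", "dport": 80, "state": "NEW"}
ssh_from_eth0 = {"in_iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    for name, pkt in [("web via eth0", web_from_eth0), ("web via lo", web_from_lo),
                      ("ssh via eth0", ssh_from_eth0)]:
        print(name, "->", verdict(RULESET, pkt))
```

On a live host, "iptables -S INPUT" prints the rules in this same "-A" form, so the parser can be fed real output instead of the embedded copy.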

Last modification:August 16th, 2018 at 08:28 am
