V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Distributions
Ubuntu
Fedora
CentOS
中文资源站
网易开源镜像站
naohion
V2EX  ›  Linux

如何解决 Linux 防火墙完全失效的问题?

  •  
  •   naohion · 2020-08-11 02:44:57 +08:00 · 1984 次点击
    这是一个创建于 1567 天前的主题,其中的信息可能已经有所发展或是发生改变。

    CentOS 7 的服务器,之前配置 IPv6 一直无法使用,没去管,今天随手扫了一下开放端口发现 firewalld 规则里没有开放的端口全部被开放了。确定 zone 设置正确,firewalld 和 iptables 都在正常工作,规则都已正常保存。然后我加了一条 iptables 拒绝规则,然而还是可以访问。firewalld 打开 panic 模式照样能 ssh 连接服务器。不知道这和 IPv6 无效是否有关,请问有大佬知道吗?研究了一天还没解决。

    第 1 条附言  ·  2020-08-11 17:26:58 +08:00
    已经解决了,是 docker 的问题,会添加 chain 绕过 iptables 。网络上的方案全试过一遍,只有启动容器时指定 -p 127.0.0.1:x:x 的有效。这里提供一个自己研究出来的一键更新 0.0.0.0 -> 127.0.0.1 的命令有需要的可以拿去用。
    systemctl stop docker;
    cd /var/lib/docker;
    find -name '*.json' | xargs perl -pi -e 's|"HostIp":""|"HostIp":"127.0.0.1"|g'; (这条很重要)
    find -name '*.json' | xargs perl -pi -e 's|0.0.0.0|127.0.0.1|g';
    systemctl start docker
    zwl2012
        1
    zwl2012  
       2020-08-11 08:51:10 +08:00 via iPhone
    docker
    snoopygao
        2
    snoopygao  
       2020-08-11 08:58:08 +08:00
    贴出来 list-all-zone 看看
    naohion
        3
    naohion  
    OP
       2020-08-11 10:04:01 +08:00
    @zwl2012 一直在用 docker 但一些容器的端口不希望外网访问

    @snoopygao $ sudo firewall-cmd --list-all-zone
    [sudo] password for user:
    block
    target: %%REJECT%%
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    dmz
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    drop
    target: DROP
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    external
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh
    ports:
    protocols:
    masquerade: yes
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    home
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client mdns samba-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    internal
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client mdns samba-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth0
    sources:
    services: dhcpv6-client ssh
    ports: 443/tcp 22/tcp 80/tcp
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    trusted
    target: ACCEPT
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:


    work
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3248 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 12:55 · PVG 20:55 · LAX 04:55 · JFK 07:55
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.