首页 注册 登录
V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
kestrelBright
V2EX  ›  程序员

求助 iptables 开放端口无效

  •   
  •   kestrelBright · 2023-01-03 17:05:45 +08:00 · 1344 次点击
    这是一个创建于 681 天前的主题,其中的信息可能已经有所发展或是发生改变。

    系统是 centos7 ,firewall 关闭了的

    [root@localhost init.d]# systemctl status firewalld.service
● firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead) since 四 2022-10-27 15:08:38 CST; 2 months 7 days ago
 Main PID: 7533 (code=exited, status=0/SUCCESS)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

    有一个 iptables 可以使用,但并不是 service

    [root@localhost init.d]# service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.


[root@localhost init.d]# iptables -nvL
Chain INPUT (policy ACCEPT 382K packets, 216M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3307
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1881

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 206K packets, 190M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.3           tcp dpt:6379
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.4           tcp dpt:9000

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    诡异的是扫描端口,发现 1881 和 3307 没有通,1880 通了的 如果 yum 重新安装 iptables.service ,配置开通 3307 和 1881 后再扫描端口,发现 1880 和 1881 、3307 的 tcp 全部是关闭状态 求大佬解惑

  • docker0
  • TCP
  • Accept
  • bytes
    11 条回复    2023-01-05 10:50:56 +08:00
    xuanbg
        1
    xuanbg  
       2023-01-03 17:09:35 +08:00
    firewalld.service 关掉了吗?
    kestrelBright
        2
    kestrelBright  
    OP
       2023-01-03 17:11:46 +08:00
    @xuanbg 关了的
    AS4694lAS4808
        3
    AS4694lAS4808  
       2023-01-03 18:20:14 +08:00
    确定端口没绑定到回环上吧?
    gesse
        4
    gesse  
       2023-01-03 18:27:18 +08:00
    贴出
    iptables-save
    看看
    old9
        5
    old9  
       2023-01-03 18:53:44 +08:00 via Android
    还有贴下 ss -ant
    chunrix
        6
    chunrix  
       2023-01-03 19:01:12 +08:00
    用诸如以下的命令,将你想要的规则插入到最前面
    iptables -I INPUT 1 -p tcp --sport 80 -j ACCEPT
    如果依旧不生效,就是没保存吧
    iptables-save > /etc/sysconfig/iptables
    YaakovZiv
        7
    YaakovZiv  
       2023-01-03 19:22:09 +08:00
    云主机吗,有宝塔软件吗。
    oneisall8955
        8
    oneisall8955  
       2023-01-03 19:28:46 +08:00 via Android
    是不是云主机,安全策略组开了吗
    kestrelBright
        9
    kestrelBright  
    OP
       2023-01-05 09:39:54 +08:00
    @AS4694lAS4808 请教回环是什么意思? loopback 么?

    @gesse
    ```
    [root@localhost ~]# iptables-save
    # Generated by iptables-save v1.4.21 on Thu Jan 5 09:33:51 2023
    *nat
    :PREROUTING ACCEPT [312443:27129720]
    :INPUT ACCEPT [312443:27129720]
    :OUTPUT ACCEPT [383787:24152445]
    :POSTROUTING ACCEPT [383789:24152565]
    :DOCKER - [0:0]
    -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
    -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
    -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
    -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
    -A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
    -A DOCKER -i docker0 -j RETURN
    -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
    -A DOCKER ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
    -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.17.0.4:9000
    COMMIT
    # Completed on Thu Jan 5 09:33:51 2023
    # Generated by iptables-save v1.4.21 on Thu Jan 5 09:33:51 2023
    *filter
    :INPUT ACCEPT [14664149:7555216414]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [8199559:6986569057]
    :DOCKER - [0:0]
    :DOCKER-ISOLATION-STAGE-1 - [0:0]
    :DOCKER-ISOLATION-STAGE-2 - [0:0]
    :DOCKER-USER - [0:0]
    -A INPUT -p tcp -m tcp --dport 3307 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 1881 -j ACCEPT
    -A FORWARD -j DOCKER-USER
    -A FORWARD -j DOCKER-ISOLATION-STAGE-1
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -o docker0 -j DOCKER
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT
    -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
    -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
    -A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
    -A DOCKER-ISOLATION-STAGE-1 -j RETURN
    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
    -A DOCKER-ISOLATION-STAGE-2 -j RETURN
    -A DOCKER-USER -j RETURN
    COMMIT
    ```


    @old9
    ```
    [root@localhost ~]# ss -nat
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    LISTEN 0 128 *:18090 *:*
    LISTEN 0 128 *:3307 *:*
    LISTEN 0 128 *:3308 *:*
    LISTEN 0 128 *:3309 *:*
    LISTEN 0 128 *:21453 *:*
    LISTEN 0 128 *:21454 *:*
    LISTEN 0 128 *:111 *:*
    LISTEN 0 128 *:80 *:*
    LISTEN 0 128 *:6000 *:*
    LISTEN 0 5 192.168.122.1:53 *:*
    LISTEN 0 128 *:22 *:*
    LISTEN 0 128 *:24631 *:*
    LISTEN 0 128 127.0.0.1:631 *:*
    LISTEN 0 128 *:24632 *:*
    LISTEN 0 128 *:1880 *:*
    LISTEN 0 128 *:1881 *:*
    LISTEN 0 128 *:801 *:*
    LISTEN 0 128 *:10050 *:*
    TIME-WAIT 0 0 1.1.5.19:35706 4.1.8.8:1880
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58260
    ESTAB 0 0 1.1.5.19:80 1.2.5.2:50305
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58640
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58526
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58508
    TIME-WAIT 0 0 1.1.5.19:36360 4.1.8.8:1880
    ESTAB 0 0 1.1.5.19:80 1.2.5.2:50308
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58368
    ESTAB 0 0 1.1.5.19:80 1.2.5.2:50309
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58288
    ESTAB 0 0 1.1.5.19:22 10.10.4.139:53924
    TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50335
    TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50340
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58272
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58656
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58320
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58452
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58304
    ESTAB 0 0 1.1.5.19:80 1.2.5.2:50307
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58462
    TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50341
    ESTAB 0 0 1.1.5.19:33678 4.1.8.8:1723
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58432
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58482
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58384
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58606
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58470
    TIME-WAIT 0 0 1.1.5.19:36356 4.1.8.8:1880
    ESTAB 0 0 1.1.5.19:80 1.2.5.2:50306
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58410
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58676
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58536
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58440
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58338
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58422
    TIME-WAIT 0 0 1.1.5.19:36358 4.1.8.8:1880
    ESTAB 0 0 1.1.5.19:80 8.1.1.2:58354
    LISTEN 0 128 :::9000 :::*
    LISTEN 0 128 :::9001 :::*
    LISTEN 0 128 :::6379 :::*
    LISTEN 0 128 :::111 :::*
    LISTEN 0 128 :::6000 :::*
    LISTEN 0 128 :::22 :::*
    LISTEN 0 128 ::1:631 :::*
    ```
    @chunrix 保存了的
    -rw-r--r-- 1 root root 2171 1 月 3 16:57 iptables


    @YaakovZiv 非云主机,idc 机房的,没有宝塔

    @oneisall8955 非云主机
    gesse
        10
    gesse  
       2023-01-05 10:04:18 +08:00
    *filter
    :INPUT ACCEPT [14664149:7555216414]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [8199559:6986569057]

    你这个默认规则就是 accept ,没有特意 DROP/REJECT 端口都不会阻拦的,而且和 docker 端口也不冲突。找找其他原因。
    kestrelBright
        11
    kestrelBright  
    OP
       2023-01-05 10:50:56 +08:00
    @gesse 好的 谢谢大佬
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3405 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 25ms · UTC 04:51 · PVG 12:51 · LAX 20:51 · JFK 23:51
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.