Ran into a problem today: a Linux server answers ping from a Windows machine, but telnet to port 4000 does not connect, even though running lsof -i:4000 on the Linux box shows the port in LISTEN state with nothing unusual. My guess is that this is a firewall issue, so I am taking the opportunity to go over the basics of Linux firewalls and their commands.
1. Iptables
The firewall that ships with Debian/Ubuntu systems is usually iptables.
How do you check which system you are on?

```
# uname -a
Linux g37-dev-acfd361f 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux
```
1.2 Installing Iptables
Debian/Ubuntu systems generally ship with it already; first check the installed version:

```
liuwen03@g37-dev-acfd361f:~$ dpkg -l iptables
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version          Architecture     Description
+++-======================-================-================-=================================================
ii  iptables               1.4.21-2+b1      amd64            administration tools for packet filtering and NAT
```
If it is not installed, install it with:

```
apt-get update
apt-get install iptables
```

iptables -h lists the available commands and options:

```
# iptables -h
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                                jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --wait        -w              wait for the xtables lock
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
```
1.5 Iptables firewall rules
--list or -L shows the current firewall rules:

```
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source                 destination
ACCEPT     all  --  anywhere               anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  localhost.i.nease.net  anywhere
ACCEPT     all  --  onlinegame.i.nease.net anywhere
ACCEPT     icmp --  anywhere               anywhere
ACCEPT     tcp  --  anywhere               anywhere             tcp dpt:32200
DROP       all  --  anywhere               anywhere

Chain FORWARD (policy DROP)
target     prot opt source                 destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere  anywhere
ACCEPT     all  --  anywhere               anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere               anywhere
ACCEPT     all  --  anywhere               anywhere
ACCEPT     all  --  anywhere               anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source                 destination

Chain DOCKER (1 references)
target     prot opt source                 destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source                 destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere  anywhere
RETURN     all  --  anywhere               anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source                 destination
DROP       all  --  anywhere               anywhere
RETURN     all  --  anywhere               anywhere

Chain DOCKER-USER (1 references)
target     prot opt source                 destination
RETURN     all  --  anywhere               anywhere
```
As shown above, the rules are grouped into several chains:
- INPUT holds the rules for traffic coming into this server.
- FORWARD holds the rules for traffic that is forwarded on to IPs behind this server (for example, when this server acts as a firewall for other servers).
- OUTPUT holds the rules for traffic going from this server out to the Internet.
For the INPUT chain, the target column takes one of three values:
- ACCEPT: Traffic is accepted for delivery.
- REJECT: Traffic is rejected, sending a packet back to the sending host.
- DROP: The traffic is dropped. Nothing is sent back to the sending host.
Looking at the INPUT chain, apart from the few rules whose target is ACCEPT, everything else falls through to the final DROP rule, which blocks all remaining inbound traffic.
1.6 Setting Iptables firewall rules
The options commonly used when setting rules are:
- -A: 'append' this rule to the end of the INPUT Chain
- -I: 'insert' this rule to the top of the INPUT Chain
- -s: Source Address. This rule only pertains to traffic coming FROM this IP. Substitute with the IP address you are SSHing from.
- -d: Destination Address. This rule only pertains to traffic going TO this IP. Substitute with the IP of this server.
- -p: Protocol. Specifying traffic which is TCP.
- --dport: Destination Port. Specifying traffic which is for TCP Port 22 (SSH)
- -j: Jump. If everything in this rule matches then 'jump' to ACCEPT
- -D: Delete matching rule from chain
As shown in 1.5, the server accepts TCP port 32200, which is the SSH port, but the port 4000 I need is not in INPUT. Because rules are evaluated in order and the last INPUT rule is DROP all, the new rule has to be inserted at the head of the chain with -I (a rule appended with -A would sit after the DROP and never be reached):

```
iptables -I INPUT -p tcp --dport 4000 -j ACCEPT
# the corresponding delete command
iptables -D INPUT -p tcp --dport 4000 -j ACCEPT
```

To allow all traffic from one source address instead:

```
iptables -I INPUT -s xxx.xxx.xxx.xxx -p all -j ACCEPT
# the corresponding delete command
iptables -D INPUT -s xxx.xxx.xxx.xxx -p all -j ACCEPT
```
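To make the first-match behaviour behind sections 1.5 and 1.6 concrete, here is an added Python example (not code from the original post) that parses the INPUT chain listing shown above and replays a new TCP connection through it, including why the port-4000 rule must go in with -I rather than -A. The function names parse_chain, verdict and with_rule are my own; the state matching is a simplified model of conntrack that is enough for this listing.

```python
import re

# Sample input copied from the post's own `iptables --list` output (section 1.5).
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source                 destination
ACCEPT     all  --  anywhere               anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  localhost.i.nease.net  anywhere
ACCEPT     all  --  onlinegame.i.nease.net anywhere
ACCEPT     icmp --  anywhere               anywhere
ACCEPT     tcp  --  anywhere               anywhere             tcp dpt:32200
DROP       all  --  anywhere               anywhere
"""

def parse_chain(text):
    """Parse one chain of `iptables -L` output into (policy, rules); each rule keeps
    target, proto, source, dport (int or None) and the conntrack states it requires."""
    lines = text.strip().splitlines()
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the chain header and the column header
        target, proto, _opt, source = line.split()[:4]
        dport = re.search(r"dpt:(\d+)", line)
        states = re.search(r"(?:ct)?state (\S+)", line)
        rules.append({"target": target, "proto": proto, "source": source,
                      "dport": int(dport.group(1)) if dport else None,
                      "states": set(states.group(1).split(",")) if states else set()})
    return policy, rules

def verdict(chain_text, proto, dport, source="anywhere"):
    """Walk the chain the way netfilter does: the first matching rule decides and the
    chain policy applies only when nothing matches. The packet is the first SYN of a
    new connection (what telnet sends), so its conntrack state is NEW."""
    policy, rules = parse_chain(chain_text)
    for r in rules:
        if (r["proto"] in ("all", proto) and r["source"] in ("anywhere", source)
                and r["dport"] in (None, dport)
                and (not r["states"] or "NEW" in r["states"])):
            return r["target"]
    return policy

def with_rule(chain_text, rule_line, insert_at_top):
    """Simulate `iptables -I INPUT ...` (insert_at_top=True) or `-A INPUT ...`
    (insert_at_top=False) by editing the listing text."""
    lines = chain_text.strip().splitlines()
    lines.insert(2 if insert_at_top else len(lines), rule_line)
    return "\n".join(lines) + "\n"

# The section 1.6 rule for port 4000, written as `iptables -L` would print it.
PORT_4000_RULE = "ACCEPT     tcp  --  anywhere               anywhere             tcp dpt:4000"
```

On the real server the same check is simply reading iptables -L INPUT -n --line-numbers from the top and stopping at the first rule that matches the packet.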
The equivalent with firewall-cmd (the firewalld front end) is:

```
firewall-cmd --zone=public --add-port=8888/tcp --permanent
```

```
--zone             # the zone the rule applies to
--add-port=80/tcp  # add a port, in the form port/protocol
--permanent        # persist across reboots; without it the rule is lost after a restart
```

```
firewall-cmd --reload
```