
# [linux] 13. Allowing a specific port through the firewall

I ran into a problem today: a Linux server could be pinged from Windows, but telnet to port 4000 did not connect, while `lsof -i:4000` on the Linux box showed the port in LISTEN state with nothing wrong. My guess was that the firewall was the cause, so I took the opportunity to get a basic understanding of the Linux firewall and its commands.

## 1. Iptables

On Debian/Ubuntu the built-in firewall is usually iptables.

How do you check the system type?

```
# uname -a
Linux g37-dev-acfd361f 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux
```

#### 1.1 Iptables definition

iptables (from Wikipedia) is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules.

#### 1.2 Installing iptables

Debian/Ubuntu systems usually ship with it; first check the installed version:

```
liuwen03@g37-dev-acfd361f:~$ dpkg -l iptables
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-======================-================-================-=================================================
ii iptables 1.4.21-2+b1 amd64 administration tools for packet filtering and NAT
```

If it is not installed, install it with:

```
apt-get update
apt-get install iptables
```

#### 1.4 iptables -h

`-h` prints the help text:
```
# iptables -h
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w wait for the xtables lock
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
```

#### 1.5 Iptables firewall rules

`--list` or `-L` shows the current firewall rules:

```
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- localhost.i.nease.net anywhere
ACCEPT all -- onlinegame.i.nease.net anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:32200
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
```

As shown above, there are several chains:

- INPUT holds the rules for traffic entering this server.
- FORWARD holds the rules for traffic forwarded to IPs behind this server (e.g. when this server acts as the firewall for other servers).
- OUTPUT holds the rules for traffic leaving this server for the Internet.

For chain INPUT, the target column takes one of three values:

- ACCEPT: Traffic is accepted for delivery.
- REJECT: Traffic is rejected, sending a packet back to the sending host.
- DROP: The traffic is dropped. Nothing is sent back to the sending host.

Looking at chain INPUT, apart from the few ACCEPT rules, all remaining traffic falls through to the final DROP rule, which blocks every other port.

#### 1.6 Setting iptables firewall rules

The common options for setting rules are:

- -A: 'append' this rule to the end of the INPUT chain
- -I: 'insert' this rule at the top of the INPUT chain
- -s: Source Address. This rule only pertains to traffic coming FROM this IP. Substitute with the IP address you are SSHing from.
- -d: Destination Address. This rule only pertains to traffic going TO this IP. Substitute with the IP of this server.
- -p: Protocol. Specifying traffic which is TCP.
- --dport: Destination Port. Specifying traffic which is for TCP port 22 (SSH)
- -j: Jump. If everything in this rule matches then 'jump' to ACCEPT
- -D: Delete matching rule from chain

As shown in 1.5, the server has a rule allowing TCP port 32200, which is the SSH port, but the port 4000 I need is not in INPUT. The new rule has to be inserted at the top with -I: the chain ends with a DROP-all rule, so a rule appended with -A would sit after it and never be reached.

```
iptables -I INPUT -p tcp --dport 4000 -j ACCEPT

# the matching delete command
iptables -D INPUT -p tcp --dport 4000 -j ACCEPT
```
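To make the -I versus -A point concrete, here is a small Python simulation of first-match evaluation over the INPUT chain listed in 1.5. It is added here and is not code from the original post; the source address 192.0.2.10 and the packet fields are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Rule:
    """One rule of an iptables chain, with only the match fields seen in the listing above."""
    target: str                      # ACCEPT, DROP or REJECT
    proto: str = "all"               # 'all', 'tcp', 'udp' or 'icmp'  (-p)
    src: str = "anywhere"            # source host or 'anywhere'      (-s)
    dport: Optional[int] = None      # destination port, None = any   (--dport)
    state: Set[str] = field(default_factory=set)  # conntrack states, empty = any

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "all" or self.proto == pkt["proto"])
                and (self.src == "anywhere" or self.src == pkt["src"])
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (not self.state or pkt["state"] in self.state))

def evaluate(chain: List[Rule], pkt: dict, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule decides; the chain policy applies otherwise."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def input_chain() -> List[Rule]:
    """The INPUT chain exactly as listed in 1.5."""
    return [
        Rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
        Rule("ACCEPT", src="localhost.i.nease.net"),
        Rule("ACCEPT", src="onlinegame.i.nease.net"),
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", proto="tcp", dport=32200),
        Rule("DROP"),                            # catch-all: everything else is dropped
    ]

# Constructed sample packet: a new TCP connection from the Windows host to port 4000.
TELNET_4000 = {"proto": "tcp", "src": "192.0.2.10", "dport": 4000, "state": "NEW"}
PORT_4000 = Rule("ACCEPT", proto="tcp", dport=4000)   # -p tcp --dport 4000 -j ACCEPT

def verdict_with_append() -> str:
    chain = input_chain()
    chain.append(PORT_4000)        # -A INPUT: lands after the DROP rule -> "DROP"
    return evaluate(chain, TELNET_4000)

def verdict_with_insert() -> str:
    chain = input_chain()
    chain.insert(0, PORT_4000)     # -I INPUT: becomes rule number 1 -> "ACCEPT"
    return evaluate(chain, TELNET_4000)
```

The same model reproduces the symptom from the introduction: an ICMP echo request is accepted by the fourth rule, while the new connection to port 4000 reaches the DROP rule.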
For my Windows machine I want the Linux server not to block it at all. How is that done? The following command opens all ports to the IP xxx.xxx.xxx.xxx:
```
iptables -I INPUT -s xxx.xxx.xxx.xxx -p all -j ACCEPT

# the matching delete command
iptables -D INPUT -s xxx.xxx.xxx.xxx -p all -j ACCEPT
```
## 2. CentOS

The firewall that ships with CentOS is firewalld, managed with `firewall-cmd`.

#### Allowing a specific port

To allow port 8888:

```
firewall-cmd --zone=public --add-port=8888/tcp --permanent
```
What the options mean:

```
--zone                      # the zone the rule applies to
--add-port=80/tcp           # add a port, in the form port/protocol
--permanent                 # persist across reboots; without it the rule is lost on restart
```
Then reload the firewall:

```
firewall-cmd --reload
```

## 3. Reference

1. Basic Iptables - Debian/RedHat