I'm having a problem with iptables on a CentOS 5.6 machine. It used to work fine, and I can't say exactly when this started happening, because I only noticed it when I went to allow a new IP on a port.
Basically, when I try to stop, start or restart, I get the following:
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: security raw nat mangle filter [Failed]
    Unloading iptables modules: [ OK ]
For some reason, no matter what I do, I can't reconfigure the rules. I've tried completely uninstalling iptables (via yum), but even after a reboot it still only allows connections to the ports that were open before the problem started and filters everything else.
I'm really at my wits' end; iptables status shows completely empty chains, but still no joy on external connections.
Any ideas would be greatly appreciated. If you'd like me to provide more information, please let me know.
Thanks in advance,
Sam.
Edit: contents of /etc/sysconfig/iptables (essentially empty, since iptables was removed and reinstalled).
    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
Edit 2:
If I run /etc/init.d/iptables stop I get:
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: security raw nat mangle filter [Failed]
    Unloading iptables modules: [ OK ]
and empty rules:
    $ iptables -L -n -v
    Chain INPUT (policy ACCEPT 81 packets, 6575 bytes)
     pkts bytes target prot opt in out source destination
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target prot opt in out source destination
    Chain OUTPUT (policy ACCEPT 72 packets, 4133 bytes)
     pkts bytes target prot opt in out source destination
But it still blocks and filters ports.
Likewise, the result of start is:
    /etc/init.d/iptables start
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: security raw nat mangle filter [Failed]
    Unloading iptables modules: [ OK ]
    Applying iptables firewall rules: [ OK ]
    iptables -L -n -v
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target prot opt in out source destination
      207 54155 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
        0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 reject-with tcp-reset
        0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
        0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
        4 228 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
        2 116 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
        0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
        1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
        2 128 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
        0 0 ACCEPT tcp -- * * -sanitized- 0.0.0.0/0 tcp dpt:22
        0 0 ACCEPT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:22
        0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
        0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 code 0
        0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target prot opt in out source destination
        0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
        0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 reject-with tcp-reset
        0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
        0 0 ACCEPT all -- lo lo 0.0.0.0/0 0.0.0.0/0
        0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target prot opt in out source destination
      158 25662 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
        0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 reject-with tcp-reset
        0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
        0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
       33 2351 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
But I still can't connect to SSH on port 22 (I'm using a serial console).
This thread has a solution that works for me:
http://forum.linode.com/viewtopic.php?t=6981&postdays=0&postorder=asc&start=0
The solution is to add the following lines to /etc/init.d/iptables:
- echo -n $"${IPTABLES}: Setting chains to policy $policy: "
- ret=0
- for i in $tables; do
- echo -n "$i "
- case "$i" in
- + security)
- + $IPTABLES -t filter -P INPUT $policy \
- + && $IPTABLES -t filter -P OUTPUT $policy \
- + && $IPTABLES -t filter -P FORWARD $policy \
- + || let ret+=1
- + ;;
- raw)
- $IPTABLES -t raw -P PREROUTING $policy \
- && $IPTABLES -t raw -P OUTPUT $policy \
- || let ret+=1
- ;;
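Review bot: the added `security)` case applies the policy to the filter table (`$IPTABLES -t filter -P INPUT $policy`), not to the security table, so on a kernel that does have a security table its chains are never reset while filter's are set twice, and on this CentOS 5.6 kernel, which has no security table (that is why "security" is the entry that fails on the "Setting chains to policy ACCEPT" line), the case only papers over the fact that `$tables` names a table the kernel cannot provide. Either derive `$tables` from /proc/net/ip_tables_names so the loop never sees `security`, or keep the case table-correct and guard it, e.g. `grep -qx security /proc/net/ip_tables_names && $IPTABLES -t security -P INPUT $policy ...`, and treat a table that is not loaded as skipped rather than counting it in `$ret`.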
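The guard the stock init script is missing, as an added example (this is not code from the original post, the Linode thread, or the CentOS init script): before resetting a table's built-in chains to a policy, check that the kernel actually lists the table in /proc/net/ip_tables_names, and skip it instead of failing when it is absent. The IPTABLES_NAMES variable (so a constructed file can stand in for the proc entry), the per-table chain lists in builtin_chains, and the dry run through IPTABLES="echo iptables" are assumptions made for this example, not settings taken from the page.

```shell
#!/bin/sh
# Added example: reset chain policies only on tables the running kernel exposes.
# Assumptions (not from the original post):
#   IPTABLES        command to run; defaults to "echo iptables" so this is a dry run
#   IPTABLES_NAMES  file listing loaded tables; defaults to the real proc entry
IPTABLES="${IPTABLES:-echo iptables}"
IPTABLES_NAMES="${IPTABLES_NAMES:-/proc/net/ip_tables_names}"

# Built-in chains of each table. The security table, where the kernel has one,
# carries the same three chains as filter.
builtin_chains() {
    case "$1" in
        filter|security) echo "INPUT FORWARD OUTPUT" ;;
        nat)             echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle)          echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)             echo "PREROUTING OUTPUT" ;;
        *)               return 1 ;;
    esac
}

# True when the kernel lists the table; this is the check the init script lacks.
table_loaded() {
    grep -qx -- "$1" "$IPTABLES_NAMES" 2>/dev/null
}

# set_policies POLICY TABLE...: set POLICY on every built-in chain of each
# TABLE that is loaded. A table the kernel does not have is skipped with a note
# on stderr; a loaded table with no known chain list, or an iptables call that
# fails, is counted. Returns the number of failures, like the script's $ret.
set_policies() {
    policy="$1"; shift
    ret=0
    for t in "$@"; do
        if ! table_loaded "$t"; then
            echo "skipping $t: not listed in $IPTABLES_NAMES" >&2
            continue
        fi
        chains=$(builtin_chains "$t") || { ret=$((ret + 1)); continue; }
        for c in $chains; do
            $IPTABLES -t "$t" -P "$c" "$policy" || ret=$((ret + 1))
        done
    done
    return $ret
}

# Dry run against a constructed table list that mimics a CentOS 5 kernel
# (filter, nat, mangle, raw; no security table), using the same table order
# the init script's loop reports.
demo() {
    names=$(mktemp) || return 1
    printf 'filter\nnat\nmangle\nraw\n' > "$names"
    IPTABLES_NAMES="$names"
    IPTABLES="echo iptables"
    set_policies ACCEPT security raw nat mangle filter
    rc=$?
    rm -f "$names"
    return $rc
}
```

Sourced on the box itself with IPTABLES=/sbin/iptables and IPTABLES_NAMES left at its default, `set_policies ACCEPT security raw nat mangle filter` sets the policies on the four tables a 2.6.18 kernel has and reports `security` as skipped rather than as a failure; `demo` prints the 13 iptables commands the dry run would issue.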