I'm having a problem with iptables on a CentOS 5.6 machine. It used to work fine, and I can't say exactly when this started happening, because I only noticed the problem when I went to allow a new IP on a port.
Basically, when I try to stop, start or restart it, I get the following:
Flushing firewall rules:                                   [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle filter [Failed]
Unloading iptables modules:                                [ OK ]
For some reason, no matter what I do, I can't reconfigure the rules. I've tried completely uninstalling iptables (via yum), but even after a system reboot it still only allows connections to the ports that were open before the problem started, and filters everything else.
I'm really at my wit's end; iptables status shows completely empty chains, yet still no joy for external connections.
Any ideas would be greatly appreciated. If you'd like me to provide more information, please let me know.
Thanks in advance,
Sam.
EDIT: contents of /etc/sysconfig/iptables (it's basically empty because iptables was removed and reinstalled).
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EDIT 2:
If I run /etc/init.d/iptables stop I get:
Flushing firewall rules:                                   [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle filter [Failed]
Unloading iptables modules:                                [ OK ]
and empty rules:
$ iptables -L -n -v
Chain INPUT (policy ACCEPT 81 packets, 6575 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 72 packets, 4133 bytes)
 pkts bytes target     prot opt in     out     source               destination
but it still blocks and filters ports.
Likewise, the result of a start is:
/etc/init.d/iptables start
Flushing firewall rules:                                   [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle filter [Failed]
Unloading iptables modules:                                [ OK ]
Applying iptables firewall rules:                          [ OK ]

iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  207 54155 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 reject-with tcp-reset
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   228 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    2   116 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993
    2   128 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       -sanitized-          0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/16       0.0.0.0/0           tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 code 0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 reject-with tcp-reset
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  lo     lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  158 25662 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 reject-with tcp-reset
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   33  2351 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
but I still can't connect to SSH on port 22 (I'm using the serial console).
This thread has a solution that worked for me:
http://forum.linode.com/viewtopic.php?t=6981&postdays=0&postorder=asc&start=0
The solution is to add the following lines to /etc/init.d/iptables
echo -n $"${IPTABLES}: Setting chains to policy $policy: " ret=0 for i in $tables; do echo -n "$i " case "$i" in + security) + $IPTABLES -t filter -P INPUT $policy \ + && $IPTABLES -t filter -P OUTPUT $policy \ + && $IPTABLES -t filter -P FORWARD $policy \ + || let ret+=1 + ;; raw) $IPTABLES -t raw -P PREROUTING $policy \ && $IPTABLES -t raw -P OUTPUT $policy \ || let ret+=1 ;;
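Review bot: the new `security)` branch sets the policy on the filter table (`$IPTABLES -t filter -P INPUT/OUTPUT/FORWARD $policy`) rather than on the security table it is named after, so it only stops the init script from counting that table name as a failure; the security table's own INPUT, OUTPUT and FORWARD chains keep whatever policy they already had, and if the script's existing `filter)` case is still present the filter policy is now applied twice per run. If the installed iptables accepts `-t security`, the branch should address that table (it has the same three built-in chains, so `$IPTABLES -t security -P INPUT $policy` and likewise for OUTPUT and FORWARD); otherwise it is clearer to skip the table with a comment than to re-apply the filter policy under its name, and either way the change deserves a comment saying why `security` is special-cased.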