[英]iptables input, output rules
I need help with this iptables rules. 我需要有关此iptables规则的帮助。 I don't understand why is needed INPUT rule for port 8080
我不明白为什么8080端口需要输入规则
server with public ip 123.123.123.123 具有公共ip 123.123.123.123的服务器
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -I INPUT 1 -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s 123.123.123.123 -j ACCEPT
when I disable INPUT rule pro 8080, firewall will block port 8080 当我禁用输入规则pro 8080时,防火墙将阻止端口8080
when SERVER try open GET 123.123.123.123:8080 fails! 当SERVER尝试打开GET 123.123.123.123:8080失败时! (responce timeout) why?
(响应超时)为什么?
why it didn't enable rule ESTABLISHED,RELATED ??? 为什么它没有启用规则ESTABLISHED,相关?
iptables -I INPUT 1 -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
^ this works for connections that already are established, so id doesn't catch any new connections. ^这适用于已建立的连接,因此id不会捕获任何新连接。
iptables -A INPUT -p tcp --dport 8080 -s 123.123.123.123 -j ACCEPT
^ and this one catch anything what's trying to send TCP packets to 123.123.123.123:8080 and accepts it. ^,这个可以捕获任何试图将TCP数据包发送到123.123.123.123:8080并接受它的内容。 If you can't connect to that service when this entry is not present is because there can be something furthermore in your chain which catch the trafic and makes
-j REJECT
or -j DROP
如果您在没有该条目时无法连接到该服务,则是因为您的链中还有其他东西会引起交通拥堵并使
-j REJECT
或-j DROP
...or you have REJECT or DROP policy on this chain. ...或者您在此链上有拒绝或放弃政策。
check iptables -L INPUT
to check that and iptables -P INPUT ACCEPT
to change it. 检查
iptables -L INPUT
进行检查,并检查iptables -P INPUT ACCEPT
进行更改。
One easy way to check what is going on on your chain is to check iptables -L -n -v
. 检查链中正在发生什么的一种简单方法是检查
iptables -L -n -v
。 The verbose parameter will give you amount of pkts and bytes for every rule so watching it you can figure out if your rule is catching anything. verbose参数将为您提供每个规则的pkts和字节数,因此观看它可以找出您的规则是否捕获了任何东西。
thanks, solution is not to enable INPUT ACCEPT 谢谢,解决方案是不启用输入接受
but add enabletion for all connection from server to self 但是为从服务器到自身的所有连接添加启用
iptables -I INPUT 2 -p all -m state --state NEW -s 123.123.123.123 -j ACCEPT
I didn't reliaze that new connection from server is valid (OUTPUT is enabled) but firewall then get's NEW connection to INPUT ... that's not enabled by default 我没有说服服务器的新连接有效(已启用OUTPUT),但是防火墙随后获得了与INPUT的新连接...默认情况下未启用
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.