堆栈内存溢出
  简体   繁体   English

端口80已打开,但Iptables阻止Apache连接

[英]port 80 is open but Iptables prevents Apache connections

 原文  2017-07-17 16:35:46       apache/ centos/ centos7/ iptables/ httpd.conf

问题描述

I've been having trouble connecting via a web browser to server that runs Apache. 我一直无法通过网络浏览器连接到运行Apache的服务器。 I've discovered that by stopping the iptables service, I can then connect to and load a web page from the server. 我发现通过停止iptables服务,可以连接到服务器并从服务器加载网页。 However, i don't understand what I'm missing in my iptbales rules, as I've already opended up port 80. 但是,我不了解我的iptbales规则所缺少的内容,因为我已经开放了80端口。

Can anyone see anything here that could be causing any issues? 有人能在这里看到任何可能引起问题的东西吗? 

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
-A FORWARD_IN_ZONES -i eno1 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eno1 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eno1 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

EDIT*** 编辑***

Here is the output of iptables -nvL as requested by Bogdan Stoica: 这是Bogdan Stoica要求的iptables -nvL的输出: 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   396 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
   22  1520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   16  2177 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   16  2177 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   16  2177 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   16  2177 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 21 packets, 3720 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   21  3720 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDI_public  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      eno1    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_public  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   16  2177 IN_public  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 IN_public  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   16  2177 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   16  2177 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   16  2177 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

1 个解决方案

解决方案1
 0  2017-07-18 11:07:43

I can't really follow because you have so many chains (and I do not know for sure what each chain is supposed to but... In can guess though but my guessing might be wrong). 我不能真正理解,因为您有很多链(而且我不确定每个链应该做什么,但是...虽然可以猜测,但我的猜测可能是错误的)。 As a basic rule you should have: 作为基本规则,您应该具有:

1) the default policy is DROP and then you allow strictly what you need 2) try updating your allow rules as follows: 1)默认策略是DROP,然后您严格允许您需要的内容2)尝试如下更新您的允许规则: 

iptables -A IN_public_allow -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A IN_public_allow -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT

It looks like a misconfiguration: 看起来像是配置错误: 

-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow

Basically you do not define a policy for those chains. 基本上,您没有为这些链定义策略。 I would reconfigure the firewall entirely. 我将完全重新配置防火墙。 You have to put everyting on paper from the start, what chains do you need, why you need them, what policies each chain is supposed to have an so on. 您必须从一开始就将所有内容写在纸上,您需要什么链条,为什么需要它们,每个链条应具有哪些政策等等。 Then you can create rules and add them to their specific chains 然后,您可以创建规则并将其添加到其特定链中

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Apache拒绝打开甚至更改端口80和443的端口 - Apache refused to open even changing port 80 and port 443 端口80上的Apache和Node - Apache and Node on port 80 安装Apache和端口80 - Installing Apache and port 80 在端口80上运行Apache - Running Apache on port 80 无法使用PID 4,问题端口80和Apache打开过程 - Unable to Open Proccess with PID 4 , problem port 80 and Apache 重定向tomcat在apache端口80中打开后无法访问phpmyadmn - After Redirecting tomcat to open in apache port 80 unable to access phpmyadmn 无法在Apache上列出端口80 - cant list to port 80 on apache 去,sudo和apache端口80 - Go, sudo, and apache port 80 忙... Apache开始[端口80] - Busy… Apache started [Port 80] Apache无法绑定端口80 - Apache failed to bind port 80
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM