When I run the following command on my Ubuntu instance:

    $ nmap host

I see that port 443 is open:

    Starting Nmap 5.21 ( http://nmap.org ) at 2013-03-19 05:36 PDT
    Nmap scan report for [host redacted] (ip address redacted)
    Host is up (0.000034s latency).
    rDNS record for [ip address redacted]: [host redacted]
    Not shown: 995 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    25/tcp    open  smtp
    80/tcp    open  http
    443/tcp   open  https
    30000/tcp open  unknown

    Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
However, I cannot telnet to port 443. When I try, I see the following entry in my syslog:

    Mar 19 05:39:30 localhost kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:ae:c6:7a:c8:4c:75:f5:d6:3f:08:00 SRC=(ip address redacted) DST=(ip address redacted) LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=23782 DF PROTO=TCP SPT=53375 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
and the output of iptables -L --line-numbers for the ACCEPT chain:

    Chain INPUT (policy ACCEPT)
    num  target                    prot opt source    destination
    1    ACCEPT                    all  --  anywhere  anywhere
    2    REJECT                    all  --  anywhere  127.0.0.0/8  reject-with icmp-port-unreachable
    3    ACCEPT                    all  --  anywhere  anywhere     state RELATED,ESTABLISHED
    4    ACCEPT                    tcp  --  anywhere  anywhere     tcp dpt:www
    5    ACCEPT                    tcp  --  anywhere  anywhere     state NEW tcp dpt:30000
    6    LOG                       all  --  anywhere  anywhere     limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
    7    REJECT                    all  --  anywhere  anywhere     reject-with icmp-port-unreachable
    8    ufw-before-logging-input  all  --  anywhere  anywhere
    9    ufw-before-input          all  --  anywhere  anywhere
    10   ufw-after-input           all  --  anywhere  anywhere
    11   ufw-after-logging-input   all  --  anywhere  anywhere
    12   ufw-reject-input          all  --  anywhere  anywhere
    13   ufw-track-input           all  --  anywhere  anywhere
    14   ACCEPT                    tcp  --  anywhere  anywhere     tcp dpt:https
I tried using UFW at one point, but it is now disabled and I am just using iptables. I see that on line 14 I accept packets on port 443, but on line 7 I reject packets. Is there a problem with the rule's position? If so, how can I move it further up? Or is it a problem with the rule itself?

When I look at my bash history, I believe this is the rule that was used:

    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Update:

I just solved this by moving the rule further up the chain and deleting the appended rule:

    $ iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT   # add the rule at the 6th position
    $ iptables -L
    $ iptables -D INPUT 15                                 # delete line 15
Your rule needs to be before the reject line and the log line:

    6    LOG     all  --  anywhere  anywhere  limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
    7    REJECT  all  --  anywhere  anywhere  reject-with icmp-port-unreachable

which should be last. This is because rules are processed in order, and once one matches, no further rules are looked at.
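To make the first-match point concrete, here is an added example (not from the original question or answer) that simulates top-down evaluation of the INPUT chain quoted above and replays the `-I INPUT 6` / `-D INPUT 15` fix. It assumes rule 1 is the usual loopback accept (`-i lo`), a match that plain `iptables -L` does not display, that the ufw-* chains are empty because UFW is disabled, and uses a constructed documentation address for the server.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

@dataclass
class Rule:
    target: str          # ACCEPT / REJECT / LOG, or a ufw-* user-chain name
    proto: str = "all"   # "all" or "tcp"
    dport: int = None    # TCP destination port, None = any
    state: set = None    # conntrack states matched, None = any
    dst: str = None      # destination network, None = anywhere
    iface: str = None    # input interface, None = any (plain `iptables -L` hides this)

# A packet arriving on INPUT; dst defaults to a constructed documentation address.
Packet = namedtuple("Packet", "proto dport state iface dst", defaults=["198.51.100.10"])

def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("all", p.proto) and r.dport in (None, p.dport)
            and (r.state is None or p.state in r.state) and r.iface in (None, p.iface)
            and (r.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst)))

def evaluate(chain, pkt):
    """Walk the chain top down; first terminating target wins. Returns (verdict, rule no., logged)."""
    logged = False
    for num, rule in enumerate(chain, start=1):
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":       # non-terminating: record it and keep walking
            logged = True
        elif rule.target in ("ACCEPT", "REJECT", "DROP"):
            return rule.target, num, logged
        # any other target is a ufw-* chain, assumed empty because UFW is disabled
    return "policy ACCEPT", None, logged

# INPUT chain as listed in the question. Assumption: rule 1 is the usual loopback
# accept (-i lo), a match that plain `iptables -L` does not display.
UFW = ["ufw-before-logging-input", "ufw-before-input", "ufw-after-input",
       "ufw-after-logging-input", "ufw-reject-input", "ufw-track-input"]
QUESTION_CHAIN = [
    Rule("ACCEPT", iface="lo"), Rule("REJECT", dst="127.0.0.0/8"),
    Rule("ACCEPT", state={"RELATED", "ESTABLISHED"}), Rule("ACCEPT", "tcp", 80),
    Rule("ACCEPT", "tcp", 30000, {"NEW"}), Rule("LOG"), Rule("REJECT"),
    *[Rule(c) for c in UFW], Rule("ACCEPT", "tcp", 443)]

def insert_rule(chain, pos, rule):   # iptables -I INPUT <pos> ...  (1-based)
    return chain[:pos - 1] + [rule] + chain[pos - 1:]
def delete_rule(chain, pos):         # iptables -D INPUT <pos>
    return chain[:pos - 1] + chain[pos:]

FIXED_CHAIN = delete_rule(insert_rule(QUESTION_CHAIN, 6, Rule("ACCEPT", "tcp", 443)), 15)
```

With the original chain a new SYN to 443 on eth0 hits LOG at 6 and REJECT at 7 (exactly the syslog line in the question), while a scan from the host itself is accepted by rule 1, which is why nmap run locally reported the port open; with the fixed chain the same SYN is accepted at rule 6 and never reaches the LOG rule.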