I have finished my iptables setup, but FTP login/connections do not work. NAT/firewall forwarding at the hardware/router level is set up correctly.
I have added an entry, but it does not seem to work.
Q: Why are FTP connections not being allowed here?
My current iptables configuration is:
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp spt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
    ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:29292 state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED

    Chain FORWARD (policy DROP)
    target prot opt source destination

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
    ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
    ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:29292 state ESTABLISHED
UPDATE: updated, but connections are still not allowed
    [root@host ~]# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp spt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
    ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:29292 state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate ESTABLISHED /* Allow ftp connections on port 21 */
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data ctstate RELATED,ESTABLISHED /* Allow ftp connections on port 20 */
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* Allow passive inbound connections */

    Chain FORWARD (policy DROP)
    target prot opt source destination

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
    ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
    ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp spt:29292 state ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate NEW,ESTABLISHED /* Allow ftp connections on port 21 */
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data ctstate ESTABLISHED /* Allow ftp connections on port 20 */
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 ctstate RELATED,ESTABLISHED /* Allow passive inbound connections */
Some general remarks:
Usually the first rule in a stateful firewall configuration is one that allows packets belonging to already established connections. The idea behind this is that in order for a connection to be established in the first place it must already have been allowed by an explicit rule, so repeating all the subsequent checks is a complete waste of effort (iptables -L -v -n will show the following):
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target prot opt in out source    destination
    1    2789K  866M ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
The syntax to create it (shown in another commonly used notation for iptables configurations) is:
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
although usually the iptables command itself is omitted.
Your configuration is missing this first rule.
The subsequent rules then only need to allow NEW connections for the protocols you want, rather than both NEW and ACCEPTED as you did before:
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
but to allow SSH it is enough to have:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Your FTP problem: FTP is an odd protocol in that it uses two connections. The first is the control connection, which by default the FTP server listens for on TCP port 21.
The control connection is used for authentication and for issuing commands. The actual file transfers and things like the output of directory listings go over a second TCP connection, the DATA connection. In active FTP the DATA connection is initiated by the FTP server from TCP port 20 and connects back to the FTP client. Active FTP does not work for users behind firewalls and NAT gateways and has largely fallen out of use.
Most FTP servers support passive FTP. With passive FTP the FTP server opens a listener for the DATA connection on a second port, and the FTP client then connects to that listener. The problem for firewalls is that the data port can be any available unprivileged port between 1024 and 65536.
On a stateless firewall this is usually solved by limiting the range of passive ports the FTP server assigns and then explicitly opening those ports, i.e. restrict the passive range to ports 21000-21050 and:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --match multiport --dports 21000:21050 -j ACCEPT
On a stateful firewall you do not need to open the DATA ports explicitly: the netfilter helper module recognises the dynamic port being assigned and, by marking the DATA connection as RELATED, dynamically opens the correct client port through the first rule:
iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
This requires the correct kernel module to be loaded; in the FTP case run insmod nf_conntrack_ftp manually, which can be made persistent by editing /etc/sysconfig/iptables-config and adding the helper module nf_conntrack_ftp to the IPTABLES_MODULES variable.
Note: when FTP is used with SSL the FTP connection tracking module will fail, because the control connection is encrypted and nf_conntrack_ftp can no longer read the PASV response.
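As an added example (not code from the asker or the answerer), the Python below audits the INPUT chain of an iptables-save style dump for exactly the problems the answer points out: a missing or mis-positioned RELATED,ESTABLISHED catch-all, rules that redundantly match NEW,ESTABLISHED, and reply-only rules the catch-all already covers. Both dumps are constructed samples (a condensed version of the asker's chain and the layout the answer recommends); the audit() function and its finding strings are assumptions of this example.

```python
import re
# Constructed sample (iptables-save rule syntax): the asker's INPUT chain, condensed.
BROKEN_DUMP = """\
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
"""
# Constructed sample of the layout the answer recommends.
FIXED_DUMP = """\
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
"""
STATE_RE = re.compile(r"--(?:state|ctstate) (\S+)")

def _states(rule):
    m = STATE_RE.search(rule)
    return set(m.group(1).split(",")) if m else set()

def input_rules(dump):
    """Rules appended to INPUT, in the order netfilter evaluates them."""
    return [ln for ln in dump.splitlines() if ln.startswith("-A INPUT ")]

def audit(dump):
    rules = input_rules(dump)
    findings = []
    # The catch-all: accepts RELATED,ESTABLISHED with no port match at all.
    catch_all = [i for i, r in enumerate(rules)
                 if {"RELATED", "ESTABLISHED"} <= _states(r)
                 and "port" not in r and r.endswith("-j ACCEPT")]
    if not catch_all:
        findings.append("no generic RELATED,ESTABLISHED ACCEPT rule in INPUT")
    elif catch_all[0] != 0:
        findings.append(f"catch-all is rule {catch_all[0] + 1}; move it to position 1")
    for i, r in enumerate(rules, 1):
        st = _states(r)
        if i - 1 in catch_all or not r.endswith("-j ACCEPT"):
            continue
        if "NEW" in st and "ESTABLISHED" in st:
            findings.append(f"rule {i}: ESTABLISHED is redundant, match NEW only")
        elif st and "NEW" not in st:
            findings.append(f"rule {i}: only matches reply traffic the catch-all covers")
    # Passive data connections only become RELATED if the FTP helper is loaded.
    if any("--dport 21 " in r and "NEW" in _states(r) for r in rules):
        findings.append("reminder: port 21 is open, ensure nf_conntrack_ftp is loaded")
    return {"catch_all_first": catch_all[:1] == [0], "findings": findings}
```

Feed it the output of iptables-save on the real host to get the same report for a live ruleset.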