Local port access blocked by iptables

Although I have Linux experience, I am new to iptables and set it up following the Rackspace virtual server setup guide.

Using port scans and checking remote access to the required ports, I can see that all traffic is blocked except for the ports I specifically opened.

But I cannot access the ports I opened locally (e.g. w3m http://localhost:4848).

Here are my iptables rules:

 # Generated by iptables-save v1.4.12 on Tue Oct 7 20:06:11 2014
 *filter
 :INPUT DROP [44:3960]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [184:19472]
 -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 4848 -j ACCEPT
 COMMIT
 # Completed on Tue Oct 7 20:06:11 2014

Dump of sudo iptables -L -n -v:

 Chain INPUT (policy DROP 45 packets, 4050 bytes)
  pkts bytes target     prot opt in     out     source               destination
   106 10697 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     1    64 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4848
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080

 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination

 Chain OUTPUT (policy ACCEPT 77 packets, 9149 bytes)
  pkts bytes target     prot opt in     out     source               destination

More output, as requested in the comments:

 $ ip link show
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
     link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
     link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

 $ ip addr show
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
     link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
     inet XXX.XXX.XXX.XXX/24 brd XXX.XXX.XXX.255 scope global eth0
     inet6 XXXX::XXXX:XXXX:XXXX:XX/64 scope link
        valid_lft forever preferred_lft forever
 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
     link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
     inet XXX.XXX.XXX.XXX/19 brd XXX.XXX.XXX.255 scope global eth1
     inet6 XXXX::XXXX:XXXXX:XXXX:XXXX/64 scope link
        valid_lft forever preferred_lft forever

I suspect the lack of local access to these ports is the root cause of glassfish not working properly.

So my questions are:

  • How can I open local access to these ports without affecting remote security?
  • Are there any other suggested changes that would improve security?

To find out which rules you are missing, it is handy to put a logging rule at the end of the chain:

 iptables -A INPUT -j LOG 

You will then see in the dmesg output every packet that reaches the end of the INPUT chain and is subsequently discarded by your DROP policy. As I said in the comments, you are probably missing a rule for your loopback device:

 iptables -I INPUT -i lo -j ACCEPT 

But try adding the logging rule to find out the more specific iptables criteria.
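As an added example (not part of the answer above), the following script audits an iptables-save dump for exactly the gap described here: an INPUT chain with a DROP policy and no ACCEPT rule for the loopback interface. The sample ruleset is constructed from the question; the function names are hypothetical, and the fix it emits is the loopback rule from the answer placed first in INPUT, which is what iptables -I INPUT does.

```shell
#!/bin/sh
set -e

# Constructed sample in iptables-save format, modelled on the question:
# INPUT policy DROP, remote ports opened, but no rule for lo.
SAMPLE_RULES='*filter
:INPUT DROP [44:3960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [184:19472]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4848 -j ACCEPT
COMMIT'

# has_lo_accept: read iptables-save text on stdin; succeed if some INPUT
# rule accepts traffic arriving on lo (a negated "! -i lo" does not count).
has_lo_accept() {
    grep -E '^-A INPUT ' | grep -v '! -i lo' \
        | grep -Eq '(^| )-i lo .*-j ACCEPT( |$)'
}

# audit_loopback: print "missing" when the INPUT policy is DROP and nothing
# accepts loopback traffic (localhost connections will be silently dropped),
# otherwise print "ok".
audit_loopback() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
       && ! printf '%s\n' "$rules" | has_lo_accept; then
        echo "missing"
    else
        echo "ok"
    fi
}

# with_lo_accept: emit the same ruleset with the loopback rule inserted as
# the first INPUT rule (falling back to just before COMMIT if INPUT is empty),
# so it is evaluated before any other INPUT rule, like "iptables -I INPUT".
with_lo_accept() {
    awk 'BEGIN { done = 0 }
         (/^-A INPUT/ || /^COMMIT/) && !done {
             print "-A INPUT -i lo -j ACCEPT"; done = 1 }
         { print }'
}

# Stand-alone run: report on the sample, then show the corrected ruleset.
printf 'loopback accept: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | audit_loopback)"
printf '%s\n' "$SAMPLE_RULES" | with_lo_accept
```

Pipe the output of `iptables-save` into `audit_loopback` on a live host to run the same check against the real ruleset.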