Port blocked on iptables – I don't understand why

I have an iptables setup on Linux that is catching a port in the logging I configured, but I don't understand why it should be caught.

Here is the log entry....

    Jun 9 14:12:16 server2 kernel: iptables_dropIN=eth1 OUT= MAC=00:50:56:90:22:87:00:50:56:90:68:4f:08:00 SRC=192.168.100.94 DST=192.168.100.63 LEN=173 TOS=0x00 PREC=0x00 TTL=64 ID=19707 DF PROTO=TCP SPT=3872 DPT=49634 WINDOW=6151 RES=0x00 ACK PSH URGP=0

The hostname is server2 and its IP address is 192.168.100.63 (anonymised). I have an "accept all" at the end of the LOGGING chain. When I run "netstat -anp" it shows the following

    [root@server2 ~]# netstat -anp | grep -i 49634
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 192.168.100.63:49634    192.168.100.94:3872     ESTABLISHED 4036/java
    tcp        0      0 192.168.100.63:1521     192.168.100.63:49634    ESTABLISHED 5162/oracleCX1
    tcp        0      0 192.168.100.63:49634    192.168.100.63:1521     ESTABLISHED 27489/mds-r

I understand how TCP sessions are managed, and from my understanding the high ports should be allowed by default on iptables. There is an application on IP 192.168.100.94 that is making this connection request from port 3872 and using port 49634 for the connection, but I cannot find anything that explains why these sessions are having a problem.

Any suggestions?

Edit: here are the host iptables for the server where this log appeared (server2) and for the other server (server3)

    [root@server2 ~]# iptables --list -n --line-numbers
    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:161
    8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:161
    9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:162
    10   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:162
    11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:3200:3299
    13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:3300:3399
    14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:3600:3699
    15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:14942
    16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3872
    17   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1521
    18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:15027
    19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:7937:9936
    20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21212
    21   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:8000:8099
    22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:8100:8199
    23   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:50000:59999
    24   ACCEPT     tcp  --  192.168.100.75       0.0.0.0/0           state NEW tcp dpt:22
    25   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:55700
    26   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp spt:51400
    27   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:135:139
    28   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1947
    29   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:7938
    30   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:111
    31   LOGGING    all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    num  target     prot opt source               destination
    1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

    Chain LOGGING (1 references)
    num  target     prot opt source               destination
    1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 12/sec burst 5 LOG flags 0 level 4 prefix `iptables_drop'
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    [root@server2 ~]#

server3

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:161
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:161
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:162
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:162
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:3200:3299
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:3300:3399
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:3600:3699
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:14942
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3872
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1527
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1521
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:15027
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:7937:9936
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21212
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:8000:8099
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:8100:8199
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:50000:59999
    ACCEPT     tcp  --  192.168.100.75       0.0.0.0/0           state NEW tcp dpt:22
    DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:135:139
    LOGGING    all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain LOGGING (1 references)
    target     prot opt source               destination
    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 12/sec burst 5 LOG flags 0 level 4 prefix `iptables_drop'
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

    [root@server3 ~]#
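As an added illustration (not part of the question above or of any answer to it), the Python script below parses the LOG line quoted in the question and walks a model of the server2 INPUT chain as listed, to show which rule the packet reaches depending on whether conntrack still holds an entry for the 192.168.100.94:3872 -> 192.168.100.63:49634 flow. The logged segment carries ACK PSH and no SYN, and 49634 falls in none of the listed `state NEW ... dpt` ranges, so the only rule that can accept it is rule 1 (RELATED,ESTABLISHED). If conntrack has no entry for the flow (the entry timed out, the table was flushed, or the module was reloaded), the packet falls through to rule 31 and the LOGGING chain, where on server2 the final rule is ACCEPT (so the packet is logged with the `iptables_drop` prefix but still delivered) and on server3 it is REJECT. Two assumptions are labelled in the code: rule 3's hidden match is modelled as `-i lo`, and `conntrack_state` is a simplified model of how netfilter classifies a TCP segment, including the nf_conntrack_tcp_loose mid-stream pickup.

```python
# Constructed copy of the log line quoted in the question (same anonymised addresses).
LOG_LINE = ("Jun 9 14:12:16 server2 kernel: iptables_dropIN=eth1 OUT= "
            "MAC=00:50:56:90:22:87:00:50:56:90:68:4f:08:00 SRC=192.168.100.94 "
            "DST=192.168.100.63 LEN=173 TOS=0x00 PREC=0x00 TTL=64 ID=19707 DF "
            "PROTO=TCP SPT=3872 DPT=49634 WINDOW=6151 RES=0x00 ACK PSH URGP=0")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_iptables_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus the TCP flag set.
    The LOG prefix has no trailing space, so it runs into "IN=eth1"; split there."""
    _, _, rest = line.partition("kernel: ")
    prefix, sep, body = rest.partition("IN=")
    fields = {"PREFIX": prefix, "FLAGS": set(), "OPTS": set()}
    for tok in (sep + body).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            fields["FLAGS"].add(tok)
        else:
            fields["OPTS"].add(tok)  # IP-level options such as DF
    return fields

def conntrack_state(pkt, has_entry, tcp_loose=True):
    """Simplified model of what the `state` match sees for a TCP segment: a tracked flow
    is ESTABLISHED; with no entry a bare SYN is NEW, an ACK-only segment (like the logged
    ACK PSH) is picked up mid-stream as NEW because nf_conntrack_tcp_loose defaults to 1
    (INVALID when it is 0), and any other flag combination is INVALID."""
    flags = pkt["FLAGS"]
    if has_entry:
        return "ESTABLISHED"
    if "SYN" in flags and not flags & {"ACK", "RST", "FIN"}:
        return "NEW"
    if "ACK" in flags and not flags & {"SYN", "RST", "FIN"}:
        return "NEW" if tcp_loose else "INVALID"
    return "INVALID"

def _tcp_new(num, lo, hi=None, **extra):
    """One `ACCEPT tcp ... state NEW tcp dpt:lo[:hi]` rule."""
    return num, "ACCEPT", dict(proto="TCP", state={"NEW"}, dpt=(lo, hi or lo), **extra)

# The server2 INPUT chain as listed in the question: (rule number, target, match spec).
# Rule 3 shows as `ACCEPT all` with no match because the listing was taken without -v;
# modelling it as `-i lo` is an assumption, not something the listing proves.
SERVER2_INPUT = [
    (1, "ACCEPT", dict(state={"RELATED", "ESTABLISHED"})),
    (2, "ACCEPT", dict(proto="ICMP")),
    (3, "ACCEPT", dict(iface="lo")),
    _tcp_new(4, 22), _tcp_new(5, 25), _tcp_new(6, 80), _tcp_new(7, 161),
    (8, "ACCEPT", dict(proto="UDP", state={"NEW"}, dpt=(161, 161))),
    _tcp_new(9, 162),
    (10, "ACCEPT", dict(proto="UDP", state={"NEW"}, dpt=(162, 162))),
    _tcp_new(11, 443), _tcp_new(12, 3200, 3299), _tcp_new(13, 3300, 3399),
    _tcp_new(14, 3600, 3699), _tcp_new(15, 14942), _tcp_new(16, 3872),
    _tcp_new(17, 1521), _tcp_new(18, 15027), _tcp_new(19, 7937, 9936),
    _tcp_new(20, 21212), _tcp_new(21, 8000, 8099), _tcp_new(22, 8100, 8199),
    _tcp_new(23, 50000, 59999), _tcp_new(24, 22, src="192.168.100.75"),
    _tcp_new(25, 55700),
    (26, "ACCEPT", dict(proto="TCP", state={"NEW"}, spt=(51400, 51400))),
    (27, "DROP", dict(proto="UDP", dpt=(135, 139))),
    (28, "DROP", dict(proto="UDP", dpt=(1947, 1947))),
    (29, "ACCEPT", dict(proto="UDP", dpt=(7938, 7938))),
    (30, "ACCEPT", dict(proto="UDP", dpt=(111, 111))),
    (31, "LOGGING", {}),
]

def _matches(spec, pkt, ctstate):
    """True when every match in a rule's spec agrees with the parsed packet."""
    if spec.get("proto") not in (None, pkt.get("PROTO")):
        return False
    if spec.get("iface") not in (None, pkt.get("IN")):
        return False
    if spec.get("src") not in (None, pkt.get("SRC")):
        return False
    if "state" in spec and ctstate not in spec["state"]:
        return False
    for key in ("dpt", "spt"):  # port ranges are inclusive (lo, hi)
        if key in spec and not spec[key][0] <= int(pkt.get(key.upper(), -1)) <= spec[key][1]:
            return False
    return True

def first_match(pkt, ctstate, rules=SERVER2_INPUT):
    """Walk the chain top to bottom; a miss falls through to the chain policy (DROP)."""
    for num, target, spec in rules:
        if _matches(spec, pkt, ctstate):
            return num, target
    return None, "DROP"

def trace(line, has_entry, tcp_loose=True):
    """Return (conntrack state, (rule number, target)) for one logged packet."""
    pkt = parse_iptables_log(line)
    state = conntrack_state(pkt, has_entry, tcp_loose)
    return state, first_match(pkt, state)

if __name__ == "__main__":
    p = parse_iptables_log(LOG_LINE)
    print(f"{p['SRC']}:{p['SPT']} -> {p['DST']}:{p['DPT']} flags={sorted(p['FLAGS'])}")
    for has_entry in (True, False):
        state, (num, target) = trace(LOG_LINE, has_entry)
        print(f"conntrack entry={has_entry}: state={state}, first match: rule {num} -> {target}")
```

Run against the quoted line, the packet hits rule 1 only while conntrack holds the flow; without an entry it lands on rule 31 whether netfilter classifies it as NEW (tcp_loose on) or INVALID (tcp_loose off), because no `dpt` rule covers 49634. On a live box the same question is answered by `conntrack -L` (or `/proc/net/nf_conntrack`) filtered for the two endpoints, and by checking `nf_conntrack_tcp_timeout_established` and whether the LOG prefix actually precedes a DROP or, as on server2, an ACCEPT.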