My hosting company (Softlayer) requires me to open the port range 48000 to 48020 for their monitoring service.

From ifconfig, these are my interfaces:

    eth0      Link encap:Ethernet  HWaddr 06:3F:74:F6:7F:0C
              inet addr:10.54.12.130 ...
    eth1      Link encap:Ethernet  HWaddr 06:0C:1E:65:0E:A8
              inet addr:50.23.75.242 ....

These are my current iptables rules:

    Chain INPUT (policy ACCEPT)
    num  target     prot opt source       destination
    1    ACCEPT     all  --  anywhere     anywhere
    2    REJECT     all  --  anywhere     loopback/8   reject-with icmp-port-unreachable
    3    ACCEPT     all  --  anywhere     anywhere     state RELATED,ESTABLISHED
    4    ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:http
    5    ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:https
    6    ACCEPT     tcp  --  anywhere     anywhere     state NEW tcp dpt:ici
    7    REJECT     all  --  anywhere     anywhere     reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source       destination
    1    REJECT     all  --  anywhere     anywhere     reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source       destination
    1    ACCEPT     all  --  anywhere     anywhere

I tried this iptables command:

    iptables -I INPUT 7 -i eth0 -p tcp -s 10.54.12.130 --dport 48000:48020 -j ACCEPT

The result is as follows:

    Chain INPUT (policy ACCEPT)
    num  target     prot opt source       destination
    1    ACCEPT     all  --  anywhere     anywhere
    2    REJECT     all  --  anywhere     loopback/8   reject-with icmp-port-unreachable
    3    ACCEPT     all  --  anywhere     anywhere     state RELATED,ESTABLISHED
    4    ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:http
    5    ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:https
    6    ACCEPT     tcp  --  anywhere     anywhere     state NEW tcp dpt:ici
    7    ACCEPT     tcp  --  10.54.12.130 anywhere     tcp dpts:nimcontroller:48020
    8    REJECT     all  --  anywhere     anywhere     reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source       destination
    1    REJECT     all  --  anywhere     anywhere     reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source       destination
    1    ACCEPT     all  --  anywhere     anywhere

But the Nimsoft monitor test tool provided by Softlayer shows that it cannot connect.

What exactly am I doing wrong?
10.54.12.130 is your own internal IP address, not the internal IP address of Softlayer's Nimsoft server. You are only allowing connections to those ports from your own IP! That is why it isn't working.

To fix this, change the source IP address to the Nimsoft server IP address that Softlayer gave you, or leave the source IP out entirely if it is a trusted management network. Softlayer itself suggests using a source of 10.0.0.0/8. So the rule would be:

    -A INPUT -i eth0 -s 10.0.0.0/8 -p tcp -m state --state NEW --dport 48000:48020 -j ACCEPT
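One thing the answer's rule does not cover is placement: in the chain shown in the question, "-A INPUT" appends the ACCEPT after the catch-all REJECT in rule 7, so it is never reached. The helper below is an added example, not code from the question or the answer; it reads an "iptables -L INPUT --line-numbers" style listing (a constructed copy of the one in the question), finds the catch-all REJECT, and builds the insert command with the 10.0.0.0/8 source the answer recommends.

```shell
#!/bin/sh
# Added example. Picks the insert position for the Nimsoft allow rule so it
# lands BEFORE the chain's catch-all REJECT; appended with "-A INPUT" it would
# sit after that REJECT and never match. The listing below is constructed to
# mirror the question's "iptables -L --line-numbers" output.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     all  --  anywhere     anywhere
2    REJECT     all  --  anywhere     loopback/8   reject-with icmp-port-unreachable
3    ACCEPT     all  --  anywhere     anywhere     state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:http
5    ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:https
6    ACCEPT     tcp  --  anywhere     anywhere     state NEW tcp dpt:ici
7    REJECT     all  --  anywhere     anywhere     reject-with icmp-port-unreachable'

# Print the rule number of the first catch-all REJECT in chain INPUT (source
# and destination both "anywhere"); prints nothing when there is none.
catchall_reject_pos() {
    printf '%s\n' "$1" | awk '
        /^Chain / { inchain = ($2 == "INPUT") }
        inchain && $2 == "REJECT" && $5 == "anywhere" && $6 == "anywhere" { print $1; exit }
    '
}

# Build the iptables command: insert at the REJECT position when one exists,
# otherwise append. Source is the 10.0.0.0/8 management range from the answer.
nimsoft_rule_cmd() {
    pos=$(catchall_reject_pos "$1")
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -i eth0 -s 10.0.0.0/8 -p tcp -m state --state NEW --dport 48000:48020 -j ACCEPT\n' "$pos"
    else
        printf 'iptables -A INPUT -i eth0 -s 10.0.0.0/8 -p tcp -m state --state NEW --dport 48000:48020 -j ACCEPT\n'
    fi
}

# On a live host, replace SAMPLE_LISTING with: iptables -L INPUT -n --line-numbers
nimsoft_rule_cmd "$SAMPLE_LISTING"
```

After inserting, confirm with "iptables -L INPUT -n --line-numbers" that the ACCEPT is numbered below the REJECT.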