My iptables rules:

```
sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    ACCEPT     icmp --  anywhere             anywhere
4    ACCEPT     all  --  anywhere             anywhere
5    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
7    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
```
Additional information

```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1083K  263M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3942M 4886G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  734 42672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  864 62326 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  138  8568 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
  151 20254 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 778 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination
```
By deleting rule 7 from the INPUT chain, I can access the server remotely. My understanding is that any rule before rule 7 should not be affected by it, so rule 6 should take precedence for MySQL connections.

Are there any additional rules I should add or modify?
Your iptables rules allow incoming connections to port 3306, but only on the eth0 interface. You are probably trying to connect from a different interface.

To fix this, replace the rule with one that allows the desired traffic. For example, to allow traffic from all interfaces:

```
iptables -R INPUT 6 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
```
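The interface restriction in the answer above is only visible in the verbose listing (`iptables -L -v -n`), which adds the `in`/`out` columns and the per-rule packet counters; the plain `iptables -L` output in the question shows rule 6 as "anywhere anywhere". The following script is an added example, not part of the original question or answer: it reads a verbose INPUT-chain listing and reports every ACCEPT rule that is bound to a single input interface and has never matched a packet, together with the positional rule number that `iptables -R INPUT N` expects. The embedded sample is the INPUT chain posted in the question; the function names `unhit_iface_rules` and `iface_bound_accepts` are this example's own.

```shell
#!/bin/sh
# Added example (not the answer's own code): find INPUT ACCEPT rules that are
# restricted to one input interface (the "in" column of `iptables -L -v -n`)
# and whose packet counter is still 0, i.e. rules that never fired.
#
# Sample input, copied from the question's verbose listing so the script runs
# offline. On a live host pipe `sudo iptables -L INPUT -v -n` in instead.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1083K  263M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3942M 4886G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  734 42672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  864 62326 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  138  8568 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
  151 20254 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Reads `iptables -L INPUT -v -n` on stdin and prints one line per suspect rule:
#   <rule number> <in-interface> <match spec>
# Columns: $1 pkts, $3 target, $6 in-interface, $10.. match spec.
# The rule number is the rule's position in the chain (the N in `-R INPUT N`);
# the listing has two header lines, so it is NR-2. Counters are compared as
# strings because iptables prints them with K/M/G suffixes.
unhit_iface_rules() {
    awk 'NR > 2 && $3 == "ACCEPT" && $6 != "*" && $1 == "0" {
        spec = ""
        for (i = 10; i <= NF; i++) spec = spec (i > 10 ? " " : "") $i
        print NR - 2, $6, spec
    }'
}

# Same input; lists every interface-bound ACCEPT rule with its packet count,
# hit or not, so a deliberate binding (lo) can be told apart from a broken one.
#   <rule number> <in-interface> <pkts>
iface_bound_accepts() {
    awk 'NR > 2 && $3 == "ACCEPT" && $6 != "*" { print NR - 2, $6, $1 }'
}

echo "$SAMPLE" | unhit_iface_rules
# Live host: sudo iptables -L INPUT -v -n | unhit_iface_rules
```

On the question's listing this reports `6 eth0 tcp dpt:3306`: rule 6 is the only interface-bound rule with a zero counter, which is the rule the answer replaces. After running the `-R` command, re-check with `sudo iptables -L INPUT -v -n --line-numbers` and confirm both that the `in` column of rule 6 reads `*` and that its packet counter starts increasing when a connection is attempted; if it stays at 0 the traffic is arriving on a port or protocol the rule still does not match.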