CentOS5.2 iptables奇怪问题
时间:2011-01-11
来源:互联网
服务器有2块网卡,eth0:192.168.78.10 eth1:192.168.77.10
设置服务器防火墙如下:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I OUTPUT -p tcp -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT
iptables -I OUTPUT -p icmp -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 80 -j DROP
这样设置后,还是能够通过eth1还是能够访问服务器的80端口,即http://192.168.77.10,为什么呢?
iptables -vnL结果如下:
[root@localhost ~]# iptables -vnL
Chain INPUT (policy DROP 3 packets, 118 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
177 15296 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 60 packets, 90000 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
198 37688 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]# iptables -vnL
Chain INPUT (policy DROP 5 packets, 184 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
191 16360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 60 packets, 90000 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
218 40536 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
设置服务器防火墙如下:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I OUTPUT -p tcp -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT
iptables -I OUTPUT -p icmp -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 80 -j DROP
这样设置后,还是能够通过eth1还是能够访问服务器的80端口,即http://192.168.77.10,为什么呢?
iptables -vnL结果如下:
[root@localhost ~]# iptables -vnL
Chain INPUT (policy DROP 3 packets, 118 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
177 15296 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 60 packets, 90000 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
198 37688 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]# iptables -vnL
Chain INPUT (policy DROP 5 packets, 184 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
191 16360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 60 packets, 90000 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
218 40536 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
作者: wan_gjie 发布时间: 2011-01-11
我觉得吧,只要匹配了这条就应该能访问http://192.168.77.10
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
作者: dn833 发布时间: 2011-01-11
相关阅读 更多
热门阅读
-
office 2019专业增强版最新2021版激活秘钥/序列号/激活码推荐 附激活工具
阅读:74
-
如何安装mysql8.0
阅读:31
-
Word快速设置标题样式步骤详解
阅读:28
-
20+道必知必会的Vue面试题(附答案解析)
阅读:37
-
HTML如何制作表单
阅读:22
-
百词斩可以改天数吗?当然可以,4个步骤轻松修改天数!
阅读:31
-
ET文件格式和XLS格式文件之间如何转化?
阅读:24
-
react和vue的区别及优缺点是什么
阅读:121
-
支付宝人脸识别如何关闭?
阅读:21
-
腾讯微云怎么修改照片或视频备份路径?
阅读:28
