主页 / server / 问题 / 509397
Accepted
skyler
Asked: 2013-05-21 15:19:11 +0800 CST

允许通过内部接口进行 Nimsoft 连接的 iptables 规则

  • 772

我托管的公司 (Softlayer) 要求我为他们的监控服务打开 48000 到 48020 的端口范围。

在 ifconfig 中,这些是我的接口:

eth0      Link encap:Ethernet  HWaddr 06:3F:74:F6:7F:0C
          inet addr:10.54.12.130
          ...

eth1      Link encap:Ethernet  HWaddr 06:0C:1E:65:0E:A8
          inet addr:50.23.75.242
          ....

这些是我当前的 iptables 规则:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ici
7    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

我试过这个 iptables 命令: iptables -I INPUT 7 -i eth0 -p tcp -s 10.54.12.130 --dport 48000:48020 -j ACCEPT

结果是:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ici
7    ACCEPT     tcp  --  10.54.12.130         anywhere            tcp dpts:nimcontroller:48020
8    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

但是Softlayer提供的Nimsoft-monitor-testing工具显示无法连接。

我究竟做错了什么?

iptables

1 个回答

  1. Best Answer

    10.54.12.130 是您的内部 IP 地址,而不是 Softlayer 的 Nimsoft 服务器的内部 IP 地址。您只允许从您自己的 IP 连接到这些端口!这就是它不起作用的原因。

    要解决此问题,请将源 IP 地址更改为 Softlayer 为您提供的 Nimsoft 服务器 IP 地址,或者如果它是受信任的管理网络,您可以完全省略源 IP。Softlayer 自己推荐你使用 10.0.0.0/8 的源。所以规则看起来像:

    -A INPUT -i eth0 -s 10.0.0.0/8 -p tcp -m state --state NEW --dports 48000:48020 -j ACCEPT
    • 3

相关问题