我使用以下规则配置了 iptables:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED, RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
但 nmap 指责除了80, 22 and 53
root @ ns1: / # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all - anywhere anywhere
ACCEPT tcp - anywhere anywhere tcp dpt: ssh
ACCEPT tcp - anywhere anywhere tcp dpt: http
ACCEPT tcp - anywhere anywhere tcp dpt: https
ACCEPT all - anywhere anywhere ctstate RELATED, ESTABLISHED
ACCEPT tcp - anywhere anywhere tcp dpt: domain
ACCEPT udp - anywhere anywhere udp dpt: domain
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root @ ns1: / # nmap -vv 10.0.0.2
...
PORT STATE SERVICE
22 / tcp open ssh
53 / tcp open domain
80 / tcp open http
111 / tcp open rpcbind
139 / tcp open netbios-ssn
445 / tcp open microsoft-ds
...
可能会发生什么?我相信这些端口111 139 445
不会出现
两点:
删除从任何地方接受任何内容的第一条规则:
#iptables -D INPUT 1
然后考虑到任何打开的连接仍然能够通过 iptables,因为它在创建规则之前已经建立,所以也许服务重启会修复它