iptables problem (opening a port in the firewall)

Go into sbin

sbin# ls

Output:

root@iZ0srtmu41khg6Z:/sbin# ls
acpi_available   dosfslabel        fsck.fat      installkernel      MAKEDEV           modprobe               plymouthd     start-stop-daemon
agetty           dumpe2fs          fsck.minix    ip                 mii-tool          mount.fuse             poweroff      sulogin
apm_available    e2fsck            fsck.msdos    ip6tables          mkdosfs           mount.lowntfs-3g       rarp          swaplabel
apparmor_parser  e2image           fsck.nfs      ip6tables-restore  mke2fs            mount.ntfs             raw           swapoff
badblocks        e2label           fsck.vfat     ip6tables-save     mkfs              mount.ntfs-3g          reboot        swapon
blkdiscard       e2undo            fsfreeze      ipmaddr            mkfs.bfs          nameif                 regdbdump     switch_root
blkid            ebtables          fstab-decode  ipset              mkfs.cramfs       ntfsclone              resize2fs     sysctl
blockdev         ebtables-restore  fstrim        iptables           mkfs.ext2         ntfscp                 resolvconf    tc
brctl            ebtables-save     getcap        iptables-restore   mkfs.ext3         ntfslabel              rmmod         telinit
bridge           ecs_mq_rps_rfs    getpcaps      iptables-save      mkfs.ext4         ntfsresize             route         tipc
capsh            ethtool           getty         iptunnel           mkfs.ext4dev      ntfsundelete           rtacct        tune2fs
cfdisk           fatlabel          halt          isosize            mkfs.fat          on_ac_power            rtmon         udevadm
chcpu            fdisk             hdparm        iw                 mkfs.minix        pam_extrausers_chkpwd  runlevel      unix_chkpwd
crda             findfs            hwclock       kbdrate            mkfs.msdos        pam_extrausers_update  runuser       unix_update
ctrlaltdel       fsck              ifconfig      killall5           mkfs.ntfs         pam_tally              setcap        ureadahead
debugfs          fsck.cramfs       ifdown        ldconfig           mkfs.vfat         pam_tally2             setvtrgb      wipefs
depmod           fsck.ext2         ifquery       ldconfig.real      mkhomedir_helper  parted                 sfdisk        xtables-multi
dhclient         fsck.ext3         ifup          logsave            mkntfs            partprobe              shadowconfig  zramctl
dhclient-script  fsck.ext4         init          losetup            mkswap            pivot_root             shutdown
dosfsck          fsck.ext4dev      insmod        lsmod              modinfo           plipconfig             slattach

It contains iptables and iptables-save.

iptables-save

The middle part of the output:

-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8889 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A DOCKER-ISOLATION -j RETURN
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1433 -m conntrack --ctstate NEW -j ACCEPT

The rule I had configured, shown below, had no effect:

-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT

Changed it as follows:

iptables -A IN_public_allow -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT

Check again:

iptables-save

Part of the output now shows:

-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1433 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT

Client test succeeded!
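The difference between the two rules can be checked offline by replaying a packet through the chains the way the kernel does: INPUT jumps into the zone chains (INPUT_ZONES, IN_public, IN_public_allow are the chains firewalld generates) and then REJECTs, so a rule appended to INPUT with -A sits after that REJECT and is never reached, while a rule in IN_public_allow is reached through the jumps. The following is an added example, not code from the original post; its ruleset is a constructed excerpt mirroring the page's layout, and it evaluates only the match options those rules use.

```python
import shlex
# Constructed iptables-save excerpt (not the page's own dump) mirroring its firewalld-style
# layout: INPUT jumps into the zone chains, then REJECTs; a rule appended with "-A INPUT"
# therefore lands after that REJECT and is never evaluated.
RULES_BEFORE = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""
# The page's fix: put the port into the zone's allow chain instead.
RULES_AFTER = RULES_BEFORE + (
    "-A IN_public_allow -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT\n")

def parse(save_text):
    """Group '-A <chain> ...' lines by chain, preserving rule order."""
    chains = {}
    for line in save_text.splitlines():
        if line.startswith("-A "):
            toks = shlex.split(line)
            chains.setdefault(toks[1], []).append(toks[2:])
    return chains

def matches(rule, pkt):
    """Evaluate the match options the page's rules use: -p, --dport, --ctstate."""
    for tok, val in zip(rule, rule[1:]):
        if (tok == "-p" and val != pkt["proto"]) or \
           (tok == "--dport" and int(val) != pkt["dport"]) or \
           (tok == "--ctstate" and pkt["state"] not in val.split(",")):
            return False
    return True

def verdict(chains, chain, pkt):
    """Walk a chain in order: -j calls a chain and returns; -g (goto) does not return."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule[rule.index("-g") + 1] if "-g" in rule else rule[rule.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(chains, target, pkt)  # user-defined chain
        if sub is not None or "-g" in rule:
            return sub
    return None  # fell off the end: back to the caller (chain policy at top level)

def check(save_text, dport, state="NEW"):
    # Verdict for a constructed inbound TCP packet to dport in the given conntrack state.
    pkt = {"proto": "tcp", "dport": dport, "state": state}
    return verdict(parse(save_text), "INPUT", pkt) or "POLICY"
```

Running check(RULES_BEFORE, 6379) gives REJECT and check(RULES_AFTER, 6379) gives ACCEPT, which is exactly the behaviour seen in the client test; a rule added to these chains with raw iptables does not survive a firewalld reload, so it also needs to be made persistent.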

PS: If anything here is wrong, please let me know. Please credit the source when reposting, thanks.