求助 iptables 开放端口无效

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

已注册用户请登录

请不要在回答技术问题时复制粘贴 AI 生成的内容

这是一个创建于 1011 天前的主题，其中的信息可能已经有所发展或是发生改变。

系统是 centos7 ，firewall 关闭了的

[root@localhost init.d]# systemctl status firewalld.service ● firewalld.service Loaded: masked (/dev/null; bad) Active: inactive (dead) since 四 2022-10-27 15:08:38 CST; 2 months 7 days ago Main PID: 7533 (code=exited, status=0/SUCCESS) Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

有一个 iptables 可以使用，但并不是 service

[root@localhost init.d]# service iptables save The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl. [root@localhost init.d]# iptables -nvL Chain INPUT (policy ACCEPT 382K packets, 216M bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3307 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1881 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 206K packets, 190M bytes) pkts bytes target prot opt in out source destination Chain DOCKER (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9000 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.3 tcp dpt:6379 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.4 tcp dpt:9000 Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-ISOLATION-STAGE-2 (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

诡异的是扫描端口，发现 1881 和 3307 没有通，1880 通了的如果 yum 重新安装 iptables.service ，配置开通 3307 和 1881 后再扫描端口，发现 1880 和 1881 、3307 的 tcp 全部是关闭状态求大佬解惑

docker0

TCP

bytes

11 条回复 2023-01-05 10:50:56 +08:00

xuanbg

2023-01-03 17:09:35 +08:00

firewalld.service 关掉了吗？

kestrelBright

2023-01-03 17:11:46 +08:00

@xuanbg 关了的

AS4694lAS4808

2023-01-03 18:20:14 +08:00

确定端口没绑定到回环上吧？

gesse

2023-01-03 18:27:18 +08:00

贴出
iptables-save
看看

old9

2023-01-03 18:53:44 +08:00 via Android

还有贴下 ss -ant

chunrix

2023-01-03 19:01:12 +08:00

用诸如以下的命令，将你想要的规则插入到最前面
iptables -I INPUT 1 -p tcp --sport 80 -j ACCEPT
如果依旧不生效，就是没保存吧
iptables-save > /etc/sysconfig/iptables

YaakovZiv

2023-01-03 19:22:09 +08:00

云主机吗，有宝塔软件吗。

itechify

PRO

2023-01-03 19:28:46 +08:00 via Android

是不是云主机，安全策略组开了吗

kestrelBright

2023-01-05 09:39:54 +08:00

@AS4694lAS4808 请教回环是什么意思？ loopback 么？

@gesse
```
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Jan 5 09:33:51 2023
*nat
:PREROUTING ACCEPT [312443:27129720]
:INPUT ACCEPT [312443:27129720]
:OUTPUT ACCEPT [383787:24152445]
:POSTROUTING ACCEPT [383789:24152565]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.17.0.4:9000
COMMIT
# Completed on Thu Jan 5 09:33:51 2023
# Generated by iptables-save v1.4.21 on Thu Jan 5 09:33:51 2023
*filter
:INPUT ACCEPT [14664149:7555216414]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8199559:6986569057]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 3307 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1881 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
```

@old9
```
[root@localhost ~]# ss -nat
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:18090 *:*
LISTEN 0 128 *:3307 *:*
LISTEN 0 128 *:3308 *:*
LISTEN 0 128 *:3309 *:*
LISTEN 0 128 *:21453 *:*
LISTEN 0 128 *:21454 *:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:6000 *:*
LISTEN 0 5 192.168.122.1:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:24631 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 *:24632 *:*
LISTEN 0 128 *:1880 *:*
LISTEN 0 128 *:1881 *:*
LISTEN 0 128 *:801 *:*
LISTEN 0 128 *:10050 *:*
TIME-WAIT 0 0 1.1.5.19:35706 4.1.8.8:1880
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58260
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50305
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58640
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58526
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58508
TIME-WAIT 0 0 1.1.5.19:36360 4.1.8.8:1880
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50308
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58368
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50309
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58288
ESTAB 0 0 1.1.5.19:22 10.10.4.139:53924
TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50335
TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50340
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58272
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58656
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58320
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58452
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58304
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50307
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58462
TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50341
ESTAB 0 0 1.1.5.19:33678 4.1.8.8:1723
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58432
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58482
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58384
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58606
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58470
TIME-WAIT 0 0 1.1.5.19:36356 4.1.8.8:1880
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50306
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58410
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58676
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58536
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58440
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58338
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58422
TIME-WAIT 0 0 1.1.5.19:36358 4.1.8.8:1880
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58354
LISTEN 0 128 :::9000 :::*
LISTEN 0 128 :::9001 :::*
LISTEN 0 128 :::6379 :::*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::6000 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:631 :::*
```
@chunrix 保存了的
-rw-r--r-- 1 root root 2171 1 月 3 16:57 iptables

@YaakovZiv 非云主机，idc 机房的，没有宝塔

@oneisall8955 非云主机

gesse

2023-01-05 10:04:18 +08:00

*filter
:INPUT ACCEPT [14664149:7555216414]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8199559:6986569057]

你这个默认规则就是 accept ，没有特意 DROP/REJECT 端口都不会阻拦的，而且和 docker 端口也不冲突。找找其他原因。

kestrelBright

2023-01-05 10:50:56 +08:00

@gesse 好的谢谢大佬