While running an nmap experiment today, I noticed that as soon as iptables is turned on, every probe comes back as filtered:
[root@CentOS.1 23:00 ~]
#nmap -sA -p 53,80,3306 192.168.10.129
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-04 23:01 PDT
Interesting ports on CentOS.2 (192.168.10.129):
PORT STATE SERVICE
53/tcp filtered domain
80/tcp filtered http
3306/tcp filtered mysql
MAC Address: 00:0C:29:42:99:CF (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 0.094 seconds
Looking at iptables, the default rule set contains this entry:
[root@CentOS.2 23:06 ~]
#iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
It is this line, "REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited", that answers the nmap probes with an ICMP host-prohibited message, which nmap reports as filtered.
We need to change the settings in /etc/sysconfig/iptables. The defaults are as follows:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
We only need to comment out the line "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited" with a "#"; the probes are then no longer rejected.
The test looks like this:
[root@CentOS.1 23:00 ~]
#nmap -sA -p 53,80,3306 192.168.10.129
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-04 23:00 PDT
Interesting ports on CentOS.2 (192.168.10.129):
PORT STATE SERVICE
53/tcp UNfiltered domain
80/tcp UNfiltered http
3306/tcp UNfiltered mysql
MAC Address: 00:0C:29:42:99:CF (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 0.084 seconds
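As an added example (not part of the original post), here is a small Python check that reads an /etc/sysconfig/iptables text like the one above and reports what happens to a packet that matches no explicit rule. It shows why commenting out the final REJECT flips nmap from filtered to unfiltered: with the INPUT policy at ACCEPT, the chain loses its default deny, so every port not listed in an ACCEPT rule becomes reachable. The embedded configs are constructed, trimmed copies of the post's rule set.

```python
import re

# Constructed sample: the post's RH-Firewall-1-INPUT rule set (trimmed), once with
# the terminal REJECT intact and once with it commented out as the post suggests.
ORIGINAL = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
MODIFIED = ORIGINAL.replace("-A RH-Firewall-1-INPUT -j REJECT",
                            "#-A RH-Firewall-1-INPUT -j REJECT")

def parse_filter_table(text):
    """Return (policies, rules): chain policies and per-chain rule lists."""
    policies, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # commented-out rules are never loaded
            continue
        m = re.match(r"^:(\S+)\s+(\S+)", line)      # ":CHAIN POLICY [pkts:bytes]"
        if m:
            policies[m.group(1)] = m.group(2)        # "-" marks a user-defined chain
            rules.setdefault(m.group(1), [])
            continue
        m = re.match(r"^-A\s+(\S+)\s+(.*)$", line)  # "-A CHAIN <matches> -j TARGET"
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return policies, rules

def effective_default(chain, policies, rules):
    """Verdict for a packet no earlier rule matched: the first rule with no match
    criteria decides (or an unconditional jump into a user chain that decides);
    otherwise the packet falls through to the chain policy (RETURN for user chains)."""
    for rule in rules.get(chain, []):
        m = re.match(r"^-j\s+(\S+)", rule)           # rule text starts at -j: unconditional
        if not m:
            continue
        target = m.group(1)
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in rules:
            sub = effective_default(target, policies, rules)
            if sub != "RETURN":
                return sub
    policy = policies.get(chain, "-")
    return "RETURN" if policy == "-" else policy

def ack_scan_state(config_text, chain="INPUT"):
    """(verdict, nmap -sA state) for a port with no explicit rule, e.g. 53/80/3306.
    ACCEPT lets the bare ACK reach the TCP stack, which answers RST -> unfiltered;
    REJECT/DROP answer with ICMP or silence -> filtered."""
    verdict = effective_default(chain, *parse_filter_table(config_text))
    return verdict, "unfiltered" if verdict == "ACCEPT" else "filtered"
```

Run against the two configs, the original rule set yields ("REJECT", "filtered") and the commented-out version yields ("ACCEPT", "unfiltered"), which is exactly the change the two nmap runs above show.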
---------------------------------------------------- End ----------------------------------------------------