最新消息:20210917 已从crifan.com换到crifan.org

【已解决】CentOS 7中如何通过iptables添加https的443端口

CentOS crifan 711浏览 0评论
折腾:
【未解决】nginx中配置了https的ssl证书后不起效果
期间,nginx配置了https,但是https页面始终拒绝访问。
感觉是防火墙和端口的问题。
但是去看了一堆netstat却又已经listen 443的端口了。
且去阿里云的安全组中也加了443端口允许外部访问。
但是通过:
linux – Nginx secure port 443 is not opened/ connection refuse – Server Fault
去试试:iptables -L
[root@xxx nginx]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (2 references)
target     prot opt source               destination         
FWDI_public_log  all  --  anywhere             anywhere            
FWDI_public_deny  all  --  anywhere             anywhere            
FWDI_public_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (2 references)
target     prot opt source               destination         
FWDO_public_log  all  --  anywhere             anywhere            
FWDO_public_deny  all  --  anywhere             anywhere            
FWDO_public_allow  all  --  anywhere             anywhere            

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (2 references)
target     prot opt source               destination         
IN_public_log  all  --  anywhere             anywhere            
IN_public_deny  all  --  anywhere             anywhere            
IN_public_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:39000:safetynetp ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination 
里面并没有看到https
难道阿里云安全组更改后,需要去重启服务器?
去重启试试
[root@xxx nginx]# reboot -now
reboot: invalid option -- 'o'
[root@xxx nginx]# reboot --now
reboot: unrecognized option '--now'
[root@xxx nginx]# reboot --help
reboot [OPTIONS...] [ARG]

Reboot the system.

     --help      Show this help
     --halt      Halt the machine
  -p --poweroff  Switch off the machine
     --reboot    Reboot the machine
  -f --force     Force immediate halt/power-off/reboot
  -w --wtmp-only Don't halt/power-off/reboot, just write wtmp record
  -d --no-wtmp   Don't write wtmp record
     --no-wall   Don't send wall message before halt/power-off/reboot
[root@xxx nginx]# reboot --reboot
重启后:
iptables -L
输出结果和上面一样:
还是没有https
感觉是:
此服务器中实际上没有开启https的外部访问,所以要去:
当前CentOS中加上http的443端口,允许外部访问。
使得iptables -L能看到https
如何给CentOS的防火墙增加配置,支持https
使得iptables -L输出结果中允许https的TCP请求
nginx add https for iptables
nginx centos add https for iptables
ssl – Secure TCP traffic to backend server with nginx – Stack Overflow
ubuntu – How to start nginx via different port(other than 80) – Stack Overflow
nginx – Allow connections to only a specific URL via HTTPS with iptables, -m recent (potentially) and -m string (definitely) – Server Fault
linux – iptables to allow only ssh and https – Server Fault
好像是:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
How To Secure Nginx with Let’s Encrypt on CentOS 7 | DigitalOcean
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
How To Create a Self-Signed SSL Certificate for Nginx on CentOS 7 | DigitalOcean
* sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Linux Iptables Setup Firewall For a Web Server – nixCraft
[root@xxx nginx]# service iptables status
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
此处没有iptables这个服务。
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
HowTo: Create a Self-Signed SSL Certificate on Nginx For CentOS / RHEL – nixCraft
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
centos iptables add https
Iptables Essentials: Common Firewall Rules and Commands | DigitalOcean
* sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
* sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
How To Set Up a Basic Iptables Firewall on Centos 6 | DigitalOcean
HowTos/Network/IPTables – CentOS Wiki
# Accept tcp packets on destination port 22 (SSH)
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Open http port ( 80 ) in iptables on CentOS – BinaryTides
好想操作完毕,还要去:
service iptables save
Setting up iptables for SSL (port 443)
How to configure iptables on CentOS – UpCloud
[root@xxx nginx]# iptables --help
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --wait        -w [seconds]    maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
然后试试:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
然后输出结果变了:
[root@xxx nginx]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

...
Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:39000:safetynetp ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

...
但是只是:
Chain INPUT (policy ACCEPT)
部分多了:
ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:https
原以为的:
Chain IN_public_allow (1 references)
没有变化
先不管,去:
[root@xxx nginx]# service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
无法保存。
重启服务器,看看
iptables -L
是否保存了新增的规则
结果并没有:
[root@xxx nginx]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
...
继续参考:
How to configure iptables on CentOS – UpCloud
去用-I insert去插入到:
[root@xxx nginx]# iptables -L --line-numbers
...
Chain IN_public_allow (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate NEW
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 ctstate NEW
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:39000:safetynetp ctstate NEW
... 
中的dpt:http上面
但是虽然知道是:
iptables -I IN_public_allow 5 -p tcp --dport 443 -j ACCEPT
但还是不会保存。
centos 7 iptables 添加https
CentOS7下安装Nginx及配置SSL证书 – 落青的个人空间 – 开源中国
CentOS7安装iptables防火墙 – 太清 – 博客园
先去安装:
[root@xxx nginx]# service iptables status
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
[root@xxx nginx]# yum install -y iptables
Loaded plugins: fastestmirror
base                                                                                                                                                              | 3.6 kB  00:00:00     
epel                                                                                                                                                              | 3.2 kB  00:00:00     
extras                                                                                                                                                            | 3.4 kB  00:00:00     
updates                                                                                                                                                           | 3.4 kB  00:00:00     
(1/7): base/7/x86_64/group_gz                                                                                                                                     | 166 kB  00:00:00     
(2/7): epel/x86_64/group_gz                                                                                                                                       |  88 kB  00:00:00     
(3/7): epel/x86_64/updateinfo                                                                                                                                     | 932 kB  00:00:00     
(4/7): extras/7/x86_64/primary_db                                                                                                                                 | 205 kB  00:00:00     
(5/7): epel/x86_64/primary                                                                                                                                        | 3.6 MB  00:00:00     
(6/7): updates/7/x86_64/primary_db                                                                                                                                | 6.0 MB  00:00:00     
(7/7): base/7/x86_64/primary_db                                                                                                                                   | 5.9 MB  00:00:00     
Determining fastest mirrors
epel                                                                                                                                                                         12719/12719
Resolving Dependencies
--> Running transaction check
---> Package iptables.x86_64 0:1.4.21-18.2.el7_4 will be updated
---> Package iptables.x86_64 0:1.4.21-24.1.el7_5 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================================================================================================
 Package                                    Arch                                     Version                                             Repository                                 Size
=========================================================================================================================================================================================
Updating:
 iptables                                   x86_64                                   1.4.21-24.1.el7_5                                   updates                                   432 k

Transaction Summary
=========================================================================================================================================================================================
Upgrade  1 Package

Total download size: 432 k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
iptables-1.4.21-24.1.el7_5.x86_64.rpm                                                                                                                             | 432 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : iptables-1.4.21-24.1.el7_5.x86_64                                                                                                                                     1/2 
  Cleanup    : iptables-1.4.21-18.2.el7_4.x86_64                                                                                                                                     2/2 
  Verifying  : iptables-1.4.21-24.1.el7_5.x86_64                                                                                                                                     1/2 
  Verifying  : iptables-1.4.21-18.2.el7_4.x86_64                                                                                                                                     2/2 

Updated:
  iptables.x86_64 0:1.4.21-24.1.el7_5                                                                                                                                                    

Complete!
[root@xxx nginx]# yum update iptables 
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
No packages marked for update
[root@xxx nginx]# yum install iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-24.1.el7_5 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================================================================================================
 Package                                          Arch                                  Version                                             Repository                              Size
=========================================================================================================================================================================================
Installing:
 iptables-services                                x86_64                                1.4.21-24.1.el7_5                                   updates                                 51 k

Transaction Summary
=========================================================================================================================================================================================
Install  1 Package

Total download size: 51 k
Installed size: 25 k
Is this ok [y/d/N]: y
Downloading packages:
iptables-services-1.4.21-24.1.el7_5.x86_64.rpm                                                                                                                    |  51 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : iptables-services-1.4.21-24.1.el7_5.x86_64                                                                                                                            1/1 
  Verifying  : iptables-services-1.4.21-24.1.el7_5.x86_64                                                                                                                            1/1 

Installed:
  iptables-services.x86_64 0:1.4.21-24.1.el7_5                                                                                                                                           

Complete!
【已解决】CentOS 7中如何通过firewalld去添加https的443端口
此处故意用firewalld去删除之前添加的https的规则
[root@xxx nginx]# firewall-cmd --zone=public --remove-service=https --permanent
success
[root@xxx nginx]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client https
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
发现忘了reload,再去:
[root@xxx nginx]# firewall-cmd --reload
success
结果以为:iptables中没了443,结果还有:
[root@xxx nginx]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (2 references)
target     prot opt source               destination         
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (2 references)
target     prot opt source               destination         
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (2 references)
target     prot opt source               destination         
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:39000:40000 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination  
Chain IN_public_allow (1 references)
中还是有https的。
再去重启reboot –reboot
结果iptables中还是有443
再去试试:
[root@xxx ~]# firewall-cmd --zone=public --remove-service=https --permanent
Warning: NOT_ENABLED: https
success
[root@xxx ~]# firewall-cmd --zone=public --remove-port=443/tcp --permanent 
success
[root@xxx ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@xxx ~]# firewall-cmd --reload                
success
[root@xxx ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
然后再去看看:
iptables -L -n
结果:
Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:39000:40000 ctstate NEW
中的确没有了https的443了。
访问:
https://www.xxx/
立刻出现拒绝:
然后再去尝试用iptables去添加https的443的tcp:
[root@xxx ~]# iptables -I IN_public_allow 5 -p tcp --dport 443 -j ACCEPT
[root@xxx ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
看来是添加进去了。
去看看效果:
[root@xxx ~]# iptables -L --line-numbers                                
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere            
3    INPUT_direct  all  --  anywhere             anywhere            
4    INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
5    INPUT_ZONES  all  --  anywhere             anywhere            
6    DROP       all  --  anywhere             anywhere             ctstate INVALID
7    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere            
3    FORWARD_direct  all  --  anywhere             anywhere            
4    FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
5    FORWARD_IN_ZONES  all  --  anywhere             anywhere            
6    FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
7    FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
8    DROP       all  --  anywhere             anywhere             ctstate INVALID
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
num  target     prot opt source               destination         
1    FWDI_public  all  --  anywhere             anywhere            [goto] 
2    FWDI_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
num  target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
num  target     prot opt source               destination         
1    FWDO_public  all  --  anywhere             anywhere            [goto] 
2    FWDO_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num  target     prot opt source               destination         

Chain FORWARD_direct (1 references)
num  target     prot opt source               destination         

Chain FWDI_public (2 references)
num  target     prot opt source               destination         
1    FWDI_public_log  all  --  anywhere             anywhere            
2    FWDI_public_deny  all  --  anywhere             anywhere            
3    FWDI_public_allow  all  --  anywhere             anywhere            
4    ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_public_allow (1 references)
num  target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
num  target     prot opt source               destination         

Chain FWDI_public_log (1 references)
num  target     prot opt source               destination         

Chain FWDO_public (2 references)
num  target     prot opt source               destination         
1    FWDO_public_log  all  --  anywhere             anywhere            
2    FWDO_public_deny  all  --  anywhere             anywhere            
3    FWDO_public_allow  all  --  anywhere             anywhere            

Chain FWDO_public_allow (1 references)
num  target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
num  target     prot opt source               destination         

Chain FWDO_public_log (1 references)
num  target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
num  target     prot opt source               destination         
1    IN_public  all  --  anywhere             anywhere            [goto] 
2    IN_public  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
num  target     prot opt source               destination         

Chain INPUT_direct (1 references)
num  target     prot opt source               destination         

Chain IN_public (2 references)
num  target     prot opt source               destination         
1    IN_public_log  all  --  anywhere             anywhere            
2    IN_public_deny  all  --  anywhere             anywhere            
3    IN_public_allow  all  --  anywhere             anywhere            
4    ACCEPT     icmp --  anywhere             anywhere            

Chain IN_public_allow (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate NEW
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 ctstate NEW
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:39000:safetynetp ctstate NEW

Chain IN_public_deny (1 references)
num  target     prot opt source               destination         

Chain IN_public_log (1 references)
num  target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
num  target     prot opt source               destination 
可见:
Chain IN_public_allow (1 references)
部分,新增了:
5    ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:https
虽然和之前的配置,比如:
6    ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:http ctstate NEW
有点点不一样:
少了ctstate NEW,但是是生效的,因为此时打开:
是可以打开的了。
不过用刚才:
【已解决】CentOS 7中如何通过firewalld去添加https的443端口
中的:
[root@xxx ~]# firewall-cmd --query-service https
no
[root@xxx ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
发现还是不支持的。
CentOS 7修改SSH端口并配置iptables防火墙-Linux运维日志
CentOS 7关闭firewall使用iptables 并打开3306端口 – Vi_error.nextval – CSDN博客
CentOS7使用iptables防火墙开放端口 – irokay的专栏 – CSDN博客
看来上面是少了:
-m state –state NEW
的参数了。
CentOS 7修改SSH端口并配置iptables防火墙-Linux运维日志
服务器安全设置Centos7 防火墙firewall与iptables-博客-云栖社区-阿里云
CentOS7.3 安装 iptables 与详细使用 – 搜云库技术团队 – SegmentFault 思否
去删除掉刚才加的https:
[root@xxx ~]# iptables -D IN_public_allow 5
[root@xxx ~]# iptables -L --line-numbers 
...
Chain IN_public_allow (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate NEW
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 ctstate NEW
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:39000:safetynetp ctstate NEW
...
不要忘了:
[root@xxx ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
再去添加:
iptables -I IN_public_allow 5 -m state --state NEW -p tcp --dport 443 -j ACCEPT
结果输出的顺序不一致:
Chain IN_public_allow (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate NEW
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
5    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 ctstate NEW
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:39000:safetynetp ctstate NEW
所以再去删了,重新添加:
iptables -I IN_public_allow 5 -p tcp -m state --state NEW --dport 443 -j ACCEPT
结果现象一样,还是:
state NEW tcp dpt:https
而不是以为的:
tcp dpt:https state NEW
不过不论是:
state NEW tcp dpt:https
tcp dpt:https
都是可以work-》https地址都可以打开的。
不过呢,貌似和firewalld不兼容,查出来都不支持https:
[root@xxx ~]# firewall-cmd --query-service https
no
[root@xxx ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
都没有443。
不过也无所谓了。
【总结】
此处CentOS中用iptables管理端口权限:
如果用:
service iptables save
出错:
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
或:
service iptables status
出错:
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
说明:iptables管理工具没有安装,需要去安装:
yum install -y iptables
yum update iptables 
yum install -y iptables-services
然后再去管理。
由于用CentOS 7中默认用firewalld去管理端口的,所以为了防止iptables和firewalld冲突,所以按道理,应该去根据:
CentOS7安装iptables防火墙 – 太清 – 博客园
说的,先去“禁用/停止自带的firewalld服务”
#停止firewalld服务
systemctl stop firewalld
#禁用firewalld服务
systemctl mask firewalld
不过,此处没有。后续也可以操作,成功添加https的443端口的。
不过,由于后来发现:firewalld比iptables好用太多,所有后续还是建议用firewalld去管理端口。
详见:
【已解决】CentOS 7中如何通过firewalld去添加https的443端口
 
此处单独说:
用iptables添加https的443端口的话,则是:
此处打算是用I= Insert,而不是很多人常说的A=Add,所以先要搞清楚插入的位置。
先用:
iptables -L --line-numbers
去看到:
Chain IN_public_allow (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate NEW
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 ctstate NEW
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:39000:safetynetp ctstate NEW
想要插入在http之前,http的num是5,所以用:
iptables -I IN_public_allow 5 -p tcp --dport 443 -j ACCEPT
表示:
  • I: Insert插入到
  • IN_public_allow:对应的区域zone,chain链
  • 5:num是5,对应着上面的
    • 5    ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:http ctstate NEW
  • -p tcp:protocol协议是tcp
  • –dport 443:端口是433
  • -j ACCEPT:target是ACCEPT接受
    • 即允许这条规则
    • 其中:
      • –jump -j target
        •  target for rule (may load target extension)
然后通过:
iptables -L --line-numbers
可以看到最新添加的https:
Chain IN_public_allow (1 references)
num  target     prot opt source               destination         
...
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
...
然后记得不要忘了:
service iptables save
去保存最新的配置。
此时443的https请求就可以正常传入了 -》 就可以正常去打开https的地址了。
其中:
如果换用:
iptables -I IN_public_allow 5 -m state --state NEW -p tcp --dport 443 -j ACCEPT
输出的则是:
state NEW tcp dpt:https
以及:
即使换用:
iptables -I IN_public_allow 5 -p tcp -m state --state NEW --dport 443 -j ACCEPT
也还是输出:
state NEW tcp dpt:https
而不是以为的(和别的http等保持一致的)
tcp dpt:http ctstate NEW
另外:
想要去删除刚插入的那条https记录,则可以:
iptables -D IN_public_allow 5
其中的5是通过:
iptables -L –line-numbers
最新的https的那条的num
另外注意:
此处iptables的结果和firewalld不兼容,所以:
firewall-cmd --query-service https
输出是:no
以及:
firewall-cmd --zone=public --list-all
看到的是:
[root@xxx ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
也是没有支持https的。

转载请注明:在路上 » 【已解决】CentOS 7中如何通过iptables添加https的443端口

发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
93 queries in 0.171 seconds, using 23.49MB memory