I am struggling to determine whether a specific port is open according to the firewall on Red Hat 6.8.
I want to open port 2222.
I have tried the following:
system-config-firewall, run as sudo, with port 2222 listed as a specific port to be opened:
However, the port does not appear to be open. I am testing this by trying to connect via SSH to port 2222. Currently SSH runs on port 22, and I can connect fine, but when I configure SSH to run on 2222, using Port 2222
in sshd_config in /etc/ssh/, the connection times out. I know that SSHD is configured to listen on that port, as I can check it using netstat.
I have also tried various edits to /etc/sysconfig/iptables, including the following rules:
-I INPUT 9 -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
and
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
After each of these changes, I run sudo service iptables restart
and I cannot connect. Curiously, if I run cat /etc/sysconfig/iptables | grep 2222
I cannot see my new rule in that listing, which I would expect to. I also cannot see it when running sudo iptables -L -n
Is this normal?
I noticed that the host is running SELinux, according to this output:
[andyarmstrong@o0201320382301 ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
I installed semanage and ran:
semanage port -a -t ssh_port_t -p tcp 2222
but still no luck.
The whole /etc/sysconfig/iptables file contains the following:
# GENERATED BY Modular IPTABLES Config
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 5308 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
# Sametime File Transfers use ports 443 and 5656
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5656 -j ACCEPT
# VoiceJam Rules
-A INPUT -p udp -m udp --dport 5004:5005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5004:5005 -j ACCEPT
-A INPUT -p udp -m udp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5062 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5062 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# CDS Peering
# 60050
-A INPUT -p tcp -m tcp --dport 21100 -j ACCEPT
# MyHelp SSL P2P migration
-A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A INPUT -p udp -m udp --dport 2001 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -i ipsec+ -p 254 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 9 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
# Enable forward between KVM server and virtual machines
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
# Rule required by package ibm-config-kvm-printing
# Allow printer sharing between Linux host and KVM guests
-A INPUT -i virbr0 -p tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1533 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 52311 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67:68 -j DROP
-A INPUT -p udp -m udp --dport 67:68 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 161:162 -j DROP
-A INPUT -p tcp -m tcp --dport 520 -j DROP
-A INPUT -p tcp -m tcp --dport 6348:6349 -j DROP
-A INPUT -p tcp -m tcp --dport 6345:6347 -j DROP
-A INPUT -i virbr0 -p tcp -d 192.168.122.1 --dport 445 -j ACCEPT
-A INPUT -i virbr0 -p tcp -d 192.168.122.1 --dport 1445 -j ACCEPT
-A INPUT -i virbr1 -p tcp -d 192.168.123.1 --dport 445 -j ACCEPT
-A INPUT -i virbr1 -p tcp -d 192.168.123.1 --dport 1445 -j ACCEPT
# Accept local Samba connections
-I INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-I INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-I INPUT -i virbr0 -p udp -m udp --dport 137 -j ACCEPT
-I INPUT -i virbr0 -p udp -m udp --dport 138 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 139 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 445 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 137 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 138 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 139 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 48500 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 48500 -j ACCEPT
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -p udp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -j DROP
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i virbr0 -p tcp -d 192.168.122.1 --dport 445 -j REDIRECT --to-port 1445
-A PREROUTING -i virbr1 -p tcp -d 192.168.123.1 --dport 445 -j REDIRECT --to-port 1445
COMMIT
The iptables configuration file (/etc/sysconfig/iptables-config) is:
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_ftp"
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"
# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"
# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"
FILE=`mktemp -q /tmp/iptables-rules.XXXXXXXXXX`
/opt/ibm/c4eb/firewall/create-rule-file.sh > $FILE
cp $FILE /etc/sysconfig/iptables
rm $FILE
---- Progress update -----
When I run my commands:
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
and also
sudo iptables -A OUTPUT -p tcp --dport 2222 -m conntrack --ctstate ESTABLISHED -j ACCEPT
I see the file size increase to 6583. I then do sudo service iptables save. The save is the same. Then I sudo service iptables restart, and the file reverts to its original size (6219) without my updates! Why!
Am I missing something? Can you see anything I have missed?
Thanks for all the support
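Two offline checks for the situation described above, as an added example that is not part of the original post: one walks a saved /etc/sysconfig/iptables ruleset in evaluation order to tell whether a TCP port is actually accepted before the INPUT chain's catch-all DROP, the other looks for commands in iptables-config that overwrite the rules file on restart. The sample files are constructed here (the regeneration lines copy the ones shown in the post) so nothing on a real host is read or changed.

```shell
# Added example (not from the original post): two offline checks for a RHEL 6
# iptables setup. (1) Is PORT/tcp accepted in the *filter INPUT chain of a
# saved ruleset, honouring rule order: "-I INPUT" lines land at the top, and
# anything appended after a catch-all "-A INPUT -j DROP" is never reached.
# (2) Does iptables-config run a command that overwrites the saved ruleset,
# which would discard hand-edited rules on every restart? Simplifications:
# --dport ranges are not expanded and "-I INPUT n" is treated as a plain -I.
port_accepted_in_file() {   # usage: port_accepted_in_file RULES_FILE PORT
    awk -v port="$2" '
        /^\*/             { table = substr($0, 2); next }
        table != "filter" { next }
        /^-I INPUT/       { ins[++ni] = $0; next }
        /^-A INPUT/       { app[++na] = $0; next }
        END {
            for (i = ni; i >= 1; i--) chain[++n] = ins[i]  # last -I runs first
            for (i = 1; i <= na; i++) chain[++n] = app[i]
            for (i = 1; i <= n; i++) {
                r = chain[i]
                if (r ~ /-j DROP$/ && r !~ /--dport/) exit 1   # catch-all hit
                if (r ~ /-i /) continue                        # interface-bound
                if (r ~ /-p tcp/ && r ~ ("--dport " port "( |$)"))
                    exit (r ~ /-j ACCEPT/ ? 0 : 1)
            }
            exit 1                                             # end of chain
        }' "$1"
}

config_overwrites_rules() {  # usage: config_overwrites_rules IPTABLES_CONFIG
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '(cp|mv|>)[[:space:]].*/etc/sysconfig/iptables([[:space:]]|$)'
}

# Constructed sample files so the checks run without touching a real host.
cat > /tmp/demo-iptables <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
COMMIT
EOF
cat > /tmp/demo-iptables-config <<'EOF'
FILE=`mktemp -q /tmp/iptables-rules.XXXXXXXXXX`
/opt/ibm/c4eb/firewall/create-rule-file.sh > $FILE
cp $FILE /etc/sysconfig/iptables
EOF
port_accepted_in_file /tmp/demo-iptables 2222 || echo "2222/tcp is not reachable in this ruleset"
config_overwrites_rules /tmp/demo-iptables-config && echo "iptables-config regenerates the rules file"
```

In the sample ruleset the 2222 rule sits after the catch-all DROP, so the first check reports it as unreachable even though grep would find it; the second check fires on the cp line, which is the pattern that makes a hand-edited or saved file revert on restart.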