added the DNS port to iptables but it is not open on CentOS 7

I added the DNS server ports to iptables, and the named service is even listening when I check with netstat, but when I check the port from outside it is closed.

iptables -n -L => output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53

netstat -lnp => output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      652/master          
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1357/nginx: master  
tcp        0      0 123.123.123.123:53       0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      11222/named         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      585/sshd            
tcp6       0      0 ::1:953                 :::*                    LISTEN      11222/named         
tcp6       0      0 ::1:25                  :::*                    LISTEN      652/master          
tcp6       0      0 :::3306                 :::*                    LISTEN      10529/mysqld        
tcp6       0      0 :::80                   :::*                    LISTEN      1357/nginx: master  
tcp6       0      0 :::53                   :::*                    LISTEN      11222/named         
tcp6       0      0 :::22                   :::*                    LISTEN      585/sshd            
udp        0      0 123.123.123.123:53       0.0.0.0:*                           11222/named         
udp        0      0 127.0.0.1:53            0.0.0.0:*                           11222/named         
udp6       0      0 :::53                   :::*                                11222/named         
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     11177    652/master           private/verify
unix  2      [ ACC ]     STREAM     LISTENING     11180    652/master           public/flush
unix  2      [ ACC ]     STREAM     LISTENING     11183    652/master           private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     11186    652/master           private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     27726    10529/mysqld         /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     11189    652/master           private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     11192    652/master           private/relay
unix  2      [ ACC ]     STREAM     LISTENING     11195    652/master           public/showq
unix  2      [ ACC ]     STREAM     LISTENING     11198    652/master           private/error
unix  2      [ ACC ]     STREAM     LISTENING     11201    652/master           private/retry
unix  2      [ ACC ]     STREAM     LISTENING     11204    652/master           private/discard
unix  2      [ ACC ]     STREAM     LISTENING     11272    325/acpid            /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     11207    652/master           private/local
unix  2      [ ACC ]     STREAM     LISTENING     11210    652/master           private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     11213    652/master           private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     11216    652/master           private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     11219    652/master           private/scache
unix  2      [ ACC ]     STREAM     LISTENING     14096    1082/php-fpm: maste  /run/php-fpm/php-fpm.sock
unix  2      [ ACC ]     STREAM     LISTENING     11151    652/master           public/pickup
unix  2      [ ACC ]     STREAM     LISTENING     9051     1/systemd            /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     SEQPACKET  LISTENING     13690    1/systemd            /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     13253    1/systemd            /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     7127     1/systemd            /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     11155    652/master           public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     11158    652/master           public/qmgr
unix  2      [ ACC ]     STREAM     LISTENING     11162    652/master           private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     11165    652/master           private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     11168    652/master           private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     11171    652/master           private/defer
unix  2      [ ACC ]     STREAM     LISTENING     11174    652/master           private/trace

Any idea how to fix this?

by Saeid Raei 06.11.2017 / 17:20

1 answer

To fix it, you need to do the following:

iptables-save > temp.ruleset

vi temp.ruleset

Find the line with -j REJECT; there is only one.

Move it two lines down, below the two udp rules.

Save with :wq.

Reload the edited ruleset with iptables-restore < temp.ruleset

In the future, add rules with iptables -I (rule position number) instead of iptables -A, because you are blocking with that incoming reject rule. Anything below it will be blocked.

by 06.11.2017 / 20:59
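A check for the ordering problem the answer describes, added here as an example and not part of the answer or the asker's files: a POSIX shell script that builds a constructed ruleset in iptables-save format mirroring the question's INPUT chain, lists the rules shadowed by the catch-all REJECT, and rewrites the ruleset with that REJECT moved to the end of its chain (the same move the answer makes by hand in vi). The helper names shadowed_rules, fix_rule_order and count_shadowed are mine; the script only reads and writes text files, so it needs no root.

```shell
#!/bin/sh
# Constructed ruleset in iptables-save format, mirroring the INPUT chain
# from the question (sample data, not the asker's real file).
RULESET=$(mktemp)
cat > "$RULESET" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
EOF

# shadowed_rules FILE: print every rule appended to a chain after that
# chain's catch-all REJECT/DROP (a "-A CHAIN -j TARGET ..." line with no
# match options), i.e. rules that packets can never reach.
shadowed_rules() {
  awk '
    /^-A / {
      if ($2 in dead) { print; next }
      if ($3 == "-j" && $4 ~ /^(REJECT|DROP)$/) dead[$2] = 1
    }
  ' "$1"
}

# fix_rule_order FILE: print the ruleset with each catch-all REJECT/DROP
# deferred until just before COMMIT, so it becomes the last rule of its
# chain. Only the order within a chain matters to iptables-restore.
fix_rule_order() {
  awk '
    /^-A / && $3 == "-j" && $4 ~ /^(REJECT|DROP)$/ { held[++n] = $0; next }
    /^COMMIT/ { for (i = 1; i <= n; i++) print held[i]; n = 0 }
    { print }
  ' "$1"
}

# count_shadowed FILE: number of unreachable rules, for a quick before/after check.
count_shadowed() { shadowed_rules "$1" | wc -l | tr -d ' '; }
```

Run fix_rule_order on the output of iptables-save, review the result, and load it with iptables-restore as the answer describes.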