请小心CentOS里的默认iptables规则
今天在做nmap实验的时候,发现iptables一开起来,所有的探测都成了filtered:
[[email protected] 23:00 ~] #nmap -sA -p 53,80,3306 192.168.10.129 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-04 23:01 PDT Interesting ports on CentOS.2 (192.168.10.129): PORT STATE SERVICE 53/tcp filtered domain 80/tcp filtered http 3306/tcp filtered mysql MAC Address: 00:0C:29:42:99:CF (VMware) Nmap finished: 1 IP address (1 host up) scanned in 0.094 seconds
查看iptables后发现默认的规则里有这么一条:
[[email protected] 23:06 ~] #iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
就是“REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ‘这句,屏蔽了nmap探测的icmp回应。
我们需要修改/etc/sysconfig/iptables的参数,默认的如下:
# Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
我们只需要把”-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited“这条用”#“号注释掉。就可以打开icmp的相关功能了。
测试如下:
[[email protected] 23:00 ~] #nmap -sA -p 53,80,3306 192.168.10.129 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-04 23:00 PDT Interesting ports on CentOS.2 (192.168.10.129): PORT STATE SERVICE 53/tcp UNfiltered domain 80/tcp UNfiltered http 3306/tcp UNfiltered mysql MAC Address: 00:0C:29:42:99:CF (VMware) Nmap finished: 1 IP address (1 host up) scanned in 0.084 seconds
----------------------------------------------------全文完-----------------------------------------------
相关推荐
安得情怀似旧时 2020-06-11
yshlovelx 2020-05-27
fenxinzi 2020-03-03
sapliang 2020-02-14
Wytheme 2020-01-11
84467015 2013-03-30
kevinli 2019-12-23
咏月东南 2019-12-08
hackerlpy 2015-01-28
89421950 2015-08-03
JiangMengYa 2020-07-30
xiaohouye 2020-06-28
Aveiox 2020-06-25
wys 2020-06-18
clamzxf 2020-06-16
linuxalienyan 2020-06-11
Proudoffaith 2020-05-30