iptables 无法连外网
[root@v01-svn-test-server ~]# service iptables status Table: filter Chain INPUT (policy DROP) num target prot opt source destination 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 3 ACCEPT all -- 127.0.0.1 127.0.0.1 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 Chain FORWARD (policy DROP) num target prot opt source destination Chain OUTPUT (policy DROP) num target prot opt source destination 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3306 2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED 3 ACCEPT all -- 127.0.0.1 0.0.0.0/0 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
[root@v01-svn-test-server ~]# cat /etc/sysconfig/iptables # Generated by iptables-save v1.4.7 on Wed Jun 1 22:15:41 2016 *filter :INPUT DROP [24:3081] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -A OUTPUT -s 127.0.0.1/32 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT COMMIT # Completed on Wed Jun 1 22:15:41 2016
[root@v01-svn-test-server sysconfig]# ping 192.168.1.17 PING 192.168.1.17 (192.168.1.17) 56(84) bytes of data. ping: sendmsg: Operation not permitted
[root@v01-svn-test-server sysconfig]# cat iptables # Generated by iptables-save v1.4.7 on Wed Jun 1 22:15:41 2016 *filter :INPUT DROP [24:3081] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT -A INPUT -p icmp -j ACCEPT -A OUTPUT -p icmp -j ACCEPT #增加这两行可以ping -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -A OUTPUT -s 127.0.0.1/32 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT COMMIT # Completed on Wed Jun 1 22:15:41 2016
[root@v01-svn-test-server sysconfig]# ping -c 2 192.168.1.17 PING 192.168.1.17 (192.168.1.17) 56(84) bytes of data. 64 bytes from 192.168.1.17: icmp_seq=1 ttl=64 time=0.862 ms 64 bytes from 192.168.1.17: icmp_seq=2 ttl=64 time=0.585 ms --- 192.168.1.17 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 0.585/0.723/0.862/0.141 ms
[root@v01-svn-test-server sysconfig]# ping www.baidu.com ping: unknown host www.baidu.com
[root@v01-svn-test-server sysconfig]# ping -c 2 211.155.89.150 PING 211.155.89.150 (211.155.89.150) 56(84) bytes of data. 64 bytes from 211.155.89.150: icmp_seq=1 ttl=52 time=2.78 ms 64 bytes from 211.155.89.150: icmp_seq=2 ttl=52 time=2.58 ms --- 211.155.89.150 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1004ms rtt min/avg/max/mdev = 2.581/2.683/2.786/0.114 ms
[root@v01-svn-test-server sysconfig]# ping -c 2 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=41 time=60.1 ms --- 8.8.8.8 ping statistics --- 2 packets transmitted, 1 received, 50% packet loss, time 2001ms rtt min/avg/max/mdev = 60.178/60.178/60.178/0.000 ms [root@v01-svn-test-server sysconfig]# ping -c 2 8.8.4.4 PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data. 64 bytes from 8.8.4.4: icmp_seq=1 ttl=48 time=51.4 ms 64 bytes from 8.8.4.4: icmp_seq=2 ttl=48 time=55.5 ms --- 8.8.4.4 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1057ms rtt min/avg/max/mdev = 51.484/53.517/55.551/2.046 ms #8.8.8.8 和 8.8.4.4 是Google提供的免费DNS服务器的IP地址
[root@v01-svn-test-server sysconfig]# ifconfig eth0 eth0 Link encap:Ethernet HWaddr 52:54:00:38:04:CA inet addr:192.168.1.35 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::5054:ff:fe38:4ca/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:14664740 errors:0 dropped:12405 overruns:0 frame:0 TX packets:24212 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1575721510 (1.4 GiB) TX bytes:3561803 (3.3 MiB) Interrupt:11 Base address:0x2000 [root@v01-svn-test-server sysconfig]# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0 link-local * 255.255.0.0 U 1002 0 0 eth0 default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
DNS 端口 53 的设置(上面 ping www.baidu.com 报 unknown host,是因为 OUTPUT 链默认 DROP,发往 DNS 服务器 UDP 53 的查询被丢弃,只有 IP 能 ping 通而域名解析不了)。注意下面 INPUT 链用的是无状态的 --sport 53 放行:任何源端口为 53 的 UDP 包都会被接受,更严格的写法是加 -m state --state ESTABLISHED,只放行对本机查询的应答:
[root@v01-svn-test-server sysconfig]# grep domain /etc/services domain 53/tcp # name-domain server domain 53/udp domaintime 9909/tcp # domaintime domaintime 9909/udp # domaintime
[root@v01-svn-test-server sysconfig]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Jun 1 22:15:41 2016
*filter
:INPUT DROP [24:3081]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT #增加这两行可以ping
-A INPUT -p udp --sport 53 -j ACCEPT #DNS端口53设置
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun 1 22:15:41 2016
注意:上面 -A 规则行末尾的两处注释(#增加这两行可以ping、#DNS端口53设置)只是说明,实际写入 /etc/sysconfig/iptables 时要去掉,否则重新加载规则时会报错。
[root@v01-svn-test-server sysconfig]# ping -c 2 www.baidu.com PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data. 64 bytes from 61.135.169.121: icmp_seq=1 ttl=54 time=2.19 ms 64 bytes from 61.135.169.121: icmp_seq=2 ttl=54 time=1.88 ms --- www.a.shifen.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1003ms rtt min/avg/max/mdev = 1.880/2.035/2.190/0.155 ms
[root@v01-svn-test-server sysconfig]# service iptables status Table: filter Chain INPUT (policy DROP) num target prot opt source destination 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 5 ACCEPT all -- 127.0.0.1 127.0.0.1 6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 Chain FORWARD (policy DROP) num target prot opt source destination Chain OUTPUT (policy DROP) num target prot opt source destination 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3306 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED 5 ACCEPT all -- 127.0.0.1 0.0.0.0/0 6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
联系方式QQ:326528263 EMAIL:clnking@163.com 网名:bass 分享技术 突破难点 创新思维