无法在我的ubuntu服务器上打开80 & 8000端口的iptables

Question

我无法在我的服务器上打开8080端口，尽管iptables设置似乎是正确的

以下是iptables保存的结果

iptables保存

# Generated by iptables-save v1.4.21 on Thu May  7 21:31:19 2015
*filter
:INPUT DROP [5:224]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 5.9.82.45/32 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3010 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4567 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3005 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3010 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4567 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8983 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
COMMIT
# Completed on Thu May  7 21:31:19 2015
debug2: channel 0: window 998247 sent adjust 50329

以及端口80 & 8080的一些故障日志

May  7 21:37:08 Ubuntu-1404-trusty-64-minimal kernel: [ 1374.734953] iptables denied: IN=eth0 OUT= MAC=44:8a:5b:29:e8:c9:3c:61:04:71:0f:98:08:00 SRC=66.249.64.133 DST=myserverIp LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=27902 PROTO=TCP SPT=57512 DPT=80 WINDOW=42900 RES=0x00 SYN URGP=0
May  7 21:23:56 Ubuntu-1404-trusty-64-minimal kernel: [  583.502680] iptables denied: IN=eth0 OUT= MAC=44:8a:5b:29:e8:c9:3c:61:04:71:0f:98:08:00 SRC=82.224.93.129 DST=myserverIp LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=31263 DF PROTO=TCP SPT=53035 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0

奇怪的是，这是iptables的结果--列表没有提到80或8080端口正常吗？

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  static.45.82.9.5.clients.your-server.de  anywhere             tcp dpt:mysql
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2222
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3005
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3010
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4001
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4567
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ftp-data:ftp
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2222
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3005
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3010
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4001
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4567
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8983
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s

Answer 1

谢谢你的回答，但我不是一个可修复的问题，而是一个apache问题。

我在8080端口上安装了清漆，port.conf配置直接阻塞了8080上的任何连接。

我已经写好了

NameVirtualHost *:8080:127.0
Listen 8080

在那之前

NameVirtualHost 127.0.0.1:8080
Listen 127.0.0.1:8080

Answer 2

加上：

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

规则位于输入链的末尾，而不是靠近顶部。它将允许所有允许的端口通过，然后limit+log任何不必要的流量。