After setting up the Guarddog firewall the ssh protocol no longer works, please advise
As the title says: last week I set up my firewall following the post 《请检查下Guarddog安全规则有没有真正起作用》 ("Please check whether the Guarddog security rules are really taking effect"), and after the setup I found I could no longer use the ssh protocol.
That is, before the change I could log in with # ssh usr@202.38.223.***
and sftp worked too, but after the change I can no longer log in.
I tried from Windows with SecureCRT, and the host is fine,
but from Linux I cannot get in.
lftp currently works, so I wonder whether this is an ip rule problem?
Please advise:
how should I change it
so that the firewall keeps working and I can still use ssh?
Right now ssh shows:
ssh: connect to host 202.38.223.*** port 22: Connection timed out
Attached:
# iptables -L
Chain INPUT (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere
ACCEPT      udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT      udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
ACCEPT      all  --  211.66.15.***        211.66.15.255
logaborted  tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             icmp parameter-problem
nicfilt     all  --  anywhere             anywhere
srcfilt     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             icmp parameter-problem
srcfilt     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere
ACCEPT      udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
ACCEPT      udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             icmp parameter-problem
s1          all  --  anywhere             anywhere

Chain f0to1 (3 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:1723 state NEW
ACCEPT      gre  --  anywhere             anywhere
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:sunrpc state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:1024:cvsup state NEW
ACCEPT      udp  --  anywhere             anywhere             udp
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:nfs state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:nfs
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:socks state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:socks
ACCEPT      udp  --  anywhere             anywhere             udp dpt:syslog
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:1241 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:finger state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:finger
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:sunrpc state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:1024:cvsup state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpts:1024:cvsup
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:x11:6063 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:sunrpc state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:linuxconf state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:xdmcp
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:1411:1415 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpts:1411:1415
ACCEPT      udp  --  anywhere             anywhere             udp dpts:6970:7170
ACCEPT      icmp --  anywhere             anywhere             icmp redirect
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:65535 dpt:icpv2
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:4662 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:65535 dpt:4666
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:65535 dpt:41170
ACCEPT      icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 state NEW
logdrop     all  --  anywhere             anywhere

Chain f1to0 (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:1723 state NEW
ACCEPT      gre  --  anywhere             anywhere
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:sunrpc state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:1024:65535 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:nfs state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:nfs
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpts:411:415 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpts:1411:1415 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:cvsup dpts:411:415
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:cvsup dpts:1411:1415
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1411:1415 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp spts:1411:1415
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:auth state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:auth
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:socks state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:socks
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:rtsp state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:7070 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:syslog
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:1241 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:65535 dpt:icpv2
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:4661 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:4662 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:cvsup dpt:4665
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:cvsup dpt:4666
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:65535 dpt:41170
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:ftp state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:pop3s state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:finger state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:finger
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:5222 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:sunrpc state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:1024:65535 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpts:1024:65535
ACCEPT      icmp --  anywhere             anywhere             icmp source-quench
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpts:x11:6063 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:pop3 state NEW
ACCEPT      ipv6-crypt--  anywhere        anywhere
ACCEPT      icmp --  anywhere             anywhere             icmp echo-request
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:squid state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:http state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:webcache state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:http-alt state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:8000 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:8888 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:sunrpc state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT      udp  --  anywhere             anywhere             udp dpt:4000
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:smtp state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:1214 state NEW
ACCEPT      udp  --  anywhere             anywhere             udp spts:1024:cvsup dpt:1214
ACCEPT      udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:8118 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:cvsup dpt:linuxconf state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:xdmcp
ACCEPT      ipv6-auth--  anywhere         anywhere
logdrop     all  --  anywhere             anywhere

Chain logaborted (1 references)
target      prot opt source               destination
logaborted2 all  --  anywhere             anywhere             limit: avg 1/sec burst 10
LOG         all  --  anywhere             anywhere             limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
target      prot opt source               destination
LOG         all  --  anywhere             anywhere             LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain logdrop (4 references)
target      prot opt source               destination
logdrop2    all  --  anywhere             anywhere             limit: avg 1/sec burst 10
LOG         all  --  anywhere             anywhere             limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP        all  --  anywhere             anywhere

Chain logdrop2 (1 references)
target      prot opt source               destination
LOG         all  --  anywhere             anywhere             LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP        all  --  anywhere             anywhere

Chain logreject (0 references)
target      prot opt source               destination
logreject2  all  --  anywhere             anywhere             limit: avg 1/sec burst 10
LOG         all  --  anywhere             anywhere             limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT      tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT      udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP        all  --  anywhere             anywhere

Chain logreject2 (1 references)
target      prot opt source               destination
LOG         all  --  anywhere             anywhere             LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT      tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT      udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP        all  --  anywhere             anywhere

Chain nicfilt (1 references)
target      prot opt source               destination
RETURN      all  --  anywhere             anywhere
RETURN      all  --  anywhere             anywhere
RETURN      all  --  anywhere             anywhere
logdrop     all  --  anywhere             anywhere

Chain s0 (1 references)
target      prot opt source               destination
f0to1       all  --  anywhere             211.66.15.158
f0to1       all  --  anywhere             211.66.15.255
f0to1       all  --  anywhere             MagicLinux2.0
logdrop     all  --  anywhere             anywhere

Chain s1 (1 references)
target      prot opt source               destination
f1to0       all  --  anywhere             anywhere

Chain srcfilt (2 references)
target      prot opt source               destination
s0          all  --  anywhere             anywhere

Thanks a lot for any help.
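Editor's added example, not code from the original post or from Guarddog. The listing above explains the timeout: the ssh connection is outbound from the Guarddog box (from Windows the lab host answers, so the remote side is fine), OUTPUT has policy DROP and hands every new connection to s1 and then f1to0, and f1to0 accepts ftp, http, smtp, pop3 and destination ports 1024 to 65535 but has no rule for dpt:ssh (port 22), so the SYN falls through to logdrop and the client waits until it times out. The script below automates that check: given the text of `iptables -L -n` (use -n so ports are numeric; no -v, which adds columns), it reports whether any `ACCEPT tcp` rule admits a new connection to a given destination port and prints the one-line iptables rule that would open it. The embedded listing is a constructed excerpt modelled on the posted f1to0 chain with the ports written numerically, and the function names `tcp_port_accepted`, `allow_rule` and `report` are the editor's.

```shell
#!/bin/sh
# Added example (editor's code, not from the post or from Guarddog).
# Checks a saved `iptables -L -n` listing for an ACCEPT rule that admits new
# TCP connections to a destination port, and prints the rule that would.

# Constructed excerpt in the shape of the poster's OUTPUT -> s1 -> f1to0 path,
# with service names replaced by numbers as `-n` prints them.
SAMPLE_LISTING='Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
s1         all  --  0.0.0.0/0            0.0.0.0/0

Chain f1to0 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:5999 dpt:21 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:5999 dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 state NEW
logdrop    all  --  0.0.0.0/0            0.0.0.0/0'

# tcp_port_accepted LISTING PORT
# Exit 0 if some "ACCEPT tcp" rule in LISTING admits destination port PORT:
# an exact dpt:PORT, a numeric dpts:LOW:HIGH range containing it, or a rule
# with no destination-port match at all (which admits every port).
# Columns 1-5 of `iptables -L -n` are target/prot/opt/source/destination,
# so the match fields start at column 6.
tcp_port_accepted() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 != "ACCEPT" || $2 != "tcp" { next }
        {
            restricted = 0
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:[0-9]+$/) {
                    restricted = 1
                    split($i, a, ":")
                    if (a[2] + 0 == port + 0) found = 1
                } else if ($i ~ /^dpts:[0-9]+:[0-9]+$/) {
                    restricted = 1
                    split($i, a, ":")
                    if (a[2] + 0 <= port + 0 && port + 0 <= a[3] + 0) found = 1
                }
            }
            if (!restricted) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# allow_rule CHAIN PORT
# The iptables command that admits new TCP connections to PORT at the top of
# CHAIN (OUTPUT for the poster's outbound ssh). Guarddog rewrites the whole
# ruleset when it applies its configuration, so this is only a stopgap.
allow_rule() {
    printf 'iptables -I %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$1" "$2"
}

# report LISTING CHAIN PORT
# One line on whether PORT is admitted, plus the rule to open it if not.
# Always returns 0 so it is safe to call at top level.
report() {
    if tcp_port_accepted "$1" "$3"; then
        printf 'tcp/%s: accepted by an existing rule\n' "$3"
    else
        printf 'tcp/%s: no ACCEPT rule matches; a new connection falls through to logdrop\n' "$3"
        printf '  to open it: %s\n' "$(allow_rule "$2" "$3")"
    fi
}

report "$SAMPLE_LISTING" OUTPUT 22     # ssh: not admitted
report "$SAMPLE_LISTING" OUTPUT 21     # ftp: admitted, which is why lftp works
report "$SAMPLE_LISTING" OUTPUT 4662   # high port: admitted by the 1024:65535 range
```

The `iptables -I OUTPUT` line is a stopgap: Guarddog regenerates the full ruleset when it applies its configuration, so the durable fix is the one the thread ends with, enabling ssh in Guarddog's protocol settings so that the generated f1to0 chain contains the dpt:ssh rule. To confirm the diagnosis on the live box, the logdrop2 chain logs with prefix `DROPPED `, so the dropped SYN should show up in the kernel log with DPT=22. Running the same check against the posted f0to1 chain (Internet to local) reports every destination port from 1024 upward as accepted, through the rule `tcp spts:1024:65535 dpts:1024:65535 state NEW`; that inbound allowance is worth reviewing while the Guarddog settings are open.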
Bumping my own post.

Sorry, if you don't understand iptables and network protocols, you had better stop the iptables service for now; besides, there really aren't many people here who know iptables. If you are interested, you can find relevant material in the free software section and study it. Heh.
But without a firewall I don't feel safe.
I'm learning C++ and Python at the moment
and have no time to read up on iptables,
but for bioinformatics work I have to log in to our lab's host,
which is why I'm asking.

Then what about a more intuitive firewall,
such as firestarter or kmyfirewall? Would that work?
Would it conflict with the existing guarddog?
Thanks.

Solved :)
I was looking for a horse while sitting on one:
Guarddog actually has a setting for this,
you just tick a box,
but I had never noticed the checkbox next to the option.