请小心CentOS里的默认iptables规则

今天在做nmap实验的时候，发现iptables一开起来，所有的探测都成了filtered：

[root@CentOS.1 23:00 ~]
#nmap -sA -p 53,80,3306 192.168.10.129

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-04 23:01 PDT
Interesting ports on CentOS.2 (192.168.10.129):
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   filtered http
3306/tcp filtered mysql
MAC Address: 00:0C:29:42:99:CF (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 0.094 seconds

查看iptables后发现默认的规则里有这么一条：

[root@CentOS.2 23:06 ~]
#iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

就是“REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ‘这句，屏蔽了nmap探测的icmp回应。

我们需要修改/etc/sysconfig/iptables的参数，默认的如下：

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

我们只需要把”-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited“这条用”#“号注释掉。就可以打开icmp的相关功能了。

测试如下：

[root@CentOS.1 23:00 ~]
#nmap -sA -p 53,80,3306 192.168.10.129

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-04 23:00 PDT
Interesting ports on CentOS.2 (192.168.10.129):
PORT     STATE      SERVICE
53/tcp   UNfiltered domain
80/tcp   UNfiltered http
3306/tcp UNfiltered mysql
MAC Address: 00:0C:29:42:99:CF (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 0.084 seconds

----------------------------------------------------全文完-----------------------------------------------

请小心CentOS里的默认iptables规则

相关推荐