Firewall help needed - allowing FTP connections from outside

I hope you can help. Our DevOps staff member is away from the agency office and a partner needs FTP access. FTP is locked down to inside the office, but we need to open it up for a few weeks so that people outside the office can connect while the partner's development work is being completed.

Unfortunately my knowledge of the server side is limited and I am still learning.

We are running CentOS 7 and iptables. The current rules are as follows:

 sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
60692   98M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  138  8258 ACCEPT     all  --  lo     any     anywhere             anywhere
 1943 90860 INPUT_direct  all  --  any    any     anywhere             anywhere
 1943 90860 INPUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
 1943 90860 INPUT_ZONES  all  --  any    any     anywhere             anywhere
  465 18696 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 FORWARD_direct  all  --  any    any     anywhere             anywhere
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
    0     0 FORWARD_IN_ZONES  all  --  any    any     anywhere             anywhere
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
    0     0 FORWARD_OUT_ZONES  all  --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 60733 packets, 193M bytes)
 pkts bytes target     prot opt in     out     source               destination
60757  193M OUTPUT_direct  all  --  any    any     anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  eth0   any     anywhere             anywhere             [goto]
    0     0 FWDI_public  all  --  +      any     anywhere             anywhere             [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  any    eth0    anywhere             anywhere             [goto]
    0     0 FWDO_public  all  --  any    +       anywhere             anywhere             [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  any    any     anywhere             anywhere
    0     0 FWDI_public_deny  all  --  any    any     anywhere             anywhere
    0     0 FWDI_public_allow  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  any    any     anywhere             anywhere
    0     0 FWDO_public_deny  all  --  any    any     anywhere             anywhere
    0     0 FWDO_public_allow  all  --  any    any     anywhere             anywhere

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1943 90860 IN_public  all  --  eth0   any     anywhere             anywhere             [goto]
    0     0 IN_public  all  --  +      any     anywhere             anywhere             [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1943 90860 IN_public_log  all  --  any    any     anywhere             anywhere
 1943 90860 IN_public_deny  all  --  any    any     anywhere             anywhere
 1943 90860 IN_public_allow  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW
  498 22176 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http ctstate NEW
  979 49936 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:webcache ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:ndmps:50000 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp-data ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1224 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp

Answer 1

Your CentOS system is using firewalld, so you need to use it to update the firewall configuration. You can use the firewall-cmd command to modify the rules. For example, to allow the FTP service in the public zone, use:

# firewall-cmd --add-service=ftp --zone=public

In the output of your command you can see that the rules were defined by firewalld using iptables. That is why you see all the tables with "_public" in the name.
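As an added example (not part of the question or the answer above), here is a small Python script that parses `iptables -L -v` output like the listing in the question and reports, for the `IN_public_allow` chain, which destination ports are accepted, which ports are allowed by more than one rule, and which rules have never matched a packet. The sample listing is a constructed excerpt modelled on the question's output, and the function names are my own:

```python
"""Audit the ACCEPT rules of an `iptables -L -v` listing (added example).

Reads the text that `iptables -L -v` prints, groups ACCEPT rules by
protocol and destination port, and flags duplicate rules and rules whose
packet counter is still zero.  It never touches the live firewall.
"""
import re
from collections import defaultdict

# Constructed sample: an excerpt shaped like the IN_public_allow chain in
# the question (values copied from that listing, not captured live).
SAMPLE = """\
Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW
  498 22176 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http ctstate NEW
  979 49936 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:webcache ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:ndmps:50000 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp-data ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# matches "tcp dpt:ftp" as well as the range form "tcp dpts:ndmps:50000"
PORT_RE = re.compile(r"\b(\w+) dpts?:(\S+)")


def to_int(field):
    """Convert a counter such as '1943' or '98M' (iptables -v without -x) to an int."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if field[-1] in mult:
        return int(float(field[:-1]) * mult[field[-1]])
    return int(field)


def parse_chains(text):
    """Return {chain_name: [rule, ...]} from `iptables -L -v` output.

    Each rule is a dict with the packet counter, target, protocol, the
    trailing match text and the destination port it names (or None).
    """
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or the column header
        f = line.split()
        # columns: pkts bytes target prot opt in out source destination [matches...]
        rule = {"pkts": to_int(f[0]), "target": f[2], "prot": f[3],
                "extra": " ".join(f[9:])}
        pm = PORT_RE.search(rule["extra"])
        rule["dport"] = pm.group(2) if pm else None
        chains[current].append(rule)
    return chains


def accepted_ports(chains, chain="IN_public_allow"):
    """Map (protocol, dport) -> list of packet counters of the ACCEPT rules allowing it."""
    hits = defaultdict(list)
    for rule in chains.get(chain, []):
        if rule["target"] == "ACCEPT" and rule["dport"]:
            hits[(rule["prot"], rule["dport"])].append(rule["pkts"])
    return dict(hits)


def audit(chains, chain="IN_public_allow"):
    """Return (duplicates, unused): ports allowed by more than one rule, and
    ports whose allow rules have never matched a packet."""
    hits = accepted_ports(chains, chain)
    duplicates = sorted(p for p, counts in hits.items() if len(counts) > 1)
    unused = sorted(p for p, counts in hits.items() if sum(counts) == 0)
    return duplicates, unused


if __name__ == "__main__":
    chains = parse_chains(SAMPLE)
    for port, counts in accepted_ports(chains).items():
        print(f"{port[0]}/{port[1]:<14} rules={len(counts)} packets={sum(counts)}")
    dup, unused = audit(chains)
    print("allowed twice:", dup)
    print("never matched:", unused)
```

Run against the question's own listing, this reports that `ftp` is allowed by two separate rules and that neither the `ftp` nor the `ftp-data` rule has ever matched a packet. In other words the port is already open at the firewall, so the next things to check are whether the FTP daemon is actually listening, whether passive-mode data connections are being handled (firewalld's `ftp` service relies on the `nf_conntrack_ftp` helper for that), and whether the rule was added with `--permanent`, since a plain `firewall-cmd --add-service=ftp` only changes the runtime configuration and is lost on the next reload.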
