CentOS iptables on a Windows network


I have a machine running CentOS that is connected to a Windows network. When I try to browse the network I get the error "Unable to retrieve share list from server". As soon as I turn off iptables everything works fine. How can I fix this? My current iptables configuration is:

# Generated by iptables-save v1.4.7 on Sat Nov 16 11:06:35 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:360]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Sat Nov 16 11:06:35 2013

You can temporarily add a logging rule for the rejected traffic:

-A INPUT -j LOG --log-prefix "Rejected: "

placed before:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

and you will see which traffic is being rejected.

a] First, have iptables log the dropped packets, for example:

#----------
# Logs to messages.log
#----------
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: INPUT " --log-level 4
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: OUTPUT " --log-level 4
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables denied: FORWARD " --log-level 4
b] Tail the messages log:

tomas@raspirarium:~ $ tail -f /var/log/messages |grep "iptables denied"
c] Based on what shows up in message.log, write the iptables rules above the reject rules, as in the example below:

#----------
# Windows Samba
#----------
# incoming request
# incoming request: Windows hosts on the LAN connect to the local SMB ports
-A INPUT -i eth0 -p tcp -s 192.168.79.0/24 -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
# replies leave from the SMB ports, not from ephemeral ports
-A OUTPUT -o eth0 -p tcp -d 192.168.79.0/24 -m multiport --sports 139,445 -m state --state ESTABLISHED -j ACCEPT
# outgoing also handled: this host connects to shares on the Windows network
-A OUTPUT -o eth0 -p tcp -d 192.168.79.0/24 -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
# replies come back from the remote SMB ports
-A INPUT -i eth0 -p tcp -s 192.168.79.0/24 -m multiport --sports 139,445 -m state --state ESTABLISHED -j ACCEPT
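Both answers come down to the same loop: log what the REJECT rule drops, then open only what the log shows is needed. As an added example (not from either answer), this Python script parses the "iptables denied:" lines that the LOG rules above write to /var/log/messages, counts rejected traffic by chain, protocol, destination port and source /24, and drafts ACCEPT rules only for sources inside a trusted subnet; the log lines and the subnet list are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample of /var/log/messages, in the field layout the LOG target
# uses ("prefix IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT="); not real logs.
SAMPLE_LOG = """\
Nov 16 11:07:01 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.15 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 11:07:02 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.15 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1235 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 11:07:03 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.20 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1236 DF PROTO=TCP SPT=49201 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 16 11:07:04 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 16 11:07:05 centos sshd[2101]: Accepted publickey for tomas from 192.168.2.20 port 50123 ssh2
"""

# Chain name comes from the --log-prefix; DPT is optional (ICMP has none).
LINE_RE = re.compile(
    r"iptables denied: (?P<chain>\w+) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_denied(text):
    """Count rejected packets keyed by (chain, proto, dport, source /24)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line (e.g. the sshd entry)
        subnet = str(ip_network(m["src"] + "/24", strict=False))
        counts[(m["chain"], m["proto"].lower(), m["dpt"], subnet)] += 1
    return counts


def suggest_rules(counts, trusted):
    """Draft ACCEPT rules only for INPUT traffic from trusted subnets.

    Anything else stays rejected and is returned as a review line, so an
    unexpected source never gets a hole opened for it automatically.
    """
    accept, review = [], []
    for (chain, proto, dpt, subnet), n in sorted(counts.items()):
        if chain == "INPUT" and dpt and subnet in trusted:
            accept.append(f"-A INPUT -s {subnet} -p {proto} -m {proto} "
                          f"--dport {dpt} -m state --state NEW -j ACCEPT")
        else:
            review.append(f"{n}x {chain} {proto}/{dpt} from {subnet} "
                          "(not in trusted list, leave rejected)")
    return accept, review
```

Treat the drafted rules as a starting point: a rejected packet only deserves an ACCEPT rule if the service behind that port is actually meant to be reachable from that subnet, and the rules must be inserted above the final REJECT line to take effect.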