Transparent firewall can't access http and https
iptables -L output:
[root@itsys ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in eth0
ACCEPT tcp -- 172.16.16.113 anywhere tcp dpt:http
ACCEPT tcp -- 172.16.16.113 anywhere tcp dpt:https
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This is a Linux transparent bridge setup: eth0 connects to the switch, eth1 connects to the test machine (172.16.16.113). From the test machine I cannot access http websites site by site, but I can access the same site by IP address. https sites cannot be accessed either.
Adding DNS forwarding fixed it:
iptables -A FORWARD -p tcp -s 172.16.16.0/24 --dport 53 -j ACCEPT
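The symptom in the question (sites reachable by IP but not by name) is the classic signature of a FORWARD chain that lets HTTP/HTTPS through but drops the name lookups that precede them. The script below is an added example, not the poster's own ruleset: it rebuilds the thread's transparent-bridge FORWARD policy as a reproducible script and allows LAN DNS on both UDP and TCP port 53, since resolvers send queries over UDP first and fall back to TCP only for truncated answers. It assumes the bridge ports and LAN network from the thread (eth0 toward the switch, 172.16.16.0/24 on the test side) and that br_netfilter is loaded so the physdev match works; setting IPT=echo gives a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example: transparent-bridge FORWARD policy with DNS forwarding.
# Not the original poster's script. Assumptions (not from the page):
#   - br_netfilter is loaded, so -m physdev is available on the bridge
#   - IPT may be set to "echo" for a dry run that prints the rules
IPT="${IPT:-iptables}"
LAN_NET="${LAN_NET:-172.16.16.0/24}"   # network of the test host 172.16.16.113
WAN_IF="${WAN_IF:-eth0}"               # bridge port facing the switch

apply_forward_rules() {
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    # Stateful return traffic first, then drop anything conntrack cannot place
    "$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    # DHCP in both directions across the bridge
    "$IPT" -A FORWARD -p udp --sport 68 --dport 67 -j ACCEPT
    "$IPT" -A FORWARD -p udp --sport 67 --dport 68 -j ACCEPT
    # Everything entering from the switch side is allowed, as in the thread
    "$IPT" -A FORWARD -m physdev --physdev-in "$WAN_IF" -j ACCEPT
    # LAN-originated web traffic and ping
    "$IPT" -A FORWARD -p tcp -s "$LAN_NET" --dport 80  -j ACCEPT
    "$IPT" -A FORWARD -p tcp -s "$LAN_NET" --dport 443 -j ACCEPT
    "$IPT" -A FORWARD -p icmp -s "$LAN_NET" -j ACCEPT
    # LAN DNS: UDP 53 carries normal queries, TCP 53 the truncated-answer fallback
    "$IPT" -A FORWARD -p udp -s "$LAN_NET" --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -p tcp -s "$LAN_NET" --dport 53 -j ACCEPT
}

# Dry-run the rule set and count the rules that explicitly allow LAN DNS.
# Used to check the policy without touching the kernel (returns 2).
count_dns_rules() {
    (IPT=echo; apply_forward_rules) | grep -c -- '--dport 53 -j ACCEPT'
}

# Dry-run and report whether UDP DNS from the LAN is allowed (exit 0 if so).
lan_udp_dns_allowed() {
    (IPT=echo; apply_forward_rules) | grep -q -- "-p udp -s $LAN_NET --dport 53"
}

# Apply to the running kernel only when explicitly requested: APPLY=1 sh bridge-fw.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_forward_rules
fi
```

Run `IPT=echo sh bridge-fw.sh` with `APPLY=1` to print the rules as they would be inserted, and check the live result afterwards with `iptables -L FORWARD -v -n`: a DNS-only rule with a non-zero packet counter next to working name resolution confirms the lookups were the missing piece.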