Red Hat Enterprise Linux 4 at 192.168.100.126 and FC5 at 192.168.100.200 can ping each other. On the RHEL 4 box, ssh localhost works, the sshd service is running, and netstat -l shows ssh listening. RHEL 4 can ssh to 100.200, but 100.200 cannot ssh to 100.126: it fails with "no route to host".
At that point the firewall is the most likely culprit.
iptables -L lists the rules:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
These are the default rules. At first glance the line "ACCEPT all -- anywhere anywhere" looks as if everything should get through. Next, open the default configuration file, /etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
It turns out that rule only accepts everything arriving on the lo loopback interface.
iptables -v -L:
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
4369 1452K ACCEPT all -- lo any anywhere anywhere
8 624 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT ipv6-crypt-- any any anywhere anywhere
0 0 ACCEPT ipv6-auth-- any any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
211 23737 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
1068 143K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
You can see that the "in" interface of that rule is lo. Nothing in this rule set allows SSH logins, so incoming SSH connections fall through to the final REJECT, whose icmp-host-prohibited reply is what the client reports as "no route to host". The rule has to be added manually:
iptables -I RH-Firewall-1-INPUT 2 -m state --state NEW -s 192.168.100.0/24 -p tcp --dport 22 -j ACCEPT
This inserts the rule allowing SSH logins into RH-Firewall-1-INPUT at position 2, right after the lo rule and ahead of the catch-all REJECT.
After this, SSH logins to 126 work without problems.