求助 iptables 开放端口无效

系统是 centos7 ，firewall 关闭了的

[root@localhost init.d]# systemctl status firewalld.service
● firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead) since 四 2022-10-27 15:08:38 CST; 2 months 7 days ago
 Main PID: 7533 (code=exited, status=0/SUCCESS)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

有一个 iptables 可以使用，但并不是 service

[root@localhost init.d]# service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.


[root@localhost init.d]# iptables -nvL
Chain INPUT (policy ACCEPT 382K packets, 216M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3307
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1881

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 206K packets, 190M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.3           tcp dpt:6379
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.4           tcp dpt:9000

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

诡异的是扫描端口，发现 1881 和 3307 没有通，1880 通了的如果 yum 重新安装 iptables.service ，配置开通 3307 和 1881 后再扫描端口，发现 1880 和 1881 、3307 的 tcp 全部是关闭状态求大佬解惑

kestrelBright

2023-01-05 09:39:54 +08:00

@AS4694lAS4808 请教回环是什么意思？ loopback 么？

@gesse
```
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Jan 5 09:33:51 2023
*nat
:PREROUTING ACCEPT [312443:27129720]
:INPUT ACCEPT [312443:27129720]
:OUTPUT ACCEPT [383787:24152445]
:POSTROUTING ACCEPT [383789:24152565]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.17.0.4:9000
COMMIT
# Completed on Thu Jan 5 09:33:51 2023
# Generated by iptables-save v1.4.21 on Thu Jan 5 09:33:51 2023
*filter
:INPUT ACCEPT [14664149:7555216414]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8199559:6986569057]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 3307 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1881 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
```

@old9
```
[root@localhost ~]# ss -nat
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:18090 *:*
LISTEN 0 128 *:3307 *:*
LISTEN 0 128 *:3308 *:*
LISTEN 0 128 *:3309 *:*
LISTEN 0 128 *:21453 *:*
LISTEN 0 128 *:21454 *:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:6000 *:*
LISTEN 0 5 192.168.122.1:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:24631 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 *:24632 *:*
LISTEN 0 128 *:1880 *:*
LISTEN 0 128 *:1881 *:*
LISTEN 0 128 *:801 *:*
LISTEN 0 128 *:10050 *:*
TIME-WAIT 0 0 1.1.5.19:35706 4.1.8.8:1880
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58260
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50305
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58640
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58526
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58508
TIME-WAIT 0 0 1.1.5.19:36360 4.1.8.8:1880
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50308
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58368
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50309
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58288
ESTAB 0 0 1.1.5.19:22 10.10.4.139:53924
TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50335
TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50340
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58272
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58656
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58320
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58452
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58304
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50307
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58462
TIME-WAIT 0 0 1.1.5.19:80 2.2.8.176:50341
ESTAB 0 0 1.1.5.19:33678 4.1.8.8:1723
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58432
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58482
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58384
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58606
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58470
TIME-WAIT 0 0 1.1.5.19:36356 4.1.8.8:1880
ESTAB 0 0 1.1.5.19:80 1.2.5.2:50306
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58410
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58676
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58536
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58440
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58338
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58422
TIME-WAIT 0 0 1.1.5.19:36358 4.1.8.8:1880
ESTAB 0 0 1.1.5.19:80 8.1.1.2:58354
LISTEN 0 128 :::9000 :::*
LISTEN 0 128 :::9001 :::*
LISTEN 0 128 :::6379 :::*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::6000 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:631 :::*
```
@chunrix 保存了的
-rw-r--r-- 1 root root 2171 1 月 3 16:57 iptables

@YaakovZiv 非云主机，idc 机房的，没有宝塔

@oneisall8955 非云主机