iptables - CentOS 6 防火墙阻止tcp第二次握手ACK SYN数据包？-Fragen und Antworten zum chinesischen PHP-Netzwerk

我的vps防火墙挡住了wget，curl，连yum update都会超时。
主机是Vultr的，不像阿里云，Vultr没有面板可以管理网络，应该全靠本机防火墙。
但ping命令没有问题，安装的网络转发服务，go语言的ss manyuser也没问题。

关闭防火墙即可正常下载,开启防火墙后wget会超时。

--2017-01-28 08:46:06-- (try: 2) http://dldir1.qq.com/qqfile/qq/QQ8.9/19990/QQ8.9.exe Connecting to dldir1.qq.com|174.35.24.138|:80... failed: Connection timed out. Connecting to dldir1.qq.com|174.35.25.7|:80... failed: Connection timed out. Retrying.

我按照教程重新该配置了规则，已删掉楼下朋友说的drop all条目。input的最后一条记录应该就是把drop掉的数据记录下来。

[root@www ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:20160 ACCEPT tcp -- anywhere anywhere tcp dpts:50001:50100 ACCEPT tcp -- anywhere anywhere tcp dpts:11024:11120 ACCEPT icmp -- anywhere anywhere icmp any ACCEPT all -- localhost localhost ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT tcp -- 一个ip anywhere LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination

运行wget后，查看防火墙日志/var/log/messages会出现这个。同时还有很多访问80和443的记录。也不知道他们访问成功了没有。我自己测试访问80端口没问题。

Jan 28 08:44:06 www kernel: IN=eth0 OUT= MAC= SRC=174.35.24.138 DST=我的ip LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=47754 WINDOW=65535 RES=0x00 ACK SYN URGP=0

TCP三次握手是我发一个syn，对方发一个syn ack，我再发一个ack回去。这里似乎是把对方发的ack syn挡住了，求各位指点。

系统版本:

[root@www ~]# cat /proc/version Linux version 2.6.32-573.22.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Wed Mar 23 03:35:39 UTC 2016 [root@www ~]# uname -a Linux 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux [root@www ~]# cat /etc/issue CentOS release 6.8 (Final) Kernel \r on an \m [root@www ~]# cat /etc/redhat-release CentOS release 6.8 (Final) [root@www ~]# iptables --version iptables v1.4.7