如何设置我的iptables以允许Web流量到我的Spring Boot应用程序?

时间:2015-07-01 15:56:20

标签: linux spring-boot vps iptables

我正在尝试在Arvixe的VPS Lite上托管我的Spring Boot应用程序。没有CPanel,只是命令行。

当我启动Spring Boot应用程序并导航到服务器的IP地址时,我看到了ERR_CONNECTION_REFUSED错误。

这是我的iptables配置。我按照http://crm.vpscheap.net/knowledgebase.php?action=displayarticle&id=29

中的步骤进行操作 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

-A INPUT -j DROP
COMMIT

以上是上述创建的政策

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http limit: avg 25/min burst 100
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain

1 个答案:

答案 0 :(得分:0)

在您的iptables配置中,您打开了端口80和443,但是弹出启动应用程序默认从端口8080开始。所以你有两个选择:

  1. 通过在启动参数中添加--server.port=80或在application.properties中设置server.port=80,在端口80上启动应用列表。这将有效,但您必须以root启动应用程序,因为它尝试绑定到一个众所周知的端口。我不推荐这个。

  2. 使用iptables将外部端口80重定向到内部转发到端口8080,方法是在iptables config中添加如下所示的行

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
相关问题
最新问题