Iptables
Seemingly acceptable iptables rules prevent NIS (ypbind) from running
I am not an iptables expert.
I have a case where I need to block all outgoing traffic that is not destined for 10.0.0.0/8 or 167.114.0.0/16. I have two NIS servers (10.57.132.11, 10.57.132.40). I generated the following iptables ruleset, which I thought would work, but if I run service iptables start, I can no longer get ypbind to load. It times out trying to reach both NIS servers. Apart from the timeout, I see nothing in the logs.
# Generated by iptables-save v1.4.7 on Fri Jul 17 11:08:39 2015
*filter
:INPUT ACCEPT [78622:10507056]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-I OUTPUT -d 10.57.132.11 -j ACCEPT
-I OUTPUT -d 10.57.132.40 -j ACCEPT
-I OUTPUT -d 167.114.0.0/16 -j ACCEPT
-I OUTPUT -d 10.0.0.0/8 -j ACCEPT
-P OUTPUT DROP
COMMIT
# Completed on Fri Jul 17 11:08:39 2015
Any ideas what I am doing wrong? Thanks, Jack.
Update: To clarify, ypbind binds when iptables is off, but it does not bind when I turn on the ruleset above. Since it only filters OUTPUT and these rules look correct, I do not understand the problem, and I cannot find anything useful in the logs.
tl;dr: iptables is very literal; do not forget the localhost rule.
OK! Got it. Michael Hampton gave me the idea of using a logging rule (a first for me). So I did the following:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             167.114.0.0/16
ACCEPT     all  --  anywhere             nis1.example.com
ACCEPT     all  --  anywhere             nis2.example.com
LOGGING    all  --  anywhere             anywhere

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level warning prefix `IPTables-Dropped: '
DROP       all  --  anywhere             anywhere
From there, I started iptables, then tried restarting ypbind and immediately saw:
Jul 22 22:53:04 host1 ypbind[9844]: Unable to register (YPBINDPROG, YPBINDVERS, udp).
Jul 22 22:53:31 host1 kernel: IPTables-Dropped: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1476 DF PROTO=TCP SPT=18660 DPT=7606 WINDOW=2305 RES=0x00 ACK URGP=0
Jul 22 22:53:50 host1 ypbind: NIS server for domain example is not responding.
Jul 22 22:54:01 host1 kernel: IPTables-Dropped: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1506 DF PROTO=TCP SPT=18660 DPT=7606 WINDOW=2305 RES=0x00 ACK URGP=0
Oh no! It was blocking localhost. I added it to the OUTPUT rules and got:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             167.114.0.0/16
ACCEPT     all  --  anywhere             nis1.example.com
ACCEPT     all  --  anywhere             nis2.example.com
LOGGING    all  --  anywhere             anywhere

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level warning prefix `IPTables-Dropped: '
DROP       all  --  anywhere             anywhere
Restarted ypbind once more, and:
Jul 22 22:54:38 host1 ypbind: NIS domain: example, NIS server: nis1.example.com
There you have it!
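The lesson in the answer above (a default-DROP OUTPUT policy silently cuts off 127.0.0.1, which ypbind needs to talk to the local RPC portmapper) generalises to any host with a restrictive OUTPUT or INPUT policy. The following is an added example written for this page, not the poster's own rules: a corrected version of the question's ruleset in iptables-save format with an explicit loopback ACCEPT, plus a small awk-based lint that reads an iptables-save dump and flags any INPUT or OUTPUT chain that has a DROP policy (set either as `:CHAIN DROP` or with `-P CHAIN DROP`, as in the question) without an `-i lo` / `-o lo` ACCEPT rule. The NIS server addresses are the ones from the question; the LOG limits follow the answer's LOGGING chain; the `check_loopback` function name is this example's own.

```shell
#!/bin/sh
# Constructed example (not from the original post): the question's
# OUTPUT-only filter, rewritten in iptables-save format with the loopback
# rule that was missing. Apply with: printf '%s\n' "$FIXED_RULESET" | iptables-restore
FIXED_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.57.132.11 -j ACCEPT
-A OUTPUT -d 10.57.132.40 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 167.114.0.0/16 -j ACCEPT
-A OUTPUT -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "IPTables-Dropped: "
COMMIT'

# The same ruleset with the two loopback lines stripped out: the shape of
# the ruleset the question originally shipped.
BROKEN_RULESET=$(printf '%s\n' "$FIXED_RULESET" | grep -v -- '-[io] lo ')

# check_loopback: read an iptables-save dump on stdin. Prints a warning and
# returns 1 for each INPUT/OUTPUT chain whose policy is DROP but which has
# no unconditional loopback ACCEPT (-i lo for INPUT, -o lo for OUTPUT).
# Returns 0 when every DROP-policy chain has its loopback rule.
# Live usage on a host: iptables-save | check_loopback
check_loopback() {
    awk '
        # policy given in iptables-save header form, e.g. ":OUTPUT DROP [0:0]"
        /^:(INPUT|OUTPUT) DROP/ { drop_chain[substr($1, 2)] = 1 }
        # policy given as a command inside the dump, as in the question ("-P OUTPUT DROP")
        /^-P (INPUT|OUTPUT) DROP/ { drop_chain[$2] = 1 }
        # loopback accepts, appended (-A) or inserted (-I)
        /^-[AI] INPUT .*-i lo .*-j ACCEPT/  { has_lo["INPUT"] = 1 }
        /^-[AI] OUTPUT .*-o lo .*-j ACCEPT/ { has_lo["OUTPUT"] = 1 }
        END {
            rc = 0
            for (c in drop_chain) {
                if (!has_lo[c]) {
                    printf "WARNING: chain %s has policy DROP but no loopback ACCEPT rule\n", c
                    rc = 1
                }
            }
            exit rc
        }'
}

# Demonstration when run directly: the fixed ruleset passes, the stripped one warns.
printf '%s\n' "$FIXED_RULESET" | check_loopback && echo "fixed ruleset: OK"
printf '%s\n' "$BROKEN_RULESET" | check_loopback || echo "broken ruleset: loopback rule missing"
```

The lint deliberately matches only an unconditional `-o lo` / `-i lo` ACCEPT; a destination-based rule such as `-d 127.0.0.0/8` also works on most hosts, but interface matching is the conventional form and is what the answer's `OUT=lo` log line points at. Running `iptables-save | check_loopback` before switching a policy to DROP would have surfaced the question's problem without the ypbind timeouts.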