Iptables

Seemingly acceptable iptables rules stop NIS (ypbind) from working

  • July 22, 2015

I am not an iptables expert.

I have a case where I need to block all outgoing traffic that is not destined for 10.0.0.0/8 or 167.114.0.0/16. I have two NIS servers (10.57.132.11, 10.57.132.40). I generated the following iptables ruleset, which I thought would work, but if I run `service iptables start` I can't get ypbind to load either. It times out accessing both NIS servers. Apart from the timeout, I see nothing in the logs.

# Generated by iptables-save v1.4.7 on Fri Jul 17 11:08:39 2015
*filter
:INPUT ACCEPT [78622:10507056]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-I OUTPUT -d 10.57.132.11 -j ACCEPT
-I OUTPUT -d 10.57.132.40 -j ACCEPT
-I OUTPUT -d 167.114.0.0/16 -j ACCEPT 
-I OUTPUT -d 10.0.0.0/8 -j ACCEPT 
-P OUTPUT DROP

COMMIT
# Completed on Fri Jul 17 11:08:39 2015

Any ideas on what I'm doing wrong? Thanks, Jack.

Update: To clarify, ypbind binds when iptables is off, but does not bind when I turn on the ruleset above. Since it only filters OUTPUT and those rules look correct, I don't understand the problem, and I can't find anything useful in the logs.

tl;dr: iptables is really literal; don't forget the localhost rule.

OK! Got it. Michael Hampton gave me the idea of using a logging rule (a first for me). So I did the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             167.114.0.0/16
ACCEPT     all  --  anywhere             nis1.example.com
ACCEPT     all  --  anywhere             nis2.example.com
LOGGING    all  --  anywhere             anywhere

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level warning prefix `IPTables-Dropped: '
DROP       all  --  anywhere             anywhere

From there, I started iptables, then tried restarting ypbind and immediately saw:

Jul 22 22:53:04 host1 ypbind[9844]: Unable to register (YPBINDPROG, YPBINDVERS, udp).
Jul 22 22:53:31 host1 kernel: IPTables-Dropped: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1476 DF PROTO=TCP SPT=18660 DPT=7606 WINDOW=2305 RES=0x00 ACK URGP=0 
Jul 22 22:53:50 host1 ypbind: NIS server for domain example is not responding.
Jul 22 22:54:01 host1 kernel: IPTables-Dropped: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1506 DF PROTO=TCP SPT=18660 DPT=7606 WINDOW=2305 RES=0x00 ACK URGP=0

Oh no! It was blocking localhost. I added it to the OUTPUT rules and got:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             167.114.0.0/16
ACCEPT     all  --  anywhere             nis1.example.com
ACCEPT     all  --  anywhere             nis2.example.com
LOGGING    all  --  anywhere             anywhere

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level warning prefix `IPTables-Dropped: '
DROP       all  --  anywhere             anywhere

Restarted ypbind once more:

Jul 22 22:54:38 host1 ypbind: NIS domain: example, NIS server: nis1.example.com

There you have it!
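The fix the answer arrived at, written out as an added example (this is not code from the original post): a complete iptables-save style ruleset with the loopback accept placed ahead of the final logging DROP, plus a small pre-flight check that refuses to load any ruleset whose OUTPUT chain defaults to DROP without a loopback accept. The NIS server addresses and networks are the ones from the question; the function names, the `check_loopback` test and the decision to express the localhost rule as `-o lo` rather than `-s 127.0.0.1 -d 127.0.0.1` are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the original ServerFault post.
# Builds the corrected ruleset in iptables-save format and sanity-checks it
# before it is handed to iptables-restore (which needs root).

NIS1=10.57.132.11   # addresses from the question
NIS2=10.57.132.40

# Emit the ruleset. iptables-restore appends in file order, so the loopback
# accept is listed first and the LOGGING jump (log, then drop) comes last.
generate_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d $NIS1 -j ACCEPT
-A OUTPUT -d $NIS2 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 167.114.0.0/16 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "IPTables-Dropped: " --log-level warning
-A LOGGING -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin. Exit 0 if either OUTPUT does not default to DROP,
# or it does and an explicit loopback ACCEPT (-o lo) exists in OUTPUT.
# This catches the exact mistake from the question: the ruleset there set
# "-P OUTPUT DROP" without any localhost rule, so ypbind's RPC traffic over lo
# was dropped.
check_loopback() {
    awk '
        /^:OUTPUT DROP/ || /^-P OUTPUT DROP/            { drop = 1 }
        /^-[AI] OUTPUT / && / -o lo / && / -j ACCEPT/  { lo = 1 }
        END { exit (drop && !lo) ? 1 : 0 }
    '
}

# Load the ruleset only if the check passes (requires root).
apply_ruleset() {
    generate_ruleset | check_loopback || {
        echo "refusing to load: OUTPUT defaults to DROP but has no loopback accept" >&2
        return 1
    }
    generate_ruleset | iptables-restore
}
```

Run `generate_ruleset | check_loopback` against any saved ruleset before loading it; feeding it the ruleset from the question makes it exit 1, which is exactly what the logging chain had to be added to discover the hard way.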

Quoted from: https://serverfault.com/questions/707746