Linux

Firewall blocks outgoing ssh from an OpenVZ container

  • April 26, 2013

I am using a firewall on the HN to open/close the containers' ports directly from the HN. I am using the iptables script from the OpenVZ wiki.

Everything works fine, but I cannot get out of the VPS. I can ssh into the container, but if I try an ssh connection from the VPS to another server, the firewall blocks it.

What rule should I add to the iptables script to allow outgoing ssh connections? This is the script:

#!/bin/sh
# firewall      Start iptables firewall
# chkconfig: 2345 97 87
# description:  Starts, stops and saves iptables firewall
# This script sets up the firewall for the INPUT chain (which is for
# the HN itself) and then processes the config files under
# /etc/firewall.d to set up additional rules in the FORWARD chain
# to allow access to containers' services.
# http://wiki.openvz.org/Setting_up_an_iptables_firewall

. /etc/init.d/functions

# the IP block allocated to this server
SEGMENT="192.168.0.0/24"
# the IP used by the hosting server itself
THISHOST="192.168.0.1"
# services that should be allowed to the HN;
# services for containers are configured in /etc/firewall.d/*
OKPORTS="53"
# hosts allowed full access through the firewall,
# to all containers and to this server
DMZS="12.34.56.78 90.123.45.67"

purge() {
 echo -n "Firewall: Purging and allowing all traffic"
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD ACCEPT
 iptables -P INPUT ACCEPT
 iptables -F
 success ; echo
}

setup() {
 echo -n "Firewall: Setting default policies to DROP"
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -I INPUT   -j ACCEPT -m state --state ESTABLISHED,RELATED
 iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
 iptables -I INPUT -j ACCEPT -i lo
 iptables -I FORWARD -j ACCEPT --source $SEGMENT
 success ; echo

 echo "Firewall: Allowing access to HN"
 for port in $OKPORTS ; do
   echo -n "          port $port"
   iptables -I INPUT -j ACCEPT -s $SEGMENT -d $THISHOST --protocol tcp --destination-port $port
   iptables -I INPUT -j ACCEPT -s $SEGMENT -d $THISHOST --protocol udp --destination-port $port
   success ; echo
 done
 for ip in $DMZS ; do
   echo -n "          DMZ $ip"
   iptables -I INPUT   -i eth0 -j ACCEPT -s $ip
   iptables -I FORWARD -i eth0 -j ACCEPT -s $ip
   success ; echo
 done

 CTSETUPS=`echo /etc/firewall.d/*`
 if [ "$CTSETUPS" != "/etc/firewall.d/*" ] ; then
 echo "Firewall: Setting up container firewalls"
 for i in $CTSETUPS ; do
   . $i
   echo -n "          $CTNAME CT$CTID"
   if [ -n "$BANNED" ]; then
     for source in $BANNED ;  do iptables -I FORWARD -j DROP --destination $CTIP --source $source ; done
   fi
   if [ -n "$OPENPORTS" ]; then
     for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --destination-port $port ; done
     for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --destination-port $port ; done
   fi
   if [ -n "$DMZS" ]; then
     for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source ; done
     for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source ; done
   fi
   [ $? -eq 0 ] && success || failure
   echo
 done
 fi
}

case "$1" in
 start)
   echo "Starting firewall..."
   purge
   setup
   ;;
 stop)
   echo "Stopping firewall..."
   purge
   ;;
 restart)
   $0 stop
   $0 start
   ;;
 status)
   iptables -n -L
   ;;
 *)
   echo "Usage: $0 <start|stop|restart|status>"
   ;;
esac

This is an example of a single container configuration that the firewall script parses.

# This file is processed by /etc/init.d/firewall
CTID="1"                        # the container's ID#
CTNAME="Customer1"              # A human-friendly label for the container
CTIP="192.168.1.34"             # the IP address for this container
OPENPORTS="80 443 22"           # ports that should be universally opened
                                # to the entire Internet
DMZS="1.2.3.0/24 5.6.7.8/32"    # IPs and blocks that should have full access
                                # to the container's services
BANNED=""                       # IPs and blocks that should be entirely
                                # blocked from the container's services

It seems to me that you could solve this by creating another file in /etc/firewall.d/ and abusing $CTIP and $DMZS. You just turn them around, making $DMZS the IP of the container and $CTIP the Internet: CTIP=0/0
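The following is an added example, not code from the question, the answer or the OpenVZ wiki. It reproduces the per-container part of the script's setup() with iptables replaced by a shell function that echoes each command, so the FORWARD rules a /etc/firewall.d/ file would produce can be reviewed before the file is loaded. The config file it renders is constructed in the style the answer suggests (CTIP and DMZS swapped); the container address 192.168.1.34 is the one from the question's sample config, and the temporary file path is created by mktemp.

```shell
#!/bin/sh
# Added example: dry-run the per-container rule generation of the
# OpenVZ wiki firewall script. Nothing here touches the kernel's
# tables; "iptables" is shadowed by a function that prints the command.

iptables() { echo "iptables $*"; }

# Mirror of the loops inside setup() that process one /etc/firewall.d
# file. The variables are cleared first: the original script only
# sources each file in turn, so a DMZS or BANNED set in one file would
# otherwise carry over into the next file that does not set it.
render_ct_rules() {
  CTID="" CTNAME="" CTIP="" OPENPORTS="" DMZS="" BANNED=""
  . "$1"
  for source in $BANNED ; do
    iptables -I FORWARD -j DROP --destination "$CTIP" --source "$source"
  done
  for port in $OPENPORTS ; do
    iptables -I FORWARD -j ACCEPT --protocol tcp --destination "$CTIP" --destination-port "$port"
    iptables -I FORWARD -j ACCEPT --protocol udp --destination "$CTIP" --destination-port "$port"
  done
  for source in $DMZS ; do
    iptables -I FORWARD -j ACCEPT --protocol tcp --destination "$CTIP" --source "$source"
    iptables -I FORWARD -j ACCEPT --protocol udp --destination "$CTIP" --source "$source"
  done
}

# Number of emitted rules that ACCEPT traffic originating from the
# given container address, i.e. how much outbound access a file grants.
count_outbound_accepts() {
  render_ct_rules "$1" | grep -c -- "-j ACCEPT.*--source $2"
}

# A narrower alternative (not from the answer): allow only outbound
# ssh from one container address, instead of every TCP and UDP port.
narrow_ssh_rule() {
  iptables -I FORWARD -j ACCEPT --protocol tcp --source "$1" --destination-port 22
}

# Constructed config file following the answer's trick: the
# "destination" is the whole Internet and the "DMZ" is the container.
TMPCFG=$(mktemp)
trap 'rm -f "$TMPCFG"' EXIT
cat > "$TMPCFG" <<'EOF'
# constructed for this example; processed by render_ct_rules above
CTID="1"
CTNAME="Customer1-outbound"
CTIP="0/0"
OPENPORTS=""
DMZS="192.168.1.34"
BANNED=""
EOF

echo "Rules the swapped config would produce:"
render_ct_rules "$TMPCFG"
echo "Narrow ssh-only alternative:"
narrow_ssh_rule 192.168.1.34
```

Run with `sh` on any machine; the dry run shows that the swapped config yields two ACCEPT rules (tcp and udp) from 192.168.1.34 to 0/0 with no port restriction, so the container gets full outbound access rather than just ssh. Replies come back through the existing `ESTABLISHED,RELATED` rule in FORWARD, and because the script uses `-I`, the new rules land above the default-DROP policy regardless of file order. Note also that the script's only generic outbound allow is `--source $SEGMENT` (192.168.0.0/24), which does not cover a container at 192.168.1.34, which is consistent with the blocked outbound ssh in the question.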

Source: https://serverfault.com/questions/502791