Linux
Firewall blocks outgoing ssh from an OpenVZ container
I am using a firewall on the HN to open/close ports on the containers directly from the HN. I am using the iptables script from the openvz wiki.
Everything works fine, but I cannot get out of the VPS. I can ssh into the container, but if I try an ssh connection from the VPS to another server, the firewall blocks it.
What rule should I add to the iptables script to allow outgoing ssh connections? This is the script:
#!/bin/sh
# firewall      Start iptables firewall
# chkconfig: 2345 97 87
# description: Starts, stops and saves iptables firewall
#
# This script sets up the firewall for the INPUT chain (which is for
# the HN itself) and then processes the config files under
# /etc/firewall.d to set up additional rules in the FORWARD chain
# to allow access to containers' services.
# http://wiki.openvz.org/Setting_up_an_iptables_firewall

. /etc/init.d/functions

# the IP block allocated to this server
SEGMENT="192.168.0.0/24"
# the IP used by the hosting server itself
THISHOST="192.168.0.1"
# services that should be allowed to the HN;
# services for containers are configured in /etc/firewall.d/*
OKPORTS="53"
# hosts allowed full access through the firewall,
# to all containers and to this server
DMZS="12.34.56.78 90.123.45.67"

purge() {
    echo -n "Firewall: Purging and allowing all traffic"
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P INPUT ACCEPT
    iptables -F
    success ; echo
}

setup() {
    echo -n "Firewall: Setting default policies to DROP"
    # OUTPUT stays at ACCEPT (set by purge): the HN's own outbound traffic is
    # never filtered. Container traffic is only ever seen by FORWARD.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    # every rule below is added with -I, so the LAST rule added is matched FIRST
    iptables -I INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
    iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
    iptables -I INPUT -j ACCEPT -i lo
    # new connections originating inside $SEGMENT may go anywhere;
    # a container whose IP lies outside $SEGMENT gets no outbound access from this rule
    iptables -I FORWARD -j ACCEPT --source $SEGMENT
    success ; echo

    echo "Firewall: Allowing access to HN"
    for port in $OKPORTS ; do
        echo -n " port $port"
        iptables -I INPUT -j ACCEPT -s $SEGMENT -d $THISHOST --protocol tcp --destination-port $port
        iptables -I INPUT -j ACCEPT -s $SEGMENT -d $THISHOST --protocol udp --destination-port $port
        success ; echo
    done
    for ip in $DMZS ; do
        echo -n " DMZ $ip"
        iptables -I INPUT -i eth0 -j ACCEPT -s $ip
        iptables -I FORWARD -i eth0 -j ACCEPT -s $ip
        success ; echo
    done

    CTSETUPS=`echo /etc/firewall.d/*`
    if [ "$CTSETUPS" != "/etc/firewall.d/*" ] ; then
        echo "Firewall: Setting up container firewalls"
        for i in $CTSETUPS ; do
            # reset the per-container settings so a file that omits one of them
            # does not silently inherit the value sourced from the previous file
            CTID="" ; CTNAME="" ; CTIP="" ; OPENPORTS="" ; DMZS="" ; BANNED=""
            . $i
            echo -n " $CTNAME CT$CTID"
            if [ -n "$OPENPORTS" ]; then
                for port in $OPENPORTS ; do
                    iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --destination-port $port
                done
                for port in $OPENPORTS ; do
                    iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --destination-port $port
                done
            fi
            if [ -n "$DMZS" ]; then
                for source in $DMZS ; do
                    iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source
                done
                for source in $DMZS ; do
                    iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source
                done
            fi
            # BANNED is inserted after the ACCEPT rules so that it ends up above
            # them; inserted first (as originally posted) a banned source could
            # still reach any port listed in OPENPORTS
            if [ -n "$BANNED" ]; then
                for source in $BANNED ; do
                    iptables -I FORWARD -j DROP --destination $CTIP --source $source
                done
            fi
            [ $? -eq 0 ] && success || failure
            echo
        done
    fi
}

case "$1" in
  start)
    echo "Starting firewall..."
    purge
    setup
    ;;
  stop)
    echo "Stopping firewall..."
    purge
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    iptables -n -L
    ;;
  *)
    echo "Usage: $0 <start|stop|restart|status>"
    ;;
esac
This is an example of a single container config that the firewall script parses.
# This file is processed by /etc/init.d/firewall
CTID="1"                      # the container's ID#
CTNAME="Customer1"            # A human-friendly label for the container
CTIP="192.168.1.34"           # the IP address for this container
OPENPORTS="80 443 22"         # ports that should be universally opened
                              # to the entire Internet
DMZS="1.2.3.0/24 5.6.7.8/32"  # IPs and blocks that should have full access
                              # to the container's services
BANNED=""                     # IPs and blocks that should be entirely
                              # blocked from the container's services
As I see it, you can solve this by creating another file in /etc/firewall.d/ and abusing $CTIP and $DMZS. You just turn them around, making $DMZS the IP of the container and $CTIP the Internet: CTIP=0/0
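As an added example (it is not part of the question or of the answer above), the sh script below dry-runs the FORWARD rules that the answer's swapped-variable file produces when fed through the script's DMZ loop, next to a narrower per-port egress rule. The file name /etc/firewall.d/99-egress-customer1, the IPTABLES dry-run variable and the egress_rules helper are assumptions, not part of the page's script. Two things are worth checking before choosing: with CTIP=0/0 the DMZ loop accepts every new TCP and UDP connection from the container to anywhere, not only ssh; and in the values as posted the container (192.168.1.34) lies outside SEGMENT=192.168.0.0/24, so the blanket --source $SEGMENT rule in setup() never covers its outbound traffic, which is consistent with inbound ssh working (port 22 is in OPENPORTS, and replies match ESTABLISHED,RELATED) while new outbound connections fall through to the FORWARD DROP policy.

```shell
#!/bin/sh
# Added example, not part of the original post. Dry-runs the FORWARD rules
# that the page's per-container loop produces for the answer's trick, next
# to a narrower egress rule. IPTABLES defaults to "echo iptables" so nothing
# is applied; set IPTABLES=iptables on the HN to apply the rules for real.
IPTABLES=${IPTABLES:-echo iptables}

# Contents of the extra file the answer suggests (file name, CTID and CTNAME
# are assumptions). Swapping CTIP and DMZS makes the existing DMZ loop emit
# "accept from <container> to anywhere" instead of "accept to <container>".
egress_file() {
    cat <<EOF
# /etc/firewall.d/99-egress-customer1 (assumed name)
CTID="1"
CTNAME="Customer1-egress"
CTIP="0/0"                  # "destination": anywhere
OPENPORTS=""                # nothing inbound from this file
DMZS="192.168.1.34"         # "source": the container itself
BANNED=""
EOF
}

# Same loop body as the page's script, applied to the swapped values.
# Result: ALL new TCP and UDP from the container is allowed out, not just ssh.
answer_trick_rules() {
    CTIP="0/0"
    DMZS="$1"
    for source in $DMZS ; do
        $IPTABLES -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source
    done
    for source in $DMZS ; do
        $IPTABLES -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source
    done
}

# Narrower alternative (assumed helper): one rule per listed destination
# port, TCP only. Return traffic is already covered by the
# ESTABLISHED,RELATED rule that setup() puts in FORWARD.
egress_rules() {
    ctip="$1"; shift
    for port in "$@" ; do
        $IPTABLES -I FORWARD -j ACCEPT --protocol tcp --source "$ctip" --destination-port "$port"
    done
}

# dry run: print the file and the two rule sets side by side
egress_file
answer_trick_rules 192.168.1.34
egress_rules 192.168.1.34 22
```

After applying either variant, confirm with `iptables -L FORWARD -n -v --line-numbers` that the new ACCEPT sits above the DROP policy and, from inside the container, retry with `ssh -v` so a timeout (still dropped) is distinguishable from a refused connection (reached the far end). Because the script adds rules with -I, the per-port egress rule only needs to exist; its position in /etc/firewall.d does not matter.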