Iptables and the Deny problem

I configured iptables with FWBuilder, and for some reason there is a rule that is constantly being dropped, and I don't know why, because all the IP addresses from and to 10.208.x.x (the first server) and 10.210.x.x (this is the second server) are allowed, and the port I need to use, "3306", is allowed as well:

This is the message I have in syslog:

RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.x.x DST=10.210.x.x LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=23943 DF PROTO=TCP SPT=48850 DPT=3306 WINDOW=237 RES=0x00 ACK PSH FIN URGP=0

However, as you can see, the IP and the port work fine:

root@xxx:~# telnet 10.210.x.x 3306 (from first and second server)
Trying 10.210.x.x...
Connected to 10.210.x.x.

root@xxx:~# ping 10.210.x.x
PING 10.210.x.x (10.210.x.x) 56(84) bytes of data.
64 bytes from 10.210.x.x: icmp_seq=1 ttl=61 time=0.443 ms
64 bytes from 10.210.x.x: icmp_seq=2 ttl=61 time=0.392 ms
64 bytes from 10.210.x.x: icmp_seq=3 ttl=61 time=0.445 ms
64 bytes from 10.210.x.x: icmp_seq=4 ttl=61 time=0.454 ms

Linux version:

::::::::::::::
/etc/lsb-release
::::::::::::::
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
::::::::::::::
/etc/os-release
::::::::::::::
NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Could someone give me a hand with this? I think there could be something slightly misconfigured, or maybe there is a bug.

root@*:~# sudo iptables -v -x -n -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
437254327 92783258843 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 In_RULE_0  all  --  eth0   *       10.208.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       67.192.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       192.168.33.172       0.0.0.0/0           
   56849  3410940 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
  250823 15126338 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       67.192.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.172       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.40.*.*            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.99.*.*           0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.176.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.181.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.182.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.183.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*          0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.210.*.*          0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.210.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       7     3767 ACCEPT     all  --  eth0   *       50.56.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
   81855  4256460 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
   53187  2765724 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       108.171.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       108.171.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       136.243.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       148.251.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       166.78.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       166.78.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       174.143.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       179.27.*.*/29      0.0.0.0/0            state NEW
    1088    47984 ACCEPT     all  --  eth0   *       190.64.*.*/29    0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       190.64.*.*/29     0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.1         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.2         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.3         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.4         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.19        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.24        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.41        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.42        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.50        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.55        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.101       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.102       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.103       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.106       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.107       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.108       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.121       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.161       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.163       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.164       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.165       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.166       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.167       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.168       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.169       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.170       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.171       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.173       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.174       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.175       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.176       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.181       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.182       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.200       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.201       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.219       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.220       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.246       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.247       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.237.218.99       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.222.83       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.251.56       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.251.97       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       200.57.*.*/28     0.0.0.0/0            state NEW
   11992   719520 ACCEPT     all  --  eth0   *       200.57.*.*/28    0.0.0.0/0            state NEW
      10      600 ACCEPT     all  --  eth0   *       201.131.*.*/24       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       67.192.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       192.168.33.172       0.0.0.0/0            state NEW
     779    44456 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
   90410  8134061 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 255
    3620   267644 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 In_RULE_0  all  --  eth0   *       10.208.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       67.192.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       192.168.33.172       0.0.0.0/0           
       0        0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 255
       0        0 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
487779276 80687509431 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   56849  3410940 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            10.208.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            67.192.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            192.168.33.172       state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            10.208.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            67.192.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            192.168.33.172       state NEW
       0        0 Cid30714X20128.0  all  --  *      eth0    10.208.*.*        0.0.0.0/0            state NEW
 2928645 175735100 Cid30714X20128.0  all  --  *      eth0    67.192.*.*        0.0.0.0/0            state NEW
       0        0 Cid30714X20128.0  all  --  *      eth0    192.168.33.172       0.0.0.0/0            state NEW
58835947 3530679635 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
   21733  1117948 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Cid30714X20128.0 (3 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            10.208.*.*       
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            67.192.*.*       
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.33.172      

Chain In_RULE_0 (6 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 0 --fwb-- DENY "
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain RULE_7 (3 references)
    pkts      bytes target     prot opt in     out     source               destination         
   25353  1385592 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 7 -- DENY "
   25353  1385592 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
asked 13 January 2016 at 08:22

1 answer

Your rule 7 hits are not really a problem. For TCP connections, Linux tends to use a "half-duplex" close sequence, where either side of the session can initiate the connection teardown via a single 2-way FIN-ACK handshake (which puts the connection into the CLOSE_WAIT state) instead of the full 4-way FIN-ACK handshake. The one rule 7 hit you posted was probably a straggling FIN packet from that, arriving after the connection had already been closed and forgotten, so it did not traverse your RELATED,ESTABLISHED rule and ended up at rule 7.

answered 26 July 2019 at 09:48
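The answer above distinguishes a late FIN from a genuinely denied connection attempt, and the posted ruleset sends everything that is neither RELATED,ESTABLISHED nor an explicitly accepted NEW packet to RULE_7 in all three chains, so the log mixes both kinds. The following triage script is an added example and is not code from the post, from the answerer or from FWBuilder. It parses the field layout that the netfilter LOG target actually emits (KEY=VALUE tokens plus bare tokens such as DF and the TCP flag names after RES=), classifies each hit by its TCP flags, and reports only the flows that would need an ACCEPT rule. The first sample line is the one from the post, with its masked "x.x" addresses kept as posted; the remaining sample lines, the category names, and the syslog-style prefix handling are constructed assumptions for the example.

```python
"""Triage netfilter LOG lines (added example, not code from the original post).

Separates genuine denied connection attempts (SYN without ACK) from teardown
stragglers such as the ACK PSH FIN segment logged in the question, which the
answer attributes to a flow that conntrack had already forgotten."""
import re
from collections import Counter
from dataclasses import dataclass, field

# TCP flag names that the LOG target prints as bare tokens after RES=
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Everything before the first "IN=" is the log prefix (plus any syslog header)
_LOG_RE = re.compile(r"^(?P<prefix>.*?)(?<![A-Z])IN=(?P<rest>.*)$")


@dataclass
class LogHit:
    prefix: str                                   # e.g. "RULE 7 -- DENY"
    fields: dict = field(default_factory=dict)    # KEY=VALUE tokens
    flags: set = field(default_factory=set)       # TCP flags present
    bare: list = field(default_factory=list)      # DF, MF, CE, ...


def parse_log_line(line):
    """Parse one iptables LOG line; return a LogHit or None if it is not one."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix")
    if "kernel:" in prefix:                       # strip a syslog header if present
        prefix = prefix.split("kernel:", 1)[1]
    prefix = re.sub(r"^\s*\[\s*[\d.]+\]\s*", "", prefix).strip()
    hit = LogHit(prefix=prefix)
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            hit.fields[key] = value               # "IN=" yields an empty value
        elif tok in TCP_FLAG_TOKENS:
            hit.flags.add(tok)
        else:
            hit.bare.append(tok)
    return hit


def classify(hit):
    """Say what kind of packet fell through to the final LOG/DROP rule."""
    if hit.fields.get("PROTO") != "TCP":
        return "non-tcp"
    f = hit.flags
    if "SYN" in f and "ACK" not in f:
        return "new-connection"       # a real denial: a fresh connection attempt
    if "SYN" in f:
        return "unmatched-syn-ack"    # reply to a SYN conntrack never saw (asymmetric path?)
    if "FIN" in f or "RST" in f:
        return "teardown-straggler"   # late FIN/RST after conntrack dropped the entry
    return "mid-stream-orphan"        # data/ACK with no conntrack entry (timeout, table full)


def triage(lines):
    """Count hits per category and list the flows that actually need a rule."""
    counts = Counter()
    needs_rule = []
    for line in lines:
        hit = parse_log_line(line)
        if hit is None:
            continue
        kind = classify(hit)
        counts[kind] += 1
        if kind == "new-connection":
            needs_rule.append((hit.fields.get("SRC"), hit.fields.get("DST"),
                               hit.fields.get("DPT")))
    return {"counts": counts, "needs_rule": needs_rule}


# The first line is the one from the post (addresses masked as posted);
# the rest are constructed samples for this example.
SAMPLE_LINES = [
    "RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.x.x DST=10.210.x.x LEN=52 TOS=0x08 "
    "PREC=0x00 TTL=64 ID=23943 DF PROTO=TCP SPT=48850 DPT=3306 WINDOW=237 "
    "RES=0x00 ACK PSH FIN URGP=0",
    "RULE 7 -- DENY IN=eth0 OUT= SRC=203.0.113.7 DST=10.208.1.5 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=29200 "
    "RES=0x00 SYN URGP=0",
    "Jan 13 08:22:01 db1 kernel: [1234.567] RULE 7 -- DENY IN= OUT=eth1 "
    "SRC=10.208.1.5 DST=10.210.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF "
    "PROTO=TCP SPT=3306 DPT=51001 WINDOW=227 RES=0x00 ACK RST URGP=0",
    "RULE 7 -- DENY IN=eth0 OUT= SRC=10.209.1.2 DST=10.208.1.5 LEN=52 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=227 "
    "RES=0x00 ACK URGP=0",
    "RULE 7 -- DENY IN=eth0 OUT= SRC=10.209.1.2 DST=10.208.1.5 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=4 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40",
    "Jan 13 08:22:02 db1 kernel: unrelated message",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for kind, n in sorted(result["counts"].items()):
        print(f"{kind:20s} {n}")
    print("flows needing an ACCEPT rule:", result["needs_rule"])
```

Run against the posted line, the script files it under "teardown-straggler", matching the answer; only SYN-without-ACK hits are reported as flows that need a rule. If the goal is a log that shows only real denials, the usual approach is to put an unlogged rule for TCP packets that are not SYN but that conntrack treats as NEW (for example `-p tcp ! --syn -m conntrack --ctstate NEW -j DROP`) ahead of the logging rule, and to review the conntrack TCP timeouts (the `net.netfilter.nf_conntrack_tcp_timeout_*` sysctls) if stragglers are frequent.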
