I have configured iptables with FWBuilder, and for some reason one rule keeps dropping packets and I don't know why, because all IP addresses from and to 10.208.x.x (the first server) and 10.210.x.x (which is the second server) are allowed, and so is the port I need to use, "3306":
This is the message I see in the syslog:
RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.x.x DST=10.210.x.x LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=23943 DF PROTO=TCP SPT=48850 DPT=3306 WINDOW=237 RES=0x00 ACK PSH FIN URGP=0
But, as you can see, the IP and the port work fine:
root@xxx:~# telnet 10.210.x.x 3306 (from first and second server)
Trying 10.210.x.x...
Connected to 10.210.x.x.
root@xxx:~# ping 10.210.x.x
PING 10.210.x.x (10.210.x.x) 56(84) bytes of data.
64 bytes from 10.210.x.x: icmp_seq=1 ttl=61 time=0.443 ms
64 bytes from 10.210.x.x: icmp_seq=2 ttl=61 time=0.392 ms
64 bytes from 10.210.x.x: icmp_seq=3 ttl=61 time=0.445 ms
64 bytes from 10.210.x.x: icmp_seq=4 ttl=61 time=0.454 ms
Linux version:
::::::::::::::
/etc/lsb-release
::::::::::::::
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
::::::::::::::
/etc/os-release
::::::::::::::
NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
Can anyone help me fix this? I think it may be a misconfiguration, or maybe there is a bug.
root@*:~# sudo iptables -v -x -n -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
437254327 92783258843 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 In_RULE_0 all -- eth0 * 10.208.*.* 0.0.0.0/0
0 0 In_RULE_0 all -- eth0 * 67.192.*.* 0.0.0.0/0
0 0 In_RULE_0 all -- eth0 * 192.168.33.172 0.0.0.0/0
56849 3410940 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
250823 15126338 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 67.192.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.172 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.40.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.99.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.176.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.178.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.178.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.178.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.178.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.179.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.179.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.179.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.181.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.182.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.183.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.209.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.210.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.210.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.223.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.223.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.223.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 10.223.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 23.253.*.* 0.0.0.0/0 state NEW
7 3767 ACCEPT all -- eth0 * 50.56.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 50.56.*.* 0.0.0.0/0 state NEW
81855 4256460 ACCEPT all -- eth0 * 50.56.*.* 0.0.0.0/0 state NEW
53187 2765724 ACCEPT all -- eth0 * 50.56.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 50.56.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 50.56.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.130.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 104.239.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 108.171.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 108.171.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 136.243.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 148.251.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 166.78.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 166.78.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 174.143.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 179.27.*.*/29 0.0.0.0/0 state NEW
1088 47984 ACCEPT all -- eth0 * 190.64.*.*/29 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 190.64.*.*/29 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.1 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.2 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.3 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.4 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.19 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.41 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.42 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.50 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.55 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.101 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.102 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.103 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.106 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.107 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.108 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.121 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.161 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.163 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.164 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.165 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.166 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.167 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.168 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.169 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.170 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.171 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.173 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.174 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.175 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.176 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.181 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.182 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.200 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.201 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.219 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.220 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.246 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.168.33.247 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 192.237.218.99 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 198.101.222.83 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 198.101.251.56 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 198.101.251.97 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 200.57.*.*/28 0.0.0.0/0 state NEW
11992 719520 ACCEPT all -- eth0 * 200.57.*.*/28 0.0.0.0/0 state NEW
10 600 ACCEPT all -- eth0 * 201.131.*.*/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 10.208.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 67.192.*.* 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 192.168.33.172 0.0.0.0/0 state NEW
779 44456 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
90410 8134061 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 255
3620 267644 RULE_7 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 In_RULE_0 all -- eth0 * 10.208.*.* 0.0.0.0/0
0 0 In_RULE_0 all -- eth0 * 67.192.*.* 0.0.0.0/0
0 0 In_RULE_0 all -- eth0 * 192.168.33.172 0.0.0.0/0
0 0 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 255
0 0 RULE_7 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
487779276 80687509431 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
56849 3410940 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * eth1 0.0.0.0/0 10.208.*.* state NEW
0 0 ACCEPT all -- * eth1 0.0.0.0/0 67.192.*.* state NEW
0 0 ACCEPT all -- * eth1 0.0.0.0/0 192.168.33.172 state NEW
0 0 ACCEPT all -- * eth2 0.0.0.0/0 10.208.*.* state NEW
0 0 ACCEPT all -- * eth2 0.0.0.0/0 67.192.*.* state NEW
0 0 ACCEPT all -- * eth2 0.0.0.0/0 192.168.33.172 state NEW
0 0 Cid30714X20128.0 all -- * eth0 10.208.*.* 0.0.0.0/0 state NEW
2928645 175735100 Cid30714X20128.0 all -- * eth0 67.192.*.* 0.0.0.0/0 state NEW
0 0 Cid30714X20128.0 all -- * eth0 192.168.33.172 0.0.0.0/0 state NEW
58835947 3530679635 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
21733 1117948 RULE_7 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Cid30714X20128.0 (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.208.*.*
0 0 ACCEPT all -- * * 0.0.0.0/0 67.192.*.*
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.33.172
Chain In_RULE_0 (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "RULE 0 --fwb-- DENY "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RULE_7 (3 references)
pkts bytes target prot opt in out source destination
25353 1385592 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "RULE 7 -- DENY "
25353 1385592 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Answer 1
The rule 7 hit is actually not the problem. For TCP connections, Linux tends to use a "half-duplex" close sequence in which either side of the session can initiate connection teardown with a single two-way FIN-ACK handshake (which puts the connection into the CLOSE_WAIT state), rather than the full 4-way FIN-ACK handshake. The rule 7 entry you posted is probably a FIN packet left over after the connection has already been closed and forgotten, so it did not traverse your RELATED,ESTABLISHED rule and ended up at rule 7.
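As an added example (not part of the question or of the answer above), here is a small Python parser for iptables LOG lines of the kind shown in the question. It separates the case the answer describes, end-of-connection FIN/RST segments that conntrack has already forgotten and that therefore fall past the RELATED,ESTABLISHED rule to the catch-all deny, from genuine new-connection attempts (bare SYN) that the policy refused. The log lines in SAMPLE_LOG are constructed (addresses from the 10.208/10.210 ranges in the question plus a TEST-NET address), and the function names are my own.

```python
import re
from collections import Counter

# Bare tokens that the iptables LOG target emits without a "KEY=" part.
TCP_FLAG_TOKENS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}

# Optional syslog header ("Jun  3 10:01:12 host kernel: [123.456] ") before the LOG text.
SYSLOG_HEAD_RE = re.compile(r"^.*?kernel:\s*(\[\s*[\d.]+\]\s*)?")
# Everything before the first "IN=" is the rule's log prefix (e.g. "RULE 7 -- DENY ").
PREFIX_RE = re.compile(r"^(?P<prefix>.*?)\s*(?=IN=)")


def parse_log_line(line):
    """Parse one iptables LOG line into a dict.

    KEY=VALUE fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...) become dict entries,
    'prefix' holds the rule's log prefix, and 'flags' is the set of TCP flag
    tokens (ACK, FIN, SYN, ...) found on the line.
    """
    line = SYSLOG_HEAD_RE.sub("", line.strip(), count=1)
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not an iptables LOG line: %r" % line)
    pkt = {"prefix": m.group("prefix").strip(), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            pkt[key] = value
        elif tok in TCP_FLAG_TOKENS:
            pkt["flags"].add(tok)
        # other bare tokens (DF, MF, CE) are IP-level markers we do not need here
    return pkt


def classify(pkt):
    """Explain a logged drop, following the reasoning in the answer.

    'stale_close' : TCP segment carrying FIN or RST but no SYN. Typical for the
                    tail of a connection conntrack has already forgotten, so it
                    no longer matches RELATED,ESTABLISHED and falls through to
                    the catch-all deny. Harmless noise.
    'new_attempt' : TCP SYN without ACK, i.e. a real connection attempt the
                    policy refused. These are the entries that need an explicit
                    allow rule, or that are genuinely unwanted traffic.
    'mid_stream'  : any other TCP segment (ACK/PSH without SYN, FIN or RST),
                    usually a conntrack timeout or asymmetric routing on a
                    still-live session.
    'non_tcp'     : everything else (ICMP, UDP, ...).
    """
    if pkt.get("PROTO") != "TCP":
        return "non_tcp"
    flags = pkt["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new_attempt"
    if flags & {"FIN", "RST"} and "SYN" not in flags:
        return "stale_close"
    return "mid_stream"


def summarize(lines):
    """Count logged drops by (prefix, category, SRC, DST, DPT); skips non-LOG lines."""
    counts = Counter()
    for line in lines:
        try:
            pkt = parse_log_line(line)
        except ValueError:
            continue
        key = (pkt["prefix"], classify(pkt), pkt.get("SRC"), pkt.get("DST"), pkt.get("DPT"))
        counts[key] += 1
    return counts


# Constructed sample syslog excerpt: two leftover FIN segments on an already-closed
# MySQL session, one refused SYN from an outside address, and one ICMP echo request.
SAMPLE_LOG = """\
Jun  3 10:01:12 db1 kernel: [12345.678] RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.0.5 DST=10.210.0.9 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=23943 DF PROTO=TCP SPT=48850 DPT=3306 WINDOW=237 RES=0x00 ACK PSH FIN URGP=0
Jun  3 10:01:13 db1 kernel: [12346.001] RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.0.5 DST=10.210.0.9 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=23944 DF PROTO=TCP SPT=48850 DPT=3306 WINDOW=237 RES=0x00 ACK FIN URGP=0
Jun  3 10:02:40 db1 kernel: [12432.900] RULE 7 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.208.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  3 10:03:01 db1 kernel: [12453.100] RULE 7 -- DENY IN=eth0 OUT= SRC=10.208.0.7 DST=10.208.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
"""

if __name__ == "__main__":
    for (prefix, category, src, dst, dpt), n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print("%-16s %-12s %s -> %s dpt=%s  x%d" % (prefix, category, src, dst, dpt, n))
```

Run it against a real log with summarize(open("/var/log/syslog")): a rule-7 bucket made up only of stale_close entries, like the one in the question, is the noise the answer describes, while any new_attempt entries are the ones that either need an explicit allow rule or deserve a closer look.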