Iptables and Deny problem


I have configured iptables using FWBuilder, and for some reason there is one rule that keeps getting dropped. I don't know why, because all IP addresses from and to 10.208.x.x (the first server) and 10.210.x.x (which is the second server) are allowed, and so is the port I need to use, "3306":

This is the message I see in syslog:

RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.x.x DST=10.210.x.x LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=23943 DF PROTO=TCP SPT=48850 DPT=3306 WINDOW=237 RES=0x00 ACK PSH FIN URGP=0

But, as you can see, the IP and the port work fine:

root@xxx:~# telnet 10.210.x.x 3306 (from first and second server)
Trying 10.210.x.x...
Connected to 10.210.x.x.

root@xxx:~# ping 10.210.x.x
PING 10.210.x.x (10.210.x.x) 56(84) bytes of data.
64 bytes from 10.210.x.x: icmp_seq=1 ttl=61 time=0.443 ms
64 bytes from 10.210.x.x: icmp_seq=2 ttl=61 time=0.392 ms
64 bytes from 10.210.x.x: icmp_seq=3 ttl=61 time=0.445 ms
64 bytes from 10.210.x.x: icmp_seq=4 ttl=61 time=0.454 ms

Linux version:

::::::::::::::
/etc/lsb-release
::::::::::::::
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
::::::::::::::
/etc/os-release
::::::::::::::
NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Can anyone help me with this? I think it may be a misconfiguration, or maybe there is a bug.

root@*:~# sudo iptables -v -x -n -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
437254327 92783258843 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 In_RULE_0  all  --  eth0   *       10.208.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       67.192.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       192.168.33.172       0.0.0.0/0           
   56849  3410940 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
  250823 15126338 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       67.192.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.172       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.40.*.*            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.99.*.*           0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.176.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.181.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.182.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.183.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*          0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.210.*.*          0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.210.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       7     3767 ACCEPT     all  --  eth0   *       50.56.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
   81855  4256460 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
   53187  2765724 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       108.171.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       108.171.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       136.243.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       148.251.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       166.78.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       166.78.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       174.143.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       179.27.*.*/29      0.0.0.0/0            state NEW
    1088    47984 ACCEPT     all  --  eth0   *       190.64.*.*/29    0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       190.64.*.*/29     0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.1         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.2         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.3         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.4         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.19        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.24        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.41        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.42        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.50        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.55        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.101       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.102       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.103       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.106       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.107       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.108       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.121       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.161       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.163       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.164       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.165       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.166       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.167       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.168       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.169       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.170       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.171       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.173       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.174       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.175       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.176       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.181       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.182       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.200       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.201       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.219       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.220       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.246       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.247       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.237.218.99       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.222.83       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.251.56       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.251.97       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       200.57.*.*/28     0.0.0.0/0            state NEW
   11992   719520 ACCEPT     all  --  eth0   *       200.57.*.*/28    0.0.0.0/0            state NEW
      10      600 ACCEPT     all  --  eth0   *       201.131.*.*/24       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       67.192.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       192.168.33.172       0.0.0.0/0            state NEW
     779    44456 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
   90410  8134061 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 255
    3620   267644 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 In_RULE_0  all  --  eth0   *       10.208.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       67.192.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       192.168.33.172       0.0.0.0/0           
       0        0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 255
       0        0 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
487779276 80687509431 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   56849  3410940 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            10.208.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            67.192.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            192.168.33.172       state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            10.208.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            67.192.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            192.168.33.172       state NEW
       0        0 Cid30714X20128.0  all  --  *      eth0    10.208.*.*        0.0.0.0/0            state NEW
 2928645 175735100 Cid30714X20128.0  all  --  *      eth0    67.192.*.*        0.0.0.0/0            state NEW
       0        0 Cid30714X20128.0  all  --  *      eth0    192.168.33.172       0.0.0.0/0            state NEW
58835947 3530679635 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
   21733  1117948 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Cid30714X20128.0 (3 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            10.208.*.*       
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            67.192.*.*       
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.33.172      

Chain In_RULE_0 (6 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 0 --fwb-- DENY "
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain RULE_7 (3 references)
    pkts      bytes target     prot opt in     out     source               destination         
   25353  1385592 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 7 -- DENY "
   25353  1385592 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Answer 1

The rule 7 hits are actually not the problem. For TCP connections, Linux tends to use a "half-duplex" close sequence, in which either side of the session can initiate connection termination with a single two-way FIN-ACK handshake (putting the connection into the CLOSE_WAIT state) instead of the full 4-way FIN-ACK handshake. The rule 7 hit you posted is probably a leftover packet from after the connection had already been FIN-closed and forgotten, so it did not traverse your RELATED,ESTABLISHED rule and ended up at rule 7.
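The following is an added illustration of the answer above, not code from the question, the answer or the iptables project: a deliberately simplified model of netfilter connection tracking and of the question's OUTPUT chain, replaying a MySQL session that closes cleanly and then one straggling ACK/PSH/FIN. The sample log line and addresses are constructed placeholders, and the conntrack state machine is reduced to the cases that matter here (no timeouts, no mid-stream pickup).

```python
"""Simplified model of netfilter conntrack plus the question's OUTPUT chain,
showing why a late ACK/PSH/FIN for an already-closed MySQL session lands in
RULE_7.  Added illustration, not the question's, the answer's or iptables' code;
conntrack is reduced to: SYN opens a flow, FIN from both sides (or RST) closes
it, and anything else without a tracked flow is INVALID (no mid-stream pickup)."""

# Constructed sample in the format of the question's syslog line (placeholder hosts).
SAMPLE_LOG = ("RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.0.1 DST=10.210.0.2 LEN=52 "
              "TOS=0x08 PREC=0x00 TTL=64 ID=23943 DF PROTO=TCP SPT=48850 "
              "DPT=3306 WINDOW=237 RES=0x00 ACK PSH FIN URGP=0")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_nflog(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus a set of TCP flags."""
    prefix, sep, rest = line.partition("IN=")
    pkt = {"PREFIX": prefix.strip(), "FLAGS": set()}
    for tok in (sep + rest).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            pkt[key] = val
        elif tok in TCP_FLAGS:
            pkt["FLAGS"].add(tok)
    return pkt

def mkpkt(src, spt, dst, dpt, *flags):
    """Build a packet dict with the keys parse_nflog() produces."""
    return {"SRC": src, "SPT": spt, "DST": dst, "DPT": dpt, "FLAGS": set(flags)}

class Conntrack:
    """Flows keyed by the originating 4-tuple; value = directions that sent FIN."""
    def __init__(self):
        self.flows = {}

    def classify(self, pkt):
        fwd = (pkt["SRC"], pkt["SPT"], pkt["DST"], pkt["DPT"])
        rev = (pkt["DST"], pkt["DPT"], pkt["SRC"], pkt["SPT"])
        key = fwd if fwd in self.flows else rev if rev in self.flows else None
        flags = pkt["FLAGS"]
        if key is not None:
            if "FIN" in flags:
                self.flows[key].add(key == fwd)      # remember which side closed
            if "RST" in flags or len(self.flows[key]) == 2:
                del self.flows[key]                  # closed both ways: forget it
            return "ESTABLISHED"
        if flags == {"SYN"}:
            self.flows[fwd] = set()                  # first packet of a new flow
            return "NEW"
        return "INVALID"        # e.g. FIN/ACK for a flow conntrack no longer holds

def output_chain(ct, pkt, log):
    """OUTPUT chain reduced to what this traffic reaches: ESTABLISHED/NEW accept, else RULE_7."""
    if ct.classify(pkt) in ("ESTABLISHED", "NEW"):
        return "ACCEPT"
    log.append("RULE 7 -- DENY SRC=%(SRC)s DST=%(DST)s DPT=%(DPT)s" % pkt)
    return "DROP"

def replay(packets):
    """Run a packet sequence through one conntrack table; return (verdicts, log)."""
    ct, log = Conntrack(), []
    return [output_chain(ct, p, log) for p in packets], log

# Clean MySQL session (handshake, data, FIN both ways), then one straggler.
C, S = ("10.208.0.1", "48850"), ("10.210.0.2", "3306")
SESSION = [mkpkt(*C, *S, "SYN"), mkpkt(*S, *C, "SYN", "ACK"), mkpkt(*C, *S, "ACK"),
           mkpkt(*C, *S, "ACK", "PSH"), mkpkt(*S, *C, "FIN", "ACK"),
           mkpkt(*C, *S, "FIN", "ACK"), mkpkt(*C, *S, "ACK", "PSH", "FIN")]
```

Only the final packet, sent after both FINs have removed the flow, is classified INVALID and logged by RULE_7; every packet of the live session is accepted by the ESTABLISHED or NEW rules.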
