Ufw blocks packets that the configuration should allow

I have 2 servers running Ubuntu 16.04. Server 1 has IP 10.100.100.101 and server 2 has IP 10.100.100.102. Server 1 has Ufw enabled and should accept all traffic to port 8080 coming from server 2. (Server 2 runs Apache, which proxies traffic to server 1.) For some reason Ufw sometimes blocks packets coming in on port 8080. The Ufw version is 0.35. I have tried resetting the Ufw settings and restarting the server, but it made no difference. The Apache log on server 2 shows no errors matching the times of the blocked requests.

What is causing these packets to be dropped?

Server setup:

Web page (Server 2 Apache) -> Ruby http application (Server 1)

Ufw settings on server 1:

user@server1:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     DENY IN     Anywhere                  
80/tcp (v6)                DENY IN     Anywhere (v6)

So only traffic to port 80 should be blocked. But the Ufw log shows the following messages:

2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38424 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53629 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38425 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:01 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53630 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:01 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38426 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:02 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53631 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:02 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38427 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:03 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53632 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:03 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38428 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:06 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38429 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:26 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38431 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:52 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38432 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0

Active iptables rules:

Chain INPUT (policy ACCEPT 4 packets, 144 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    6082K   99G ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
2    6082K   99G ufw-before-input  all  --  any    any     anywhere             anywhere            
3    14402  875K ufw-after-input  all  --  any    any     anywhere             anywhere            
4    13502  805K ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
5    13502  805K ufw-reject-input  all  --  any    any     anywhere             anywhere            
6    13502  805K ufw-track-input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere            
2        0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere            
3        0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere            
4        0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere            
5        0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere            
6        0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    5789K  101G ufw-before-logging-output  all  --  any    any     anywhere             anywhere            
2    5789K  101G ufw-before-output  all  --  any    any     anywhere             anywhere            
3     339K   21M ufw-after-output  all  --  any    any     anywhere             anywhere            
4     339K   21M ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
5     339K   21M ufw-reject-output  all  --  any    any     anywhere             anywhere            
6     339K   21M ufw-track-output  all  --  any    any     anywhere             anywhere            

Chain ufw-after-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      900 70416 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
2        0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
3        0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
4        0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
5        0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
6        0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
7        0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
3        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
4        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
5        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
6        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
7        0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere            

Chain ufw-before-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    4656K   99G ACCEPT     all  --  lo     any     anywhere             anywhere            
2    1345K  323M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    66677 3467K ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
4    66677 3467K DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
5        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
6        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
7        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
8        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
9        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
10       0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
11   14402  875K ufw-not-local  all  --  any    any     anywhere             anywhere            
12       0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
13       0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
14   14402  875K ufw-user-input  all  --  any    any     anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    4656K   99G ACCEPT     all  --  any    lo      anywhere             anywhere            
2     794K 2513M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
3     339K   21M ufw-user-output  all  --  any    any     anywhere             anywhere            

Chain ufw-logging-allow (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    40662 2114K RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
2    19126  995K LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    13498  805K RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
2        4   144 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
3      900 70416 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
4        0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
5        0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-reject-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      900 70416 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-track-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    13498  805K ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
2        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-track-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     113K 6771K ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
2     226K   14M ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:80

Chain ufw-user-limit (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
2        0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Apache proxy configuration on server 2:

<Location /app>
    ProxyPass http://10.100.100.101:8080/app retry=3
    ProxyPassReverse http://10.100.100.101:8080/app
    Require all granted
</Location>

Answer 1

I just found another question that explains this behaviour: Why does ufw log "BLOCK" messages for a port that is configured to "allow" connections?

It is related to old connections being closed, not to actual client connections being blocked. That explains why the blocked connections have no matching entries in the proxy server's access log.
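A way to check that explanation against the log in the question, as an added example (not code from the question or the answer): the script below parses `[UFW BLOCK]` lines and separates late ACK/FIN/RST segments of connections that conntrack no longer tracks from genuine blocked connection attempts (a bare SYN). The iptables listing above supports the reading: the only INPUT logging path with non-zero counters is the `ctstate INVALID` branch of `ufw-before-input` (rules 3 and 4, 66677 packets each), `ufw-after-logging-input` is empty because the incoming policy is allow, and the port-80 DROP in `ufw-user-input` has counted nothing, so every logged block is an INVALID packet, which matches the `ACK FIN` flags on every line. The listing also explains the "sometimes": rule 1 of `ufw-logging-deny` RETURNs INVALID packets at 3/min with a burst of 10 before rule 2 logs, so only bursts of stale segments reach the log (40662 returned versus 19126 logged). The sample lines are the question's own log lines plus two lines constructed here for contrast (192.0.2.77 is a documentation address); the category names are this example's own.

```python
"""Added example: triage '[UFW BLOCK]' kernel log lines.

Separates late segments of TCP connections that conntrack has already
forgotten (logged through the 'ctstate INVALID' branch of ufw-before-input)
from genuine blocked connection attempts (a bare SYN).
"""
import re
from collections import Counter

# Bare words the netfilter LOG target emits for TCP flags.
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# key=value tokens such as SRC=10.0.0.1, DPT=8080, OUT= (empty value).
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# First three lines copied from the question; the last two are constructed
# for contrast (a bare SYN to the denied port 80, and a late RST).
SAMPLE_LOG = """\
2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38424 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0
2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53629 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0
2021-01-11 23:13:01 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38426 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0
2021-01-11 23:13:05 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=192.0.2.77 DST=10.100.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
2021-01-11 23:13:06 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=0 RES=0x00 RST URGP=0
"""


def parse_ufw_block(line):
    """Return the fields of one '[UFW BLOCK]' record, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    ts_part, payload = line.split("[UFW BLOCK]", 1)
    fields = dict(_KV.findall(payload))
    flags = frozenset(tok for tok in payload.split() if tok in TCP_FLAG_TOKENS)
    return {
        "ts": " ".join(ts_part.split()[:2]),  # e.g. "2021-01-11 23:13:00"
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": fields.get("SPT"),
        "dpt": fields.get("DPT"),
        "flags": flags,
    }


def classify(rec):
    """Label a parsed record (category names are this example's own).

    new-connection-blocked : SYN without ACK, a real connection attempt that a
                             rule or the default policy refused
    stale-segment          : no SYN but ACK/FIN/RST set, a late segment of a
                             connection conntrack no longer tracks; such
                             packets are INVALID and hit rules 3-4 of
                             ufw-before-input (log, then DROP)
    other                  : non-TCP, or a flag combination not covered above
    """
    if rec["proto"] != "TCP":
        return "other"
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        return "new-connection-blocked"
    if "SYN" not in f and f & {"ACK", "FIN", "RST"}:
        return "stale-segment"
    return "other"


def triage(log_text):
    """Count records per category and, for stale segments, per 4-tuple.

    A FIN that server 1 drops without acknowledging is retransmitted by
    server 2, so the same SRC/SPT repeating is the signature to look for.
    """
    by_category = Counter()
    stale_flows = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_block(line)
        if rec is None:
            continue
        cat = classify(rec)
        by_category[cat] += 1
        if cat == "stale-segment":
            stale_flows[(rec["src"], rec["spt"], rec["dst"], rec["dpt"])] += 1
    return {"by_category": by_category, "stale_flows": stale_flows}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for cat, n in summary["by_category"].items():
        print(f"{cat:24s} {n}")
    for flow, n in summary["stale_flows"].most_common():
        print("stale flow", flow, "seen", n, "times")
```

Run it as-is to print the summary, or feed `triage` the contents of `/var/log/ufw.log` on a real host. In the question's log the SPT 33158 series repeats at 23:13:00, :00, :01, :02, :03, :06, :26 and :52 with consecutive IP IDs, which is consistent with server 2 retransmitting an unacknowledged FIN. Because these packets are logged by the `-m conntrack --ctstate INVALID -j ufw-logging-deny` rule in `/etc/ufw/before.rules`, adding `ufw allow` rules for port 8080 will not make them go away; only entries in the `new-connection-blocked` category point at a rule or policy problem.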
