ping: unknown host with iptables enabled


I can't ping www.google.com, but I can ping the IP address:

ping 74.125.237.142

At first I thought it was a problem with my DNS settings, but I double-checked my resolv.conf, hosts and hostname. They are all correct.

When I flush all firewall rules with the following command:

iptables -F

then ping www.google.com works.

So the problem still lies in the firewall or NAT settings.

Can anyone offer some ideas? How should I write the iptables rules?

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  1476 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   34  6030 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  6030 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  6030 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 2694 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   82  9498 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  A      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public  all  --  p2p1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      A       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public  all  --  *      p2p1    0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_external (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_public  all  --  A      *       0.0.0.0/0            0.0.0.0/0           
   16  3011 IN_public  all  --  p2p1   *       0.0.0.0/0            0.0.0.0/0           
   18  3019 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_dmz (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_dmz_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_dmz_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_dmz_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_dmz_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_dmz_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_dmz_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_external (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_home (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_home_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_home_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_home_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_home_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW

Chain IN_home_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_home_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_internal (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_internal_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW

Chain IN_internal_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_internal_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   34  6030 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  6030 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  6030 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
   34  6030 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_work (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_work_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_work_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_work_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_work_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW

Chain IN_work_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_work_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Answer 1

I don't see a rule allowing UDP port 53. Without UDP port 53 you can't get DNS, so it's no surprise that name resolution fails.

You need to add a rule that allows incoming UDP traffic from port 53 (at least from your Internet access provider's DNS servers). Something like

iptables -A INPUT -p udp --sport 53 -j ACCEPT

There may be additional restrictions, possibly in different rules (I don't understand the organization of your firewall). Since your firewall rules appear to be automatically generated, you may want to change the settings of your firewall configuration tool rather than calling iptables directly.

Answer 2

To supplement the previous answer, try adding a rule that allows TCP connections in addition to the UDP traffic from the previous answer, like this:

# iptables -A INPUT -p tcp --sport 53 -j ACCEPT

A TCP connection is used when the response data exceeds 512 bytes; this is normal.
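Both answers above add a source-port 53 rule. As an added example (not from the question or either answer), the script below walks a constructed copy of the question's INPUT chain in `iptables -L -v -n` format and reports the verdict for a resolver's UDP reply: the ctstate rule at the top already accepts replies conntrack classifies as ESTABLISHED, and a rule added with `-A` lands after the final REJECT and never fires, whereas `-I` puts it first. The chain text, `SPORT53`, `parse_chain`, `verdict`, `with_rule` and `dns_reply` are all constructed for this example.

```python
# Walk a simplified iptables INPUT chain and give the verdict for a DNS reply.
# INPUT_CHAIN is a constructed sample mirroring the question's listing; jumps
# to user-defined chains (INPUT_direct etc.) are treated as non-terminal here.
import re

INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13  1476 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   34  6030 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
# How `-p udp --sport 53 -j ACCEPT` is displayed in the same listing.
SPORT53 = "    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53"
TERMINAL = {"ACCEPT", "REJECT", "DROP"}

def parse_chain(text):
    """Rule dicts from the listing; the first two lines are headers."""
    rules = []
    for line in text.splitlines()[2:]:
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extras]
        if len(f) < 9:
            continue
        extras = f[9] if len(f) > 9 else ""
        ct = re.search(r"ctstate (\S+)", extras)
        sp = re.search(r"spt:(\d+)", extras)
        rules.append({"target": f[2], "prot": f[3], "in": f[5],
                      "ctstate": set(ct.group(1).split(",")) if ct else None,
                      "sport": int(sp.group(1)) if sp else None})
    return rules

def matches(rule, pkt):
    return (rule["prot"] in ("all", pkt["proto"])
            and rule["in"] in ("*", pkt["in"])
            and (rule["ctstate"] is None or pkt["ctstate"] in rule["ctstate"])
            and (rule["sport"] is None or rule["sport"] == pkt["sport"]))

def verdict(rules, pkt):
    """First matching terminal target decides; chain jumps fall through."""
    for rule in rules:
        if matches(rule, pkt) and rule["target"] in TERMINAL:
            return rule["target"]
    return "POLICY"

def with_rule(text, rule_line, append=True):
    """Emulate `-A` (rule lands after the final REJECT) vs `-I` (rule goes first)."""
    lines = text.splitlines()
    lines.insert(len(lines) if append else 2, rule_line)
    return "\n".join(lines)

def dns_reply(ctstate, iface="p2p1"):
    """A resolver's UDP answer as conntrack would classify it."""
    return {"proto": "udp", "in": iface, "sport": 53, "ctstate": ctstate}
```

Because the first INPUT rule already admits RELATED,ESTABLISHED traffic, a useful first check on the real box is whether the resolver's replies are being tracked at all (`conntrack -L`), before widening the policy with a bare source-port rule.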
