Mysql 复制的 iptable 有什么问题

Question

我很惊讶你对 db1 和 db2 使用完全相同的脚本！当然它不能工作。

似乎您搞错了源/目标主机和源/目标端口，以及哪个服务器发起与其他服务器的连接。此外，您定义的变量不能因您所在的位置（db1 或 db2）而相同。

我已经在实验室中测试过它并且有效：

DB1 端：

#!/bin/sh
# ---------------
# DB1 side script
# ---------------

# My system IP/set ip address of server
SERVER_IP="1.1.1.1"
ALLOWED_IP="2.2.2.2,3.3.3.3,4.4.4.4"

# Flushing all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow replication from DB1 to DB2
iptables -A INPUT -p tcp -s $ALLOWED_IP --sport 1024:65535 -d $SERVER_IP --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 3306 -d $ALLOWED_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow replication from DB2 to DB1
iptables -A INPUT -p tcp -s $ALLOWED_IP --sport 3306 -d $SERVER_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d $ALLOWED_IP --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

DB2 端：

#!/bin/sh
# ---------------
# DB2 side script
# ---------------

# My system IP/set ip address of server
SERVER_IP="2.2.2.2"
ALLOWED_IP="1.1.1.1,3.3.3.3,4.4.4.4"

# Flushing all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow replication from DB1 to DB2
iptables -A INPUT -p tcp -s $ALLOWED_IP --sport 3306 -d $SERVER_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d $ALLOWED_IP --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow replication from DB2 to DB1
iptables -A INPUT -p tcp -s $ALLOWED_IP --sport 1024:65535 -d $SERVER_IP --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 3306 -d $ALLOWED_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Answer 1

我很惊讶你对 db1 和 db2 使用完全相同的脚本！当然它不能工作。

似乎您搞错了源/目标主机和源/目标端口，以及哪个服务器发起与其他服务器的连接。此外，您定义的变量不能因您所在的位置（db1 或 db2）而相同。

我已经在实验室中测试过它并且有效：

DB1 端：

#!/bin/sh
# ---------------
# DB1 side script
# ---------------

# My system IP/set ip address of server
SERVER_IP="1.1.1.1"
ALLOWED_IP="2.2.2.2,3.3.3.3,4.4.4.4"

# Flushing all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow replication from DB1 to DB2
iptables -A INPUT -p tcp -s $ALLOWED_IP --sport 1024:65535 -d $SERVER_IP --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 3306 -d $ALLOWED_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow replication from DB2 to DB1
iptables -A INPUT -p tcp -s $ALLOWED_IP --sport 3306 -d $SERVER_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d $ALLOWED_IP --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

DB2 端：

#!/bin/sh
# ---------------
# DB2 side script
# ---------------

# My system IP/set ip address of server
SERVER_IP="2.2.2.2"
ALLOWED_IP="1.1.1.1,3.3.3.3,4.4.4.4"

# Flushing all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow replication from DB1 to DB2
iptables -A INPUT -p tcp -s $ALLOWED_IP --sport 3306 -d $SERVER_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d $ALLOWED_IP --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow replication from DB2 to DB1
iptables -A INPUT -p tcp -s $ALLOWED_IP --sport 1024:65535 -d $SERVER_IP --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 3306 -d $ALLOWED_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT

# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Mysql 复制的 iptable 有什么问题

答案1

相关内容