IPTables blocking FTP on the virtual machines

I have a CentOS 5 SolusVM node installed and running. The VPS units run fine and everything seemed normal, until yesterday I found that not a single VPS could be reached over FTP. I checked the FTP configuration on the VPS units again and again. Everything is fine.

I can even connect to every single VPS unit's FTP from the master node with the following steps:

ftp IP
User:
Pass:

It connects fine and lists directories. But if I try to connect to an FTP inside the node from any other machine outside the node, it doesn't work. It times out on the directory listing:

425 Unable to build data connection: No route to host

Now, I tried disabling IPTables inside each VPS, but that had no effect. And since the node itself can connect fine, that is not the problem.

So I checked IPTables on the node to see what was going on there. If I disable the host node's IPTables, FTP works from anywhere to any VPS!

service iptables stop

So I checked the IPTables rule set, and this is the strangest part. IPTables has two rule sets!

If I run:

iptables -L

I get one rule set:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
SOLUSVM_TRAFFIC_IN  all  --  anywhere             anywhere            
SOLUSVM_TRAFFIC_OUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain SOLUSVM_TRAFFIC_IN (1 references)
target     prot opt source               destination         
           all  --  anywhere             worldopportunitiesunlimited.com 
           all  --  anywhere             worldopportunitiesunlimited.com 

Chain SOLUSVM_TRAFFIC_OUT (1 references)
target     prot opt source               destination         
           all  --  worldopportunitiesunlimited.com  anywhere            
           all  --  worldopportunitiesunlimited.com  anywhere

That domain that shows up, I have no idea what it is; I have never seen it before. So I ran grep for the domain in /etc/sysconfig but found nothing related to it.

So I ran:

service iptables status

This command gives me the standard SolusVM IPTables rule set:

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    SOLUSVM_TRAFFIC_IN  all  --  0.0.0.0/0            0.0.0.0/0           
2    SOLUSVM_TRAFFIC_OUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain SOLUSVM_TRAFFIC_IN (1 references)
num  target     prot opt source               destination         
1               all  --  0.0.0.0/0            IP1        
2               all  --  0.0.0.0/0            IP2

Chain SOLUSVM_TRAFFIC_OUT (1 references)
num  target     prot opt source               destination         
1               all  --  IP1         0.0.0.0/0           
2               all  --  IP2         0.0.0.0/0

If I run iptables -F it flushes fine. But FTP still does not work. Only running service iptables stop makes FTP reachable.

Now, when I restart IPTables, the following list of modules is shown:

Loading additional iptables modules: ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_ow

When I restart IPTables, the first rule set comes back, even after flushing.

I checked the file /etc/sysconfig/iptables, and it contains the second rule set. I also tried iptables-restore < /etc/sysconfig/iptables, but that does not seem to replace the first, strange rule set.

That said, I am the only one who has ever used this machine. It was freshly installed two days ago.

EDIT

# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*filter
:INPUT ACCEPT [17254:1825032]
:FORWARD ACCEPT [735270:692897288]
:OUTPUT ACCEPT [19783:3216097]
:SOLUSVM_TRAFFIC_IN - [0:0]
:SOLUSVM_TRAFFIC_OUT - [0:0]
-A FORWARD -j SOLUSVM_TRAFFIC_IN 
-A FORWARD -j SOLUSVM_TRAFFIC_OUT 
-A SOLUSVM_TRAFFIC_IN -d IP1 
-A SOLUSVM_TRAFFIC_IN -d IP2 
-A SOLUSVM_TRAFFIC_OUT -s IP1 
-A SOLUSVM_TRAFFIC_OUT -s IP2 
COMMIT
# Completed on Tue Feb 11 07:21:08 2014
# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*mangle
:PREROUTING ACCEPT [751388:694616048]
:INPUT ACCEPT [17254:1825032]
:FORWARD ACCEPT [735270:692897288]
:OUTPUT ACCEPT [19785:3216361]
:POSTROUTING ACCEPT [755055:696113649]
COMMIT
# Completed on Tue Feb 11 07:21:08 2014
# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*nat
:PREROUTING ACCEPT [21350:1445366]
:POSTROUTING ACCEPT [21818:1488532]
:OUTPUT ACCEPT [1876:127401]
COMMIT
# Completed on Tue Feb 11 07:21:08 2014

Answer 1

SolusVM loads a bunch of modules that only OpenVZ needs, not Xen units. To fix this, edit the file "/etc/sysconfig/iptables-config" and remove this line:

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT"

and replace it with this line:

IPTABLES_MODULES="ip_conntrack_netbios_ns"

Once done, restart IPTables:

service iptables restart

This solved the problem.

Credit: Passive FTP and SolusVM
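The edit the answer describes, scripted as an added example (this is not code from the original post or from SolusVM): it rewrites the IPTABLES_MODULES line of an iptables-config file, keeps a backup, and lets you check what the file lists before and after. The sample config it builds is constructed here; its module list is the one quoted in the answer, and the other two keys are typical CentOS 5 defaults. On a real node the target path is /etc/sysconfig/iptables-config and the change takes effect after service iptables restart.

```shell
#!/bin/sh
# Added example: swap the IPTABLES_MODULES value in an iptables-config file
# the way the answer describes, and verify the result before restarting.
set -eu

# Constructed sample of /etc/sysconfig/iptables-config (not copied from a real node).
make_sample_config() {
  cat > "$1" <<'EOF'
# Additional iptables modules (nat helpers) loaded on startup.
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT"
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
EOF
}

# Print the current IPTABLES_MODULES value (empty output if the key is absent).
get_iptables_modules() {
  sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$1"
}

# Exit 0 if the named module appears in IPTABLES_MODULES, 1 otherwise.
lists_module() {
  get_iptables_modules "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# Number of modules in IPTABLES_MODULES (word-splitting the value on purpose).
count_modules() {
  # shellcheck disable=SC2046
  set -- $(get_iptables_modules "$1")
  echo $#
}

# Replace the IPTABLES_MODULES line with the given module list, keeping a .bak
# copy. Writes to a temp file and renames, so a failed sed never truncates the
# config. Module names contain no '|' or '&', so they are safe in the sed RHS.
set_iptables_modules() {
  _cfg=$1; _modules=$2
  cp -p "$_cfg" "$_cfg.bak"
  sed "s|^IPTABLES_MODULES=.*|IPTABLES_MODULES=\"$_modules\"|" "$_cfg" > "$_cfg.tmp"
  mv "$_cfg.tmp" "$_cfg"
}

# Demo on a throwaway copy; for the real file use /etc/sysconfig/iptables-config
# and follow up with: service iptables restart
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
echo "before: $(count_modules "$demo_cfg") modules; ip_nat_ftp listed: $(lists_module "$demo_cfg" ip_nat_ftp && echo yes || echo no)"
set_iptables_modules "$demo_cfg" "ip_conntrack_netbios_ns"
echo "after:  IPTABLES_MODULES=\"$(get_iptables_modules "$demo_cfg")\""
rm -f "$demo_cfg" "$demo_cfg.bak"
```

One caveat worth keeping in mind when reading the two listings in the question: `iptables -L` without `-n` resolves every address through reverse DNS, whereas the numbered listing from `service iptables status` prints raw addresses, so compare rule sets with `iptables -nL` (or `iptables-save`) before concluding that two different rule sets are loaded.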
