I have installed and am running a CentOS 5 SolusVM node. The VPS units run fine and everything seemed to be working, until yesterday I found that not a single VPS could be reached over FTP. I checked the FTP configuration of the VPS units again and again. Everything is fine.
I can even connect from the main node to each individual VPS unit's FTP with these steps:
ftp IP
User:
Pass:
It connects fine and lists the directory. But if I try to connect to an FTP inside the node from any other machine outside the node, it does not work. It times out on the directory listing:
425 Unable to build data connection: No route to host
Now, I tried disabling IPTables inside each VPS, but that did nothing. And since the node can connect fine, that is not where the problem is.
So I checked the IPTables on the node to see what was going on there. If I disable the host node's IPTables, FTP works from anywhere to any VPS!
service iptables stop
So I checked the IPTables rule set, and this is the weirdest part. IPTables has two rule sets!
If I run:
iptables -L
I get one rule set:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
SOLUSVM_TRAFFIC_IN all -- anywhere anywhere
SOLUSVM_TRAFFIC_OUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain SOLUSVM_TRAFFIC_IN (1 references)
target prot opt source destination
all -- anywhere worldopportunitiesunlimited.com
all -- anywhere worldopportunitiesunlimited.com
Chain SOLUSVM_TRAFFIC_OUT (1 references)
target prot opt source destination
all -- worldopportunitiesunlimited.com anywhere
all -- worldopportunitiesunlimited.com anywhere
That domain name that shows up, I have no idea what it is; I have never seen it before. So I ran grep for that domain name in /etc/sysconfig but found nothing related to it.
Then I ran:
service iptables status
This command gave me SolusVM's standard IPTables rule set:
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 SOLUSVM_TRAFFIC_IN all -- 0.0.0.0/0 0.0.0.0/0
2 SOLUSVM_TRAFFIC_OUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain SOLUSVM_TRAFFIC_IN (1 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 IP1
2 all -- 0.0.0.0/0 IP2
Chain SOLUSVM_TRAFFIC_OUT (1 references)
num target prot opt source destination
1 all -- IP1 0.0.0.0/0
2 all -- IP2 0.0.0.0/0
If I run iptables -F it flushes fine. But FTP still does not work. Only running service iptables stop makes FTP reachable.
Now, when I restart IPTables, the following list of modules is shown:
Loading additional iptables modules: ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_ow
When I restart IPTables, the first rule set comes back, even after flushing.
I checked the file /etc/sysconfig/iptables, and it contains the second rule set. I also tried iptables-restore < /etc/sysconfig/iptables but that does not seem to replace the first, strange rule set.
That said, I am the only one who has used this machine. It was freshly installed two days ago.
EDIT
# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*filter
:INPUT ACCEPT [17254:1825032]
:FORWARD ACCEPT [735270:692897288]
:OUTPUT ACCEPT [19783:3216097]
:SOLUSVM_TRAFFIC_IN - [0:0]
:SOLUSVM_TRAFFIC_OUT - [0:0]
-A FORWARD -j SOLUSVM_TRAFFIC_IN
-A FORWARD -j SOLUSVM_TRAFFIC_OUT
-A SOLUSVM_TRAFFIC_IN -d IP1
-A SOLUSVM_TRAFFIC_IN -d IP2
-A SOLUSVM_TRAFFIC_OUT -s IP1
-A SOLUSVM_TRAFFIC_OUT -s IP2
COMMIT
# Completed on Tue Feb 11 07:21:08 2014
# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*mangle
:PREROUTING ACCEPT [751388:694616048]
:INPUT ACCEPT [17254:1825032]
:FORWARD ACCEPT [735270:692897288]
:OUTPUT ACCEPT [19785:3216361]
:POSTROUTING ACCEPT [755055:696113649]
COMMIT
# Completed on Tue Feb 11 07:21:08 2014
# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*nat
:PREROUTING ACCEPT [21350:1445366]
:POSTROUTING ACCEPT [21818:1488532]
:OUTPUT ACCEPT [1876:127401]
COMMIT
# Completed on Tue Feb 11 07:21:08 2014
Answer 1
SolusVM loads a bunch of modules that only OpenVZ needs and Xen units do not. To fix this, edit the file "/etc/sysconfig/iptables-config" and remove this line:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT"
and replace it with the following line:
IPTABLES_MODULES="ip_conntrack_netbios_ns"
Once done, restart IPTables:
service iptables restart
That solved the problem.
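As an added example (not code from the question, the answer, or SolusVM), the script below rehearses the fix from the answer on a copy of the config file before it is applied to the real /etc/sysconfig/iptables-config: it reads the IPTABLES_MODULES line, reports whether an FTP conntrack/NAT helper such as ip_nat_ftp is in the list, and swaps the list for the one the answer gives while keeping a .bak of the original. The function names, the SAMPLE_CONFIG text and the temporary-file rehearsal are this example's own constructions. One point worth noting for anyone comparing the two listings in the question: they are the same rule set; iptables -L resolves addresses through reverse DNS (which is where the unfamiliar domain comes from), while service iptables status prints them numerically, as iptables -L -n would.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Rewrites the IPTABLES_MODULES list in a RHEL/CentOS 5 style
# iptables-config file. Every function takes the file path as $1 so the
# change can be rehearsed on a copy before touching /etc/sysconfig/iptables-config.

# Constructed sample of the file; the IPTABLES_MODULES line is the one quoted in the answer.
SAMPLE_CONFIG='# Additional iptables modules loaded by the init script
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT"
IPTABLES_SAVE_ON_STOP="no"'

# Replacement list given in the answer for a Xen node.
XEN_MODULES="ip_conntrack_netbios_ns"

# Print the module list configured in file $1 (prints nothing if the line is absent).
get_iptables_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$1"
}

# Return 0 if the configured list names an FTP conntrack/NAT helper.
has_ftp_helper() {
    get_iptables_modules "$1" | tr ' ' '\n' |
        grep -q -e '^ip_nat_ftp$' -e '^ip_conntrack_ftp$' \
                -e '^nf_nat_ftp$' -e '^nf_conntrack_ftp$'
}

# Replace the IPTABLES_MODULES line of file $1 with the list in $2.
# Keeps a .bak copy of the original; returns 1 if the line is missing.
# (Module names never contain sed's special characters & or |, so the
# list can be substituted directly.)
set_iptables_modules() {
    file=$1
    modules=$2
    grep -q '^IPTABLES_MODULES=' "$file" || return 1
    cp "$file" "$file.bak"
    sed "s|^IPTABLES_MODULES=.*|IPTABLES_MODULES=\"$modules\"|" "$file.bak" > "$file"
}

# Rehearsal on a temporary copy: show the list before and after the change.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    echo "before: $(get_iptables_modules "$tmp")"
    if has_ftp_helper "$tmp"; then
        echo "FTP helper present in the configured list"
    fi
    set_iptables_modules "$tmp" "$XEN_MODULES"
    echo "after:  $(get_iptables_modules "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

To apply it for real, run set_iptables_modules /etc/sysconfig/iptables-config "$XEN_MODULES" as root and then service iptables restart, as the answer says; the .bak left beside the file is the rollback.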