我正在尝试为托管 Java 应用程序和 ES 的服务器设置防火墙。两者都在同一台服务器上,并相互通信。我遇到的问题是我的防火墙配置阻止 Java 连接到 ES。不知道为什么......我尝试了很多方法,例如将端口范围 9200:9400 开放到服务器 IP,但没有任何效果,但据我所知,使用此配置应该允许服务器内部的所有通信。
这个想法是,ES 不应该从外部访问,但应该可以从这个 java 应用程序访问,并且 ES 使用端口范围 9200:9400。
这是我的 iptables 脚本:
echo -e Deleting rules for INPUT chain
iptables -F INPUT
echo -e Deleting rules for OUTPUT chain
iptables -F OUTPUT
echo -e Deleting rules for FORWARD chain
iptables -F FORWARD
echo -e Setting by default the drop policy on each chain
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo -e Open all ports from/to localhost
iptables -A INPUT -i lo -j ACCEPT
echo -e Open SSH port 22 with brute force security
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
echo -e Open NGINX port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
echo -e Open NGINX SSL port 443
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
echo -e Enable DNS
iptables -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
当此配置到位时,我在 Java 应用程序中获得了它:
org.elasticsearch.cluster.block.ClusterBlockException: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];[SERVICE_UNAVAILABLE/2/no master];
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:292)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1185)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:537)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:700)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:760)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:482)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:403)
你们有人发现这个配置和 ES 有问题吗?
提前致谢
答案1
添加此项可修复该问题:
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT