What do the following rules mean? They were set up by the system administrator and seem to work fine, but I think there is some redundancy in them. My goal is to allow connections on port 11211. This is on a memcache server that is connected to from various web servers.
memcache server internal IP: 10.181.16.192
memcache server external IP: 166.78.9.65
# Generated by iptables-save v1.4.7 on Sat Sep 27 14:15:42 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [198925:147304500]
:RH-Firewall-1-INPUT - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -s 10.181.16.192/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m tcp --dport 11211 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.181.26.42/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.181.16.192/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -m comment --comment "HTTPS" -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A RH-Firewall-1-INPUT -s 67.222.16.43/32 -p tcp -m tcp --dport 3306 -m comment --comment "MySQL" -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m tcp --dport 3306 -m comment --comment "MySQL" -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.181.16.33/32 -i eth1 -p tcp -m tcp --dport 11211 -m comment --comment "memcached" -j ACCEPT
-A RH-Firewall-1-INPUT -s 166.78.10.99/32 -i eth1 -p tcp -m tcp --dport 11211 -m comment --comment "memcached" -j ACCEPT
-A RH-Firewall-1-INPUT -s 174.143.23.0/25 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -s 174.143.23.0/25 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -s 50.56.142.128/26 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -s 180.150.149.64/26 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -s 69.20.52.192/26 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -s 78.136.44.0/26 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -s 50.57.61.0/26 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -s 173.241.208.122/32 -m comment --comment "developer" -j ACCEPT
-A RH-Firewall-1-INPUT -s 204.232.241.45/32 -m comment --comment "developer" -j ACCEPT
-A RH-Firewall-1-INPUT -s 184.106.252.94/32 -m comment --comment "developer" -j ACCEPT
-A RH-Firewall-1-INPUT -s 178.219.251.50/32 -m comment --comment "developer" -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -m comment --comment "localhost" -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -m comment --comment "ping" -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Sat Sep 27 14:15:42 2014
Answer 1
The only duplicated definition is:
-A INPUT -s 10.181.16.192/32 -p tcp -m tcp --dport 11211 -j ACCEPT
The same definition is also in the RH-Firewall-1-INPUT chain, which is used after the normal INPUT chain.
Assuming eth1 here is used for the internal network and eth0 is the external network.
But there is one problem: the ICMP firewall is misconfigured. Only ping packets can get through, which means path MTU discovery does not work properly and may cause some problems. Destination Unreachable packets should also be allowed through.
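As an added example (my own code, not part of the question or the answer), the following Python script walks the INPUT path of the dump above the way the kernel does, inlining the unconditional jump into RH-Firewall-1-INPUT, and reports every rule whose matches are entirely covered by an earlier rule with a terminal target, so the later rule can never fire. It only models the matches this dump actually uses (-s, -i, -p, --dport/--dports); any other match module (such as -m state) is kept as an opaque constraint that must appear verbatim in the later rule before the earlier one counts as covering it. The embedded RULESET is an abridged copy of the -A lines from the question. Besides the 10.181.16.192 duplicate the answer names, it also flags the two "memcached" rules with -s ... -i eth1 --dport 11211 (already covered by the broad -i eth1 --dport 11211 ACCEPT) and the repeated "Rackspace monitoring" line.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
OPTION_MODULES = {"tcp", "udp", "multiport", "icmp"}  # only unlock --dport etc.; no match of their own

# Abridged copy of the -A lines from the question's iptables-save dump.
RULESET = """\
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -s 10.181.16.192/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m tcp --dport 11211 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.181.26.42/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.181.16.192/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.181.16.33/32 -i eth1 -p tcp -m tcp --dport 11211 -m comment --comment "memcached" -j ACCEPT
-A RH-Firewall-1-INPUT -s 166.78.10.99/32 -i eth1 -p tcp -m tcp --dport 11211 -m comment --comment "memcached" -j ACCEPT
-A RH-Firewall-1-INPUT -s 174.143.23.0/25 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -s 174.143.23.0/25 -m comment --comment "Rackspace monitoring" -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -m comment --comment "ping" -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-ssh -j RETURN
"""


@dataclass
class Rule:
    text: str
    chain: str
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[frozenset] = None
    extra: tuple = ()  # unmodelled matches kept verbatim, e.g. ('-m', 'state', '--state', 'RELATED,ESTABLISHED')


def parse_rule(line):
    t, i, extra = shlex.split(line), 2, []
    r = Rule(text=line, chain=t[1])
    while i < len(t):
        tok, arg = t[i], t[i + 1] if i + 1 < len(t) else ""
        if tok == "-j":
            r.target = arg  # anything after the target is a target option, not a match
            break
        if tok == "-m" and arg == "comment":
            i += 4  # -m comment --comment "text" is documentation only
        elif (tok == "-m" and arg in OPTION_MODULES) or (tok == "--icmp-type" and arg == "any"):
            i += 2  # constrains nothing by itself
        elif tok == "-s":
            r.src = ipaddress.ip_network(arg, strict=False); i += 2
        elif tok == "-i":
            r.iface = arg; i += 2
        elif tok == "-p":
            r.proto = arg; i += 2
        elif tok in ("--dport", "--dports"):
            r.dports = frozenset(arg.split(",")); i += 2
        else:
            extra.append(tok); i += 1
    r.extra = tuple(extra)
    return r


def covers(a, b):
    """True when every packet that matches rule b also matches rule a."""
    return ((a.src is None or (b.src is not None and b.src.subnet_of(a.src)))
            and a.iface in (None, b.iface)
            and a.proto in (None, b.proto)
            and (a.dports is None or (b.dports is not None and b.dports <= a.dports))
            and set(a.extra) <= set(b.extra))


def evaluation_order(chains, chain):
    """Linearise a chain, inlining unconditional jumps into user-defined chains."""
    order = []
    for r in chains.get(chain, []):
        if r.target in chains and not any((r.src, r.iface, r.proto, r.dports, r.extra)):
            order.extend(evaluation_order(chains, r.target))
        else:
            order.append(r)
    return order


def find_shadowed(dump, chain="INPUT"):
    """Return (never-reached rule, earlier rule that covers it) pairs in evaluation order."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule.chain, []).append(rule)
    order = evaluation_order(chains, chain)
    findings = []
    for idx, later in enumerate(order):
        for earlier in order[:idx]:
            if earlier.target in TERMINAL and covers(earlier, later):
                findings.append((later.text, earlier.text))
                break
    return findings
```

Run it with `for later, earlier in find_shadowed(RULESET): print(later, "\n    covered by:", earlier)`, or feed it the full output of `iptables-save` in place of RULESET. The conditional jump to fail2ban-ssh on port 22 is deliberately not inlined: a rule with its own matches that jumps to a user chain is kept as a non-terminal entry, so it neither shadows nor is shadowed, which keeps the analysis conservative rather than guessing what the sub-chain returns.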