I recently set up a VPS server running CentOS 6.5 along with Web Host Manager. My current problem is that I cannot resolve hostnames via nslookup or ping on the command line. However, when I log in as root, I can ping, do nslookups, etc.
When logged in as a non-root user, I run the following commands and get no results:
user@server [~]# ping google.com
ping: unknown host google.com
user@server [~]# nslookup google.com
;; connection timed out; trying next origin
user@server [~]# ping 74.125.230.226
ping: icmp open socket: Operation not permitted
user@server [~]# nslookup 74.125.230.226
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached
However, when I log in as root, all of the above commands work as expected:
root@server [~]# ping google.com
PING google.com (74.125.230.224) 56(84) bytes of data.
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=1 ttl=52 time=198 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=2 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=3 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=4 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=5 ttl=52 time=198 ms
nslookup google.com
Server: 196.7.7.7
Address: 196.7.7.7#53
Non-authoritative answer:
Name: google.com
Address: 74.125.230.233
Name: google.com
Address: 74.125.230.238
Name: google.com
Address: 74.125.230.227
Name: google.com
Address: 74.125.230.229
Name: google.com
Address: 74.125.230.225
Name: google.com
Address: 74.125.230.228
Name: google.com
Address: 74.125.230.232
Name: google.com
Address: 74.125.230.224
Name: google.com
Address: 74.125.230.226
Name: google.com
Address: 74.125.230.231
Name: google.com
Address: 74.125.230.230
I can read the files /etc/resolv.conf and /etc/nsswitch.conf as the non-root user.
I run Apache with suExec and mod_security, and SELinux is set to permissive.
When I run certain commands from the website, I get messages like the following:
Curl/fopen in PHP gives these messages:
* , referer: http://www.domain
Hostname was NOT found in DNS cache, referer: http://www.domain
getaddrinfo(3) failed
I'm still new to server setup and I can't for the life of me figure out where the problem is.
UPDATE:
Contents of /etc/resolv.conf:
nameserver 196.7.7.7
nameserver 196.7.8.9
IPTABLES output - iptables -nvL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1546 201K cP-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
1533 200K acctboth all -- * * 0.0.0.0/0 0.0.0.0/0
561 94135 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 120 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:1023,2082:2083,3306,2086:2087,2095:2096,30000:32760
689 59006 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:1023
0 0 ACCEPT tcp -- * * 41.76.213.0/24 0.0.0.0/0 multiport dports 5666
0 0 ACCEPT tcp -- * * 41.86.112.0/24 0.0.0.0/0 multiport dports 5666
0 0 ACCEPT tcp -- * * 197.242.159.6 0.0.0.0/0 multiport dports 1167
0 0 ACCEPT tcp -- * * 197.242.150.150 0.0.0.0/0 multiport dports 1167
0 0 ACCEPT tcp -- * * 196.33.227.219 0.0.0.0/0 multiport dports 1167
0 0 ACCEPT tcp -- * * 197.242.144.0/21 0.0.0.0/0 multiport dports 9999
0 0 ACCEPT tcp -- * * 196.33.227.0/24 0.0.0.0/0 multiport dports 9999
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
278 46670 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:0x17/0x02 limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
2 72 LOG !tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
3 116 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 cP-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
588 112K acctboth all -- * * 0.0.0.0/0 0.0.0.0/0
569 111K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 604 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 12
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20
3 180 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
9 640 out-bad all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 110,143,995,80,443,21
0 0 ACCEPT all -- * * 0.0.0.0/0 197.242.155.155
0 0 ACCEPT all -- * * 0.0.0.0/0 197.242.144.144
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:0x17/0x02 LOG flags 8 level 4 prefix `out-new:'
8 568 LOG !tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 8 level 4 prefix `out-new:'
9 640 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain acctboth (2 references)
pkts bytes target prot opt in out source destination
Chain cP-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2078
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2082
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2077
9 492 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:26
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2086
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2087
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2095
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2096
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2083
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
Chain out-bad (1 references)
pkts bytes target prot opt in out source destination
Answer 1
There are a lot of rules, and they are quite restrictive. Find the rule that creates this:
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0
Also match your "normal" user ID and/or the apache user ID, and adapt it to accept outgoing UDP traffic to port 53.
For example, for the user "apache", add immediately after the previous rule:
/sbin/iptables -A OUTPUT -p udp -m owner --uid-owner apache --dport 53 -j ACCEPT
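As an added example (not code from the question or either answer), this Python script replays the question's OUTPUT chain against a resolver query owned by a given UID/GID, so you can see why root's lookups pass the `owner UID match 0` rule while every other user falls through to the final REJECT, and check that the owner-match rule from Answer 1 changes the verdict. The apache UID of 48, the eth0 interface name and the match text of the new rule are assumptions.

```python
import re
# Constructed from the OUTPUT chain of the question's `iptables -nvL -t filter` (rules that
# cannot match an outbound DNS query were left out; the empty user chains fall through).
OUTPUT_CHAIN = """\
569 111K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 604 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 12
3 180 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 110,143,995,80,443,21
8 568 LOG !tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 8 level 4 prefix `out-new:'
9 640 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""
# Answer 1's fix as `iptables -nvL` would print it; UID 48 for apache is an assumption.
APACHE_DNS_RULE = "0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 48 udp dpt:53"

def parse(chain_text):
    """Split `iptables -nvL` rule lines: pkts bytes target prot opt in out src dst [matches]."""
    rows = [line.split(None, 9) for line in chain_text.splitlines()]
    return [{"target": f[2], "proto": f[3], "out": f[6], "extras": f[9] if len(f) > 9 else ""}
            for f in rows]

def port_in(port, spec):  # spec looks like "80", "110,143" or "1:1023,2082:2083"
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (s.partition(":") for s in spec.split(",")))

def rule_matches(r, p):
    neg, proto = r["proto"].startswith("!"), r["proto"].lstrip("!")  # "!tcp" means not tcp
    if proto != "all" and (p["proto"] == proto) == neg: return False
    if r["out"] not in ("*", p["out"]): return False
    checks = [(r"state (\S+)", lambda v: p["state"] in v.split(",")),
              (r"owner UID match (\d+)", lambda v: p["uid"] == int(v)),
              (r"owner GID match (\d+)", lambda v: p["gid"] == int(v)),
              (r"\bspt:(\d+)", lambda v: p["sport"] == int(v)),
              (r"\bdpt:(\d+)", lambda v: p["dport"] == int(v)),
              (r"dports ([\d,:]+)", lambda v: port_in(p["dport"], v))]
    return all(ok(m.group(1)) for pat, ok in checks for m in [re.search(pat, r["extras"])] if m)

def verdict(rules, p):
    """First terminal target wins; LOG and the empty user chains fall through to the end."""
    for r in rules:
        if r["target"] in ("ACCEPT", "DROP", "REJECT") and rule_matches(r, p): return r["target"]
    return "ACCEPT"  # chain policy

def with_fix(rules, rule_text):
    """Insert the new rule right after the `owner UID match 0` rule, as Answer 1 suggests."""
    i = next(n for n, r in enumerate(rules) if "UID match 0" in r["extras"])
    return rules[:i + 1] + parse(rule_text) + rules[i + 1:]

def dns_query(uid, gid, proto="udp"):
    """A new port-53 query leaving eth0 from a process owned by uid/gid (constructed packet)."""
    return {"proto": proto, "dport": 53, "sport": 40000, "uid": uid, "gid": gid,
            "out": "eth0", "state": "NEW"}
```

The suggested rule only covers UDP; a truncated response is retried over TCP port 53, which this chain still rejects, so a matching tcp rule for the same owners is worth adding at the same time.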
Answer 2
Hmm... I suspect the permissions on the /etc/resolv.conf file are not correct.