iptables starts dropping packets; temporarily fixed by a restart; only from home

I am running a small apache2/iRedMail server and have run into a problem with iptables. After working fine for a while (hours), my server becomes unreachable EDIT: from my home internet connection on certain ports (tested ports 80 and 443, EDIT: apache?) until I restart the iptables service (sudo service iptables restart). Doing that makes everything work again! I have no idea what causes this, especially since it only shows up hours after restarting the iptables service.

Which log files can I look at? The kern.log file does not show anything obvious (I read that it contains information about iptables).

All iptables rules are configured in the standard file used by iRedMail, /etc/default/iptables.

Thanks in advance!

edit1: output of iptables -L -n -v

user@server:~$ sudo iptables -L -n -v
Chain INPUT (policy DROP 102 packets, 19966 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9500 2164K fail2ban-dovecot  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
18543 6112K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  229 13256 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   33  1628 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8888
  109  6520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
   14   808 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
   18  1104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:17655
    1    60 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16026 packets, 9143K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-dovecot (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9500 2164K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

edit2: It looks like my iptables file was changed on December 15; this is what it looks like now:

# Generated by iptables-save v1.4.14 on Mon Dec 15 23:35:36 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [137:211520]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 17655 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Mon Dec 15 23:35:36 2014

This is how it looked before, taken from an old backup; apart from the comments there are differences as well.

#---------------------------------------------------------------------
# This file is part of iRedMail, which is an open source mail server
# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.
#
# iRedMail is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# iRedMail is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with iRedMail.  If not, see <http://www.gnu.org/licenses/>.
#---------------------------------------------------------------------

#
# Sample iptables rules. It should be located at:
#   /etc/sysconfig/iptables
#
# Shipped within iRedMail project:
#   * http://iRedMail.googlecode.com/
#

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# ssh
-A INPUT -p tcp --dport 17655 -j ACCEPT
#-A INPUT -p tcp --dport 9999 -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ejabberd
#-A INPUT -p tcp --dport 5222 -j ACCEPT
#-A INPUT -p tcp --dport 5223 -j ACCEPT
#-A INPUT -p tcp --dport 5280 -j ACCEPT

# ldap/ldaps
#-A INPUT -p tcp --dport 389 -j ACCEPT
#-A INPUT -p tcp --dport 636 -j ACCEPT

# ftp.
#-A INPUT -p tcp --dport 20 -j ACCEPT
#-A INPUT -p tcp --dport 21 -j ACCEPT

COMMIT

New output of iptables -L -n -v

user@server:~$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 1879 packets, 840K bytes)
 pkts bytes target     prot opt in     out     source               destination
  694  227K fail2ban-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
  694  227K fail2ban-dovecot  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
  694  227K fail2ban-roundcube  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
    0     0 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1706 packets, 707K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-dovecot (1 references)
 pkts bytes target     prot opt in     out     source               destination
  694  227K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-postfix (1 references)
 pkts bytes target     prot opt in     out     source               destination
  694  227K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-roundcube (1 references)
 pkts bytes target     prot opt in     out     source               destination
  694  227K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

edit3: output of sudo cat /proc/net/nf_conntrack, with the server IP replaced. It seems rather short.

ipv4     2 udp      17 145 src=<SERVERIP> dst=213.239.239.166 sport=123 dport=123 src=213.239.239.166 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39571 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39571 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4707 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4707 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=92.121.32.40 dst=<SERVERIP> sport=4709 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4709 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431291 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=46386 dport=389 src=127.0.0.1 dst=127.0.0.1 sport=389 dport=46386 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39572 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39572 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=92.121.32.40 dst=<SERVERIP> sport=4705 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4705 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50519 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50519 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 112 src=<SERVERIP> dst=213.239.239.164 sport=123 dport=123 src=213.239.239.164 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50515 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50515 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4704 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4704 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50517 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50517 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39573 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39573 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50523 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50523 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50521 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50521 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4701 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4701 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50525 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50525 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 113 src=<SERVERIP> dst=213.239.239.165 sport=123 dport=123 src=213.239.239.165 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4706 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4706 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39570 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39570 [ASSURED] mark=0 zone=0 use=2

Answer 1

It sounds like you have hit the limit of the conntrack table.

iptables tracks every TCP connection you "accept" in a table called "conntrack". This table is used to automatically allow future packets of that connection (sent and received), i.e. it keeps the "state" of each connection. Because it tracks which ephemeral port is in use, this is more secure than a stateless firewall. http://conntrack-tools.netfilter.org/manual.html

These connections are stored in memory (the "conntrack" table, or state table). The size of the table is limited. Once the table is full, no new connections are accepted, even if you have an "ACCEPT" rule that matches them.

You can see the table by reading the file /proc/net/nf_conntrack:

cat /proc/net/nf_conntrack

You can count the lines in the table to see how full it is:

wc -l /proc/net/nf_conntrack

You can see the maximum table size by reading a sysctl variable:

# sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 4194304

You can set the size with sysctl. Be sure to update /etc/sysctl.conf as well so that it is also set after a reboot.

My guess is that you have it set to the default, which is very small.

My recommendations:

  • Increase the size of the table.
  • Your monitoring system should track how many connections are in the table, so you can see how it grows over time.
  • Set up your monitoring system to alert when the table is close to full, so you can increase it before things break.
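Reading the nf_conntrack format shown in edit3 and checking the entry count against nf_conntrack_max, as the answer recommends, as an added example (Python; not code from the question or the answer). The sample entries are constructed with documentation addresses and keep <SERVERIP> as a placeholder; read_live, fill_check and the 80% warning threshold are my own names and assumptions.

```python
"""Parse /proc/net/nf_conntrack entries and report how full the state table is.

Added example, not code from the question or the answer. SAMPLE is constructed
in the format shown in edit3; the live read of /proc is optional.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

SAMPLE = """\
ipv4     2 udp      17 145 src=<SERVERIP> dst=198.51.100.10 sport=123 dport=123 src=198.51.100.10 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39571 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39571 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=192.0.2.7 dst=<SERVERIP> sport=4707 dport=443 src=<SERVERIP> dst=192.0.2.7 sport=443 dport=4707 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.7 dst=<SERVERIP> sport=4709 dport=443 src=<SERVERIP> dst=192.0.2.7 sport=443 dport=4709 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.9 dst=<SERVERIP> sport=53000 dport=53 [UNREPLIED] src=<SERVERIP> dst=192.0.2.9 sport=53 dport=53000 mark=0 zone=0 use=2
"""

# Layout of one entry: l3proto l3num l4proto l4num timeout [tcp-state] key=value... [FLAG]...
HEAD_RE = re.compile(r"^(?P<l3>\S+)\s+\d+\s+(?P<l4>\S+)\s+\d+\s+(?P<timeout>\d+)\s*(?P<rest>.*)$")

@dataclass
class Entry:
    l4: str
    timeout: int      # seconds until the kernel expires the entry
    state: str        # TCP state, or the protocol name for stateless protocols
    src: str          # original-direction source (first src= token)
    dport: int        # original-direction destination port
    assured: bool     # [ASSURED] entries are the last ones evicted under pressure

def parse_entry(line: str) -> Optional[Entry]:
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    toks = m.group("rest").split()
    # TCP entries carry a state word before the first key=value token; UDP does not.
    state = toks.pop(0) if toks and "=" not in toks[0] and not toks[0].startswith("[") else m.group("l4")
    first = {}      # first occurrence of each key is the original direction
    flags = set()
    for tok in toks:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])
        elif "=" in tok:
            k, v = tok.split("=", 1)
            first.setdefault(k, v)
    return Entry(m.group("l4"), int(m.group("timeout")), state,
                 first.get("src", "?"), int(first.get("dport", 0)), "ASSURED" in flags)

def parse_table(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]

def summarize(entries: List[Entry]):
    """Counts per state (ESTABLISHED, TIME_WAIT, udp, ...) and per destination port."""
    return Counter(e.state for e in entries), Counter(e.dport for e in entries)

def fill_check(count: int, nf_conntrack_max: int, warn_at: float = 0.8):
    """Return (ratio, alarm). At ratio 1.0 the kernel drops new connections regardless
    of ACCEPT rules; warn_at (assumed 80%) is where raising nf_conntrack_max, and
    persisting it in /etc/sysctl.conf, should happen."""
    ratio = count / nf_conntrack_max
    return ratio, ratio >= warn_at

def read_live():
    """Read the kernel's own counters when available (Linux with nf_conntrack loaded)."""
    base = Path("/proc/sys/net/netfilter")
    try:
        return (int((base / "nf_conntrack_count").read_text()),
                int((base / "nf_conntrack_max").read_text()))
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    entries = parse_table(SAMPLE)
    states, ports = summarize(entries)
    print(f"{len(entries)} entries; states={dict(states)}; dports={dict(ports)}")
    live = read_live()
    if live:
        ratio, alarm = fill_check(*live)
        print(f"live: {live[0]}/{live[1]} ({ratio:.1%}) {'ALARM' if alarm else 'ok'}")
```

Pointing parse_table at the real file (Path("/proc/net/nf_conntrack").read_text()) gives the per-state breakdown that a bare wc -l hides, such as a table filled by TIME_WAIT or unreplied UDP entries.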
