These are my current iptables settings:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The problem is that when I ping the server I get the following:
PING XX.XX.XX.XX (XX.XX.XX.XX): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
ETC...
So I guess this has to do with iptables. As you can see, the site on the server itself is running fine:
nmap -p 80 XX.XX.XX.XX
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-27 09:44 CDT
Nmap scan report for XX.XX.XX.XX
Host is up (0.0019s latency).
PORT STATE SERVICE
80/tcp open http
So the question is: what do I need to do to avoid the ping timeouts? (And is there any downside to returning ping timeouts?)
Answer 1
You need to allow inbound ICMP requests; something like this should do it:
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Answer 2
ICMP is not allowed in your iptables rules.
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
Answer 3
Allow ICMP; your ICMP echo requests will then reach the server, allowing it to reply.
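All three answers come down to the same thing: with INPUT policy DROP and no ICMP rule, echo requests are silently discarded. The script below is an added example (not from any of the posters) that emits the rules to insert and checks an `iptables -L INPUT` listing, in the same no-`-v` format as the question, for a rule that would accept echo-request. The rate limit and the extra ICMP error types are an assumed hardening choice that goes beyond the single rule in Answer 1; the listings it inspects are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emits the ICMP rules that
# fix the ping timeouts and checks an `iptables -L INPUT` listing (without -v,
# as in the question) for a rule that would accept echo-request.
set -eu

# Rules to insert at the top of INPUT. Beyond the single echo-request rule in
# the answers, this rate-limits pings (assumed hardening choice) and keeps the
# ICMP error types that path-MTU discovery and traceroute rely on.
icmp_rules() {
    cat <<'EOF'
iptables -I INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -I INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
EOF
}

# Read an `iptables -L INPUT` listing on stdin; return 0 if some ACCEPT rule
# matches ICMP echo-request (any ICMP, "icmp echo-request", or "icmptype 8").
# A bare "ACCEPT all" line is deliberately not counted: without -v the listing
# hides interface matches, so such a line is usually the loopback rule.
listing_allows_ping() {
    awk '
        $1 == "ACCEPT" && $2 == "icmp" {
            typed = ($0 ~ /icmptype [0-9]|icmp [a-z]/)
            if (!typed || $0 ~ /echo-request|icmptype 8( |$)/) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed listing mirroring the question: policy DROP, no ICMP rule.
BEFORE='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh'

# Same listing after the rate-limited echo-request rule is inserted first.
AFTER="Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 5/sec burst 10 icmp echo-request
$(printf '%s\n' "$BEFORE" | tail -n +3)"

report() {  # $1 = label, $2 = listing text
    if printf '%s\n' "$2" | listing_allows_ping; then echo "$1: ping answered"
    else echo "$1: ping times out (policy DROP)"; fi
}
report BEFORE "$BEFORE"; report AFTER "$AFTER"
```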