I'm using the puppetlabs firewall module but am having trouble setting up iptables for a simple web host.
I'm following this guide and want to add some extra rules: https://sysadmincasts.com/episodes/18-managing-iptables-with-puppet
For example, I added rules to allow outgoing traffic on the git and mysql ports:
firewall { '200 allow outgoing mysql':
chain => 'OUTPUT',
state => ['NEW'],
proto => 'tcp',
dport => '3306',
action => 'accept',
}
firewall { '200 allow outgoing git':
chain => 'OUTPUT',
state => ['NEW'],
dport => '9418',
proto => 'tcp',
action => 'accept',
}
Looking at iptables, I can see the following rules:
root@app01:~/geppetto# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* 000 accept all icmp */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 001 accept all to lo interface */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 003 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80 /* 200 allow incoming http */ state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 /* 200 allow openssh */ state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 /* 900 log dropped input chain */ LOG flags 0 level 6 prefix "[IPTABLES INPUT] dropped "
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* 910 deny all other input requests */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 /* 900 log dropped forward chain */ LOG flags 0 level 6 prefix "[IPTABLES FORWARD] dropped "
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* 910 deny all other forward requests */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 004 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53 /* 200 allow outgoing dns lookups */ state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 9418 /* 200 allow outgoing git */ state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80 /* 200 allow outgoing http */ state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* 200 allow outgoing icmp type 8 (ping) */ icmptype 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 3306 /* 200 allow outgoing mysql */ state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 /* 900 log dropped output chain */ LOG flags 0 level 6 prefix "[IPTABLES OUTPUT] dropped "
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* 910 deny all other output requests */
However, I can't reach anything from the machine using git. Running git fetch origin times out. Do I also have to set up some rules for the outgoing source port? Thanks in advance!
Answer 1
Git can use several protocols, documented here; the most common is SSH, which is what GitHub (both the public and Enterprise versions), Gitosis and Gitolite use.
To use Git over SSH you need to open outbound port 22; to use the less common Git protocol you need port 9418 (which you already have), so you are most likely using an SSH Git URL.
Example: git@github.com:craigwatson/puppet-vmwaretools.git