Seemingly acceptable iptables rules prevent NIS (ypbind) from running

I am not an iptables expert.

I have a use case where I need to block all outgoing traffic that is not destined for 10.0.0.0/8 or 167.114.0.0/16. I have two NIS servers (10.57.132.11, 10.57.132.40). I generated the iptables ruleset below, which I thought would work, but if I run service iptables start I also cannot get ypbind to load. It times out when reaching the two NIS servers. Apart from the timeout, I see nothing else in the logs.

# Generated by iptables-save v1.4.7 on Fri Jul 17 11:08:39 2015
*filter
:INPUT ACCEPT [78622:10507056]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-I OUTPUT -d 10.57.132.11 -j ACCEPT
-I OUTPUT -d 10.57.132.40 -j ACCEPT
-I OUTPUT -d 167.114.0.0/16 -j ACCEPT
-I OUTPUT -d 10.0.0.0/8 -j ACCEPT
-P OUTPUT DROP

COMMIT
# Completed on Fri Jul 17 11:08:39 2015

Any thoughts on what I am doing wrong? Thanks, Jack.

Update: To clarify, ypbind binds when iptables is off, but it does not bind when I turn on the ruleset above. Since it only filters OUTPUT and these rules look correct, I do not understand what the problem is, and I cannot find anything useful in the logs.

Answer 1

tl;dr: iptables really is literal; do not forget the localhost rule.

OK! Got it. Michael Hampton gave me the idea of using a logging rule (this was my first time doing so). So I did the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             167.114.0.0/16
ACCEPT     all  --  anywhere             nis1.example.com
ACCEPT     all  --  anywhere             nis2.example.com
LOGGING    all  --  anywhere             anywhere

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level warning prefix `IPTables-Dropped: '
DROP       all  --  anywhere             anywhere

From there I started iptables, then tried restarting ypbind and immediately saw the following:

Jul 22 22:53:04 host1 ypbind[9844]: Unable to register (YPBINDPROG, YPBINDVERS, udp).
Jul 22 22:53:31 host1 kernel: IPTables-Dropped: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1476 DF PROTO=TCP SPT=18660 DPT=7606 WINDOW=2305 RES=0x00 ACK URGP=0
Jul 22 22:53:50 host1 ypbind: NIS server for domain example is not responding.
Jul 22 22:54:01 host1 kernel: IPTables-Dropped: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1506 DF PROTO=TCP SPT=18660 DPT=7606 WINDOW=2305 RES=0x00 ACK URGP=0

Oh no! It is blocking localhost. I added that to the OUTPUT rules and got:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  localhost            localhost
ACCEPT     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             167.114.0.0/16
ACCEPT     all  --  anywhere             nis1.example.com
ACCEPT     all  --  anywhere             nis2.example.com
LOGGING    all  --  anywhere             anywhere

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 5 LOG level warning prefix `IPTables-Dropped: '
DROP       all  --  anywhere             anywhere

One more ypbind restart and:

Jul 22 22:54:38 host1 ypbind: NIS domain: example, NIS server: nis1.example.com

There you have it!
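The diagnosis above can be turned into two small checks. The script below is an added example, not code from the original post: it parses constructed kernel log lines in the same IPTables-Dropped: format shown above and counts packets dropped on the loopback interface (local RPC traffic between ypbind and rpcbind on 127.0.0.1), and it lints an iptables-save ruleset for an OUTPUT rule that accepts the lo interface ahead of the DROP policy. The log lines, both rulesets, the eth0 interface name and the 192.0.2.53 address are constructed for this example; the corrected ruleset also puts a RELATED,ESTABLISHED rule and the rate-limited LOG rule from the answer in OUTPUT.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks for the failure
# mode diagnosed in the answer: local traffic on lo hitting the OUTPUT DROP policy.

# Constructed log lines mirroring the answer's "IPTables-Dropped:" entries; the
# eth0 / 192.0.2.53 line is an extra made-up drop on a real interface for contrast.
SAMPLE_LOG='Jul 22 22:53:04 host1 ypbind[9844]: Unable to register (YPBINDPROG, YPBINDVERS, udp).
Jul 22 22:53:31 host1 kernel: IPTables-Dropped: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1476 DF PROTO=TCP SPT=18660 DPT=7606 WINDOW=2305 RES=0x00 ACK URGP=0
Jul 22 22:53:50 host1 ypbind: NIS server for domain example is not responding.
Jul 22 22:54:01 host1 kernel: IPTables-Dropped: IN= OUT=eth0 SRC=10.57.5.2 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1507 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Jul 22 22:54:01 host1 kernel: IPTables-Dropped: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1506 DF PROTO=TCP SPT=18660 DPT=7606 WINDOW=2305 RES=0x00 ACK URGP=0'

# Read log text on stdin; print "<out-iface> <proto> <dst>:<dport>" per dropped packet.
dropped_packets() {
    grep 'IPTables-Dropped:' |
        sed -n 's/.* OUT=\([^ ]*\) .*DST=\([^ ]*\) .*PROTO=\([^ ]*\) .*DPT=\([0-9]*\).*/\1 \3 \2:\4/p'
}

# Number of dropped packets that left via lo. Anything above zero means the
# OUTPUT chain has no loopback ACCEPT ahead of its DROP policy.
loopback_drop_count() {
    printf '%s\n' "$SAMPLE_LOG" | dropped_packets | awk '$1 == "lo"' | wc -l | tr -d ' '
}

# Constructed copy of the asker's ruleset in iptables-save form (no loopback rule).
ORIGINAL_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 167.114.0.0/16 -j ACCEPT
COMMIT'

# Corrected ruleset: loopback and reply traffic accepted first, then the
# allowed destinations, then the rate-limited LOG that made the drops visible.
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 167.114.0.0/16 -j ACCEPT
-A OUTPUT -m limit --limit 2/min --limit-burst 5 -j LOG --log-level warning --log-prefix "IPTables-Dropped: "
COMMIT'

# Lint: exit 0 if the ruleset on stdin has an OUTPUT rule accepting the lo interface.
ruleset_accepts_loopback() {
    grep -Eq '^-[AI] OUTPUT .*-o lo .*-j ACCEPT'
}

# Stand-alone run: report loopback drops from the log and lint both rulesets.
echo "loopback drops in log: $(loopback_drop_count)"
if printf '%s\n' "$ORIGINAL_RULES" | ruleset_accepts_loopback; then
    echo "ORIGINAL_RULES: loopback accepted"
else
    echo "ORIGINAL_RULES: loopback NOT accepted (ypbind/rpcbind traffic on 127.0.0.1 will be dropped)"
fi
if printf '%s\n' "$FIXED_RULES" | ruleset_accepts_loopback; then
    echo "FIXED_RULES: loopback accepted"
else
    echo "FIXED_RULES: loopback NOT accepted"
fi
```

To check a live host instead of the constructed samples, feed the output of iptables-save to ruleset_accepts_loopback and the kernel log (for example from journalctl -k or /var/log/messages) to dropped_packets. The lint only recognises an interface-based rule (-o lo); rules written against 127.0.0.0/8 as a destination also work on the firewall but would need a second pattern.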
