I've found that packets are frequently being dropped while my Puppet client runs, and I don't understand what is causing it. I should mention that Puppet manages the firewall rules via the puppetlabs/firewall module, but the rules do not appear to change: to back that up, Puppet's debug output does not show rules being removed and re-added, the packet counters carry on from before the Puppet agent run, and watching the rules while the Puppet agent runs does not show any rule changes during the run.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* 000 accept all icmp */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 001 accept all to lo interface */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 002 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 22 /* 100 allow ssh access */
ACCEPT tcp -- 172.xx.xx.xx 0.0.0.0/0 multiport ports 5666 /* 101 allow nrpe access from 172.xx.xx.xx */
ACCEPT tcp -- 69.xx.xx.xx 0.0.0.0/0 multiport ports 5666 /* 101 allow nrpe access from 69.xx.xx.xx */
ACCEPT tcp -- 192.168.116.0/24 192.168.116.0/24 multiport ports 3306 /* 300 allow MySQL BackNet */
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 /* 301 log all other BackNet requests */ LOG flags 0 level 6 prefix "[IPTABLES INPUT] dropped "
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 /* 302 drop all other BackNet requests */
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 /* 998 log all other requests */ LOG flags 0 level 6 prefix "[IPTABLES INPUT] dropped "
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 /* 999 drop all other requests */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 002 accept related established rules OUT */ state RELATED,ESTABLISHED
ACCEPT tcp -- 172.31.100.0/23 172.31.100.0/23 multiport ports 389,636 /* 351 allow LDAPNet OUT */
ACCEPT tcp -- 192.168.116.0/24 192.168.116.0/24 multiport ports 3306 /* 351 allow MySQL BackNet OUT */
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 /* 352 drop all other BackNet requests OUT */ LOG flags 0 level 6 prefix "[IPTABLES OUTPUT] dropped "
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 /* 352 drop all other LDAPNet requests OUT */ LOG flags 0 level 6 prefix "[IPTABLES OUTPUT] dropped "
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 /* 353 drop all other BackNet requests OUT */
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 /* 353 drop all other LDAPNet requests OUT */
And I see packets from the Puppet master being dropped on the Puppet client. They are logged as:
Aug 13 14:22:19 int-vs-repo kernel: [91935.669812] [IPTABLES INPUT] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=PuppetMasterIP DST=Local_IP LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=48739 DF PROTO=TCP SPT=8140 DPT=40069 WINDOW=749 RES=0x00 ACK URGP=0
Aug 13 14:22:19 int-vs-repo kernel: [91935.670108] [IPTABLES INPUT] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=PuppetMasterIP DST=Local_IP LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=48740 DF PROTO=TCP SPT=8140 DPT=40069 WINDOW=749 RES=0x00 ACK URGP=0
Aug 13 14:22:19 int-vs-repo kernel: [91935.670134] [IPTABLES INPUT] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=PuppetMasterIP DST=Local_IP LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=48741 DF PROTO=TCP SPT=8140 DPT=40069 WINDOW=749 RES=0x00 ACK URGP=0
Aug 13 14:22:19 int-vs-repo kernel: [91935.670409] [IPTABLES INPUT] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=PuppetMasterIP DST=Local_IP LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=48742 DF PROTO=TCP SPT=8140 DPT=40069 WINDOW=749 RES=0x00 ACK URGP=0
I'm not too concerned about these particular packets, but I plan to move more machines over to centrally controlled iptables rules and worry that this is a sign of a problem that shouldn't be ignored. It seems that all packets dropped like this are ACKs and that their IDs increment by one, i.e. it looks to me as if the connection is being lost mid-stream, when the ESTABLISHED,RELATED rule should be letting these packets through.
Aug 14 21:52:19 int-vs-repo kernel: [205448.464080] [IPTABLES INPUT 998] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=PuppetMasterIP DST=PuppetClientIP LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40139 DF PROTO=TCP SPT=8140 DPT=52532 WINDOW=726 RES=0x00 ACK URGP=0
Aug 14 21:52:19 int-vs-repo kernel: [205448.464110] [IPTABLES INPUT 998] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=PuppetMasterIP DST=PuppetAgentIP LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40140 DF PROTO=TCP SPT=8140 DPT=52532 WINDOW=726 RES=0x00 ACK URGP=0
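As an added example (not part of the original question and not code from puppetlabs/firewall), the following Python script parses kernel LOG lines of the kind shown above, groups the dropped packets by TCP four-tuple and reports, per flow, the TCP flags seen, the IP ID sequence and the number of the rule that logged them. That makes the "all ACKs with consecutive IDs" observation something you can check mechanically across a whole log rather than by eye. The sample lines are constructed, with placeholder addresses; the classification labels are heuristics. A flow that reaches rule 998/999 has by definition not matched the earlier state RELATED,ESTABLISHED rule, but the script does not claim to know why.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the kernel LOG lines in the post above.
# Addresses are placeholders (RFC 5737 / private ranges), not real hosts.
SAMPLE_LOG = """\
Aug 14 21:52:19 int-vs-repo kernel: [205448.464080] [IPTABLES INPUT 998] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=10.0.0.5 DST=10.0.0.9 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40139 DF PROTO=TCP SPT=8140 DPT=52532 WINDOW=726 RES=0x00 ACK URGP=0
Aug 14 21:52:19 int-vs-repo kernel: [205448.464110] [IPTABLES INPUT 998] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=10.0.0.5 DST=10.0.0.9 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40140 DF PROTO=TCP SPT=8140 DPT=52532 WINDOW=726 RES=0x00 ACK URGP=0
Aug 14 21:52:20 int-vs-repo kernel: [205449.100000] [IPTABLES INPUT 998] dropped IN=eth0 OUT= MAC=00:50:56:bc:0c:4c:00:e0:b6:00:44:f6:08:00 SRC=203.0.113.7 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The log prefix is whatever the LOG rule was given; the rule number is optional
# because the earlier lines in the post use "[IPTABLES INPUT]" without one.
PREFIX_RE = re.compile(r"\[IPTABLES (?P<chain>[A-Z]+)(?: (?P<rule>\d+))?\] dropped (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
# Bare tokens the kernel emits for TCP flags and the IP don't-fragment bit.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}


def parse_line(line):
    """Return chain, rule number, key=value fields and flag set, or None if not an iptables LOG line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if tok in FLAG_TOKENS}
    return {"chain": m.group("chain"), "rule": m.group("rule"), "fields": fields, "flags": flags}


def summarize(log_text):
    """Group dropped TCP packets by (SRC, SPT, DST, DPT) and collect flags, IP IDs and logging rules."""
    flows = defaultdict(lambda: {"count": 0, "flags": set(), "ids": [], "rules": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["fields"].get("PROTO") != "TCP":
            continue
        f = rec["fields"]
        key = (f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))
        entry = flows[key]
        entry["count"] += 1
        entry["flags"] |= rec["flags"] - {"DF"}  # DF is an IP bit, not a TCP flag
        if f.get("ID", "").isdigit():
            entry["ids"].append(int(f["ID"]))
        entry["rules"].add(rec["rule"])
    return dict(flows)


def classify(entry):
    """Heuristic label (assumption: default-deny INPUT with a state RELATED,ESTABLISHED accept first)."""
    if "SYN" in entry["flags"] and "ACK" not in entry["flags"]:
        return "new connection attempt (expected to be dropped under default-deny)"
    if entry["flags"] and entry["flags"] <= {"ACK", "PSH", "FIN"}:
        ids = entry["ids"]
        consecutive = len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))
        label = "mid-stream ACK segments"
        if consecutive:
            label += ", consecutive IP IDs"
        return label + ": not matched by the RELATED,ESTABLISHED rule"
    return "mixed flags"


def report(log_text):
    """One human-readable line per dropped flow."""
    lines = []
    for (src, spt, dst, dpt), entry in sorted(summarize(log_text).items()):
        lines.append("%s:%s -> %s:%s  packets=%d flags=%s rules=%s  %s" % (
            src, spt, dst, dpt, entry["count"],
            ",".join(sorted(entry["flags"])), ",".join(sorted(r or "?" for r in entry["rules"])),
            classify(entry)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against the real log (`journalctl -k` or `/var/log/kern.log` piped in) by replacing SAMPLE_LOG; flows labelled as mid-stream ACKs with a source port of 8140 are the ones the question is about, and the SYN-only flows are ordinary unsolicited connection attempts the default-deny rules are meant to drop.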