I seem to have run into a strange problem that appears to be related to iptables, although I'm not entirely sure.
The machine is a headless server running squid3, bind9 and other minor services. The problem appeared immediately after upgrading from Ubuntu 16.04.1 to 16.04.2.
The iptables rules have not changed for several months and have always been applied from /etc/network/interfaces on this machine, like this:
$ cat /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
allow-hotplug p4p1
iface p4p1 inet static
address 192.168.1.254
netmask 255.255.255.0
gateway xxx.xxx.xxx.xxx
allow-hotplug p5p1
iface p5p1 inet static
address xxx.xxx.xxx.xxx
netmask 255.255.255.0
gateway xxx.xxx.xxx.xxx
dns-nameservers xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
pre-up iptables-restore < /etc/iptables.rules
However, after the update, when the pre-up line is present in the file, there is no working internet connection (p5p1) at boot. Squid, which bridges p4p1 and p5p1, returns DNS errors. iptables -L -v prints the rules correctly, and no rule has an unusually high reject count.
After commenting out that line and rebooting, everything works (without the firewall). If I run iptables-restore < /etc/iptables.rules manually, all the rules populate correctly and everything keeps working.
# iptables-restore < /etc/iptables.rules
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- !lo any anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
6 436 ACCEPT all -- p4p1 any anywhere anywhere
0 0 ACCEPT tcp -- p5p1 any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp -- p5p1 any anywhere anywhere state NEW tcp dpt:26
0 0 ACCEPT tcp -- p5p1 any anywhere anywhere state NEW tcp dpt:http
0 0 ACCEPT tcp -- p5p1 any anywhere anywhere state NEW tcp dpt:https
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- any any anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- p4p1 any 192.168.1.54 anywhere
... snip
0 0 ACCEPT all -- p4p1 any 192.168.1.246 anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1 60 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 600 ACCEPT all -- any any anywhere anywhere
The iptables.rules file I'm using is:
*filter
-A OUTPUT -j ACCEPT
#
# Allows all loopback (lo0) traffic and
# reject all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i !lo -d 127.0.0.0/8 -j REJECT
#
# Accept everything from internal network
-A INPUT -i p4p1 -j ACCEPT
#
# Accept new connections only for ssh, http, and https
# from external network
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 26 -j ACCEPT
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 443 -j ACCEPT
#
# Accept all established inbound traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Reject everything else
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
#
#
# Packet forwarding
#
#
# Allow new connection forwarding from 192.168.1.xx
-A FORWARD -i p4p1 -s 192.168.1.54 -j ACCEPT
... snip ..
-A FORWARD -i p4p1 -s 192.168.1.246 -j ACCEPT
#
# Allow forwarding of established connections
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Reject everything else
-A FORWARD -j REJECT
COMMIT
#
# Network address translation
*nat
#
# Enable masquerade
-A POSTROUTING -o p5p1 -j MASQUERADE
COMMIT
Any insight into what is going on would be greatly appreciated.
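One way to rule out the rules file itself before looking at the pre-up hook is a static check of the iptables-save format that iptables-restore reads: every *table must be closed by COMMIT, and every -i/-o interface should be one the machine actually declares. This is an added example written for this question, not code from the question or from iptables; the sample rules are a constructed cut-down copy of the file above with the final COMMIT deliberately left out, and the known_ifaces list is an assumed input taken from /etc/network/interfaces.

```python
# Static sanity check for an iptables-restore rules file (iptables-save format).
import re

# Constructed sample in the shape of the file from the question; the closing
# COMMIT of the *nat table is left out on purpose so the check has something to find.
SAMPLE_RULES = """*filter
-A OUTPUT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i !lo -d 127.0.0.0/8 -j REJECT
-A INPUT -i p4p1 -j ACCEPT
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
COMMIT
*nat
-A POSTROUTING -o p5p1 -j MASQUERADE
"""

IFACE_OPT = re.compile(r"(?:^|\s)-([io])\s+(\S+)")   # -i IFACE / -o IFACE


def check_rules(text, known_ifaces=None):
    """Return a list of findings (empty means nothing obvious is wrong).
    known_ifaces: optional interface names, e.g. those in /etc/network/interfaces."""
    findings, table, seen = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                     # table header, e.g. *filter
            if table is not None:
                findings.append(f"line {n}: *{table} is not closed by COMMIT")
            table = line[1:]
        elif line == "COMMIT":
            if table is None:
                findings.append(f"line {n}: COMMIT outside any table")
            table = None
        for opt, val in IFACE_OPT.findall(line):
            if val.startswith("!"):                  # deprecated '-i !lo' spelling
                findings.append(f"line {n}: write '! -{opt} {val[1:]}' rather than '-{opt} {val}'")
                val = val[1:]
            seen.add(val)
    if table is not None:
        findings.append(f"end of file: *{table} is not closed by COMMIT")
    if known_ifaces is not None:
        for name in sorted(seen - set(known_ifaces)):
            findings.append(f"interface {name} is referenced but not declared")
    return findings
```

Run it with check_rules(open("/etc/iptables.rules").read(), ["lo", "p4p1", "p5p1"]); an empty result means the file is at least structurally complete, and the real load can then be exercised with iptables-restore --test.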