启动时出现 iptables - 更新时出现问题

启动时出现 iptables - 更新时出现问题

我似乎遇到了一个奇怪的问题,似乎与 iptables 有关,尽管我不完全确定。

该机器是无头服务器,运行 squid3、bind9 和其他次要服务。从 Ubuntu 16.04.1 升级到 16.04.2 后立即出现此问题。

iptables 规则已经好几个月没有改变过了,并且一直被应用在这台机器的 /etc/network/interfaces 中,就像这样:

$ cat /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

allow-hotplug p4p1
iface p4p1 inet static
    address 192.168.1.254
    netmask 255.255.255.0
    gateway xxx.xxx.xxx.xxx

allow-hotplug p5p1
iface p5p1 inet static
    address xxx.xxx.xxx.xxx
    netmask 255.255.255.0
    gateway xxx.xxx.xxx.xxx
    dns-nameservers xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    pre-up iptables-restore < /etc/iptables.rules

但是,更新之后,当文件中存在 pre-up 行时,启动时没有互联网连接(p5p1)可以工作。桥接 p4p1 和 p5p1 的 squid 返回 DNS 错误。iptables -L -v 正确打印出规则,没有规则具有异常高的拒绝率。

注释掉该行并重新启动系统后,一切正常(没有防火墙)。如果我手动运行 iptables-restore < /etc/iptables.rules,所有规则都会正确填充,一切仍然正常。

# iptables-restore < /etc/iptables.rules
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source   destination         
    0     0 ACCEPT     all  --  lo     any     anywhere  anywhere            
    0     0 REJECT     all  --  !lo    any     anywhere  127.0.0.0/8 reject-with icmp-port-unreachable
    6   436 ACCEPT     all  --  p4p1   any     anywhere   anywhere            
    0     0 ACCEPT     tcp  --  p5p1   any     anywhere   anywhere state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  p5p1   any     anywhere   anywhere state NEW tcp dpt:26
    0     0 ACCEPT     tcp  --  p5p1   any     anywhere   anywhere state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  p5p1   any     anywhere   anywhere state NEW tcp dpt:https
    0     0 ACCEPT     all  --  any    any     anywhere   anywhere state RELATED,ESTABLISHED
    0     0 LOG        all  --  any    any     anywhere   anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    0     0 REJECT     all  --  any    any     anywhere   anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source     destination         
    0     0 ACCEPT     all  --  p4p1   any     192.168.1.54   anywhere            
    ... snip
    0     0 ACCEPT     all  --  p4p1   any     192.168.1.246  anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere       anywhere state RELATED,ESTABLISHED
    1    60 REJECT     all  --  any    any     anywhere       anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source      destination         
    5   600 ACCEPT     all  --  any    any     anywhere         anywhere

我正在使用的 iptables.rules 文件是:

*filter 

-A OUTPUT -j ACCEPT

#
# Allows all loopback (lo0) traffic and
# reject all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i !lo -d 127.0.0.0/8 -j REJECT

#
# Accept everything from internal network
-A INPUT -i p4p1 -j ACCEPT

#
# Accept new connections only for ssh, http, and https
# from external network
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 22  -j ACCEPT
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 26  -j ACCEPT
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 80  -j ACCEPT
-A INPUT -i p5p1 -p tcp -m state --state NEW --dport 443 -j ACCEPT

#
# Accepts all established inbound traffics
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Reject everything else
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT

#
#
# Packet forwarding
#

#
# Allow new connection forwarding from 192.168.1.xx
-A FORWARD -i p4p1 -s 192.168.1.54  -j ACCEPT
... snip ..
-A FORWARD -i p4p1 -s 192.168.1.246 -j ACCEPT 

#
# Allow forwarding of established connections
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Reject everything else
-A FORWARD -j REJECT

COMMIT
#
# Network address translation
*nat

#
# Enable masquerade
-A POSTROUTING -o p5p1 -j MASQUERADE

如果您能提供任何关于正在发生的事情的见解,我们将不胜感激。

相关内容