Setting up ping replies

My Ubuntu machine runs in the AWS cloud. The system does not respond to pings coming from the Internet side. How do I enable this?

I have already enabled UDP port 7 in the inbound rules, but that did not help.

Contents of /etc/ufw/before.rules

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Operating system:
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

Answer 1

AWS disables ICMP by default. Have you enabled it?

For ping to work:

  • Every hop between you and the instance must allow icmp packets.
  • The instance's EC2 firewall must be opened to receive icmp packets, using ec2-authorize (-> EC2 Instances -> Security Groups -> Inbound rules -> "allow 0.0.0.0/0" ICMP).
  • The instance must be configured to respond to ping requests.

Only the last one is Ubuntu-related.

I recommend using ssh to test connectivity. Use ec2-authorize to grant access to port tcp/22 and try connecting to your instance.

Answer 2

You may have a rule that denies this by default. Try removing it and see if it works.

sudo iptables -D INPUT -p icmp --icmp-type echo-request -j REJECT
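An added example that covers the host-side part of Answer 1 and the "find the rule that rejects it" step of Answer 2 (this is editor-written code, not code from the asker or either answer). Two things are worth fixing in the question's setup before touching the host: ping is ICMP echo-request (type 8), not UDP port 7 (that port is the legacy Echo protocol), so a UDP rule in the security group does nothing for it; and the posted before.rules already accepts echo-request, so if the instance still stays silent the block is either in the security group, in a rule ahead of the ufw chains in INPUT, or in the kernel's icmp_echo_ignore_all sysctl. The script below parses `iptables -S <chain>` output to report the first verdict that applies to echo-request in a chain, reads the sysctl, and shows the current `aws` CLI equivalent of the old ec2-authorize (opening only ICMP type 8 rather than all of ICMP). The sample chain listings are constructed, the security-group ID is a placeholder, and the live checks only run when RUN_LIVE_CHECKS=1 is set.

```shell
#!/usr/bin/env bash
# Added example for this thread (not code from the asker or either answer).
# Audits the host-side reasons an Ubuntu EC2 instance will not answer ping and
# names the AWS-side change. Assumptions: Linux with iptables/ufw; the
# security-group ID below is a placeholder, not a real group.

# Print the first terminal verdict (ACCEPT, DROP or REJECT) that a chain
# listing from `iptables -S <chain>` (read on stdin) applies to ICMP
# echo-request. A rule with "-p icmp" and no --icmp-type matches all ICMP, so
# it counts too. If no rule matches, print the chain policy ("policy:DROP") or
# "none" when no -P line was given. Jumps into other chains are not followed:
# run it once per chain (INPUT and ufw-before-input at least).
icmp_echo_verdict() {
  awk '
    $1 == "-P" { policy = $3; next }
    {
      icmp = 0; has_type = 0; type_ok = 0; v = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p" && $(i + 1) == "icmp") icmp = 1
        if ($i == "--icmp-type") {
          has_type = 1
          if ($(i + 1) == "echo-request" || $(i + 1) == "8") type_ok = 1
        }
        if ($i == "-j") v = $(i + 1)
      }
      if (icmp && (!has_type || type_ok) &&
          (v == "ACCEPT" || v == "DROP" || v == "REJECT")) {
        print v; found = 1; exit
      }
    }
    END { if (!found) print (policy != "" ? "policy:" policy : "none") }
  '
}

# Report whether the kernel itself ignores echo requests. Takes the path of the
# sysctl file as an argument so it can be tested offline (default: the live one).
echo_ignore_state() {
  f="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
  if [ "$(cat "$f")" = "0" ]; then echo "answering"; else echo "ignoring"; fi
}

# Constructed samples (not captured from the asker's machine).
# INPUT after the REJECT rule that Answer 2 says to delete has been added:
SAMPLE_INPUT_REJECT='-P INPUT DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j ufw-before-input'
# The ICMP lines from the asker's before.rules, as `iptables -S` renders them
# (iptables shows numeric types: 3, 11, 12 and 8 for echo-request):
SAMPLE_UFW_BEFORE='-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT'
# A stock ufw INPUT chain: no ICMP rule of its own, only the jump and the policy.
SAMPLE_INPUT_STOCK='-P INPUT DROP
-A INPUT -j ufw-before-input'

if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
  echo "kernel:            $(echo_ignore_state)"
  for chain in INPUT ufw-before-input; do
    printf '%-18s %s\n' "$chain:" "$(sudo iptables -S "$chain" 2>/dev/null | icmp_echo_verdict)"
  done
  # AWS side: the current-CLI equivalent of the old ec2-authorize. Opens ICMP
  # type 8 (echo-request) only, not all of ICMP. Placeholder group ID.
  # aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 \
  #   --ip-permissions 'IpProtocol=icmp,FromPort=8,ToPort=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'
fi
```

Run it with `RUN_LIVE_CHECKS=1 sudo -E bash audit-ping.sh` on the instance. A REJECT or DROP verdict in INPUT ahead of the jump to ufw-before-input is exactly the case Answer 2's `iptables -D` removes; "policy:DROP" in INPUT together with ACCEPT in ufw-before-input is the normal ufw state and means the host is fine, so the remaining suspect is the security group.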
