My Ubuntu machine runs on AWS. The system does not respond to ping from the Internet side. How do I enable this?
I have already allowed UDP port 7 in the inbound rules, but that did not help.
Contents of /etc/ufw/before.rules:
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
OS (lsb_release -a): Description: Ubuntu 18.04.3 LTS, Release: 18.04, Codename: bionic
Answer 1
AWS disables ICMP by default. Did you enable it?
For ping to work:
- every hop between you and the instance must allow ICMP packets;
- the instance's EC2 firewall must be opened to receive ICMP packets, using ec2-authorize (-> EC2 instance -> Security Groups -> Inbound rules: allow ICMP from 0.0.0.0/0);
- the instance must be configured to respond to ping requests.
Only the last one is related to Ubuntu.
I suggest using ssh to test connectivity. Use ec2-authorize to grant access to port tcp/22 and try connecting to your instance.
Answer 2
You may have a rule that denies this by default. Try removing it and see whether that works.
sudo iptables -D INPUT -p icmp --icmp-type echo-request -j REJECT
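The layered check that Answer 1 describes (security group first, then the instance's own firewall) and the hunt for a blocking rule in Answer 2 can be run offline against captured data. The following is an added example, not code from either answer or from Ubuntu, ufw or AWS: it evaluates an ICMP echo request against the IpPermissions list in the shape `aws ec2 describe-security-groups` returns (for protocol "icmp", FromPort is the ICMP type and ToPort the ICMP code, -1 meaning any), then walks iptables rule lines (`iptables -S` or before.rules syntax) to find the first verdict for an echo request, and finally reads the `sysctl net.ipv4.icmp_echo_ignore_all` line. The sample security-group entries and rule lines below are constructed for the example; the first one reproduces the asker's mistake of opening UDP port 7, which never admits ICMP.

```python
"""Diagnose, layer by layer, why an EC2 instance does not answer ping."""
import ipaddress
import re

ECHO_REQUEST_TYPE = 8  # ICMP type 8, code 0: echo request (what ping sends)

# Constructed samples (not real account data): the asker's UDP 7 rule alone,
# and the same group with an "All ICMP - IPv4" rule added.
SAMPLE_SG_UDP7_ONLY = [
    {"IpProtocol": "udp", "FromPort": 7, "ToPort": 7,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
SAMPLE_SG_WITH_ICMP = SAMPLE_SG_UDP7_ONLY + [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
# Constructed excerpt of ufw's before.rules (comments are ignored when parsed).
SAMPLE_BEFORE_RULES = """\
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
""".splitlines()
# Constructed `iptables -S INPUT` output with the REJECT rule Answer 2 deletes;
# iptables prints the type numerically (8) rather than as echo-request.
SAMPLE_INPUT_WITH_REJECT = """\
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j ufw-before-input
""".splitlines()


def sg_allows_icmp_echo(ip_permissions, source_ip):
    """True if any inbound rule admits an ICMP echo request from source_ip.
    Only IPv4 ranges (IpRanges/CidrIp) are examined."""
    src = ipaddress.ip_address(source_ip)
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "icmp":
            if perm.get("FromPort", -1) not in (-1, ECHO_REQUEST_TYPE):
                continue  # some other ICMP type, e.g. destination-unreachable
            if perm.get("ToPort", -1) not in (-1, 0):
                continue  # some other ICMP code
        elif proto != "-1":
            continue  # tcp/udp rules (such as UDP port 7) never carry ICMP
        for rng in perm.get("IpRanges", []):
            if src in ipaddress.ip_network(rng["CidrIp"], strict=False):
                return True
    return False


RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)(?P<body>.*?)\s+-j\s+(?P<target>\S+)")


def echo_request_verdict(rule_lines, chain="INPUT"):
    """Walk `chain` in order and return the target of the first rule that
    matches a fresh inbound echo request (ACCEPT, DROP, REJECT, or a chain
    name to descend into), or None if no rule matches and the chain policy
    decides. Rules keyed on RELATED/ESTABLISHED or INVALID are skipped
    because a new echo request is in conntrack state NEW."""
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("chain") != chain:
            continue
        body = m.group("body")
        proto = re.search(r"(?:^|\s)-p\s+(\S+)", body)
        if proto and proto.group(1) not in ("icmp", "1", "all"):
            continue
        itype = re.search(r"--icmp-type\s+(\S+)", body)
        if itype and itype.group(1) not in ("echo-request", "8", "any"):
            continue
        if re.search(r"--ctstate\s+\S*(RELATED|ESTABLISHED|INVALID)", body):
            continue
        return m.group("target")
    return None


def kernel_ignores_echo(sysctl_line):
    """Parse `sysctl net.ipv4.icmp_echo_ignore_all` output; 1 means the
    kernel drops every echo request regardless of any firewall rule."""
    key, _, value = sysctl_line.partition("=")
    if key.strip() != "net.ipv4.icmp_echo_ignore_all":
        raise ValueError("unexpected sysctl line: " + sysctl_line)
    return value.strip() == "1"


def diagnose(ip_permissions, source_ip, input_rules, before_rules, sysctl_line):
    """Every layer has to pass for a reply to come back; report each one."""
    return {
        "security_group_allows": sg_allows_icmp_echo(ip_permissions, source_ip),
        "INPUT_verdict": echo_request_verdict(input_rules, "INPUT"),
        "ufw_before_input_verdict": echo_request_verdict(before_rules, "ufw-before-input"),
        "kernel_ignores_echo": kernel_ignores_echo(sysctl_line),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_SG_UDP7_ONLY, "203.0.113.9", SAMPLE_INPUT_WITH_REJECT,
                   SAMPLE_BEFORE_RULES, "net.ipv4.icmp_echo_ignore_all = 0"))
```

With the asker's data the report shows the security group rejecting the packet before it ever reaches the instance, and the REJECT in INPUT being hit before the jump into ufw-before-input, so the ACCEPT for echo-request in before.rules is never consulted; fixing the group alone or the host rule alone is not enough.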