
Troubleshooting a service inside a VM that could not be reached from outside




The problem: I installed CentOS in VirtualBox and deployed a service of my own in it. Inside the VM the service could be reached through both the 127.* address and the 192.* address, but connections from outside the VM were refused.

Inside the VM:

[[email protected] dsp]# curl http://192.168.199.184:7050/debug/pprof/heap
heap profile: 141: 4782544 [1677: 16456768] @ heap/1048576

Outside the VM:

➜ dsp curl http://192.168.199.184:7050/debug/pprof/heap
curl: (7) Failed to connect to 192.168.199.184 port 7050: Connection refused

So I checked whether the port was being listened on. Port 7050 was indeed listening, and on all addresses:

[[email protected] dsp]# netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 
tcp 0 0 127.0.0.1:6380 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 
tcp6 0 0 :::7050 :::* LISTEN 
tcp6 0 0 :::6379 :::* LISTEN 
tcp6 0 0 :::10383 :::* LISTEN 
tcp6 0 0 :::7089 :::* LISTEN 
tcp6 0 0 :::22 :::* LISTEN 
tcp6 0 0 ::1:25 :::* LISTEN 
tcp6 0 0 :::8000 :::* LISTEN 

At this point I began to suspect that the firewall was rejecting the connections, so I listed the firewall rules with iptables:
-L|--list [CHAIN [RULENUM]]  // list the rules of the given chain (or of all chains), or one specific rule
-v|--verbose (up to x3)  // show more detail when listing rules
pkts is the number of packets each rule has accepted/rejected.

Here, rule 5 has rejected 75 packets, so the cause is now clear: the iptables filtering rules need to be changed.

[[email protected] dsp]# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination 
1646 119K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 
7 445 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
75 17712 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8088
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7050
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10383
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7089
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination 
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1609 packets, 175K bytes)
pkts bytes target prot opt in out source destination


The saved iptables rules look like this:

[[email protected] dsp]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
COMMIT


Roughly, these mean:
1. Accept any packet whose connection state is RELATED or ESTABLISHED.
2. Accept any packet whose protocol is ICMP.
3. Accept any packet arriving on the lo interface, from any source (0.0.0.0/0) to any destination and of any protocol (prot is all).
4. Accept any TCP packet that opens a new connection (state NEW) to port 22.
5. Reject every other packet, and send an ICMP host-prohibited message back to the rejected host.


iptables tests a packet against the rules in order, and the first rule that matches decides the action (accept/reject). A packet that none of the first four rules matches will certainly be matched by rule 5, and rule 5 rejects it.

Back to our problem: connections to port 7050 are being handled by rule 5 (the ACCEPT for 7050 that appears in the listing above sits after the REJECT, so it never gets a chance to match). To fix it, we only need to add one rule before rule 5:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7050 -j ACCEPT
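To make the first-match rule concrete, here is an added example that is not part of the original post: a small Python simulator for the INPUT chain shown above. It uses the post's own rules, first with the port 7050 ACCEPT appended after the REJECT (as in the iptables -L -v -n listing) and then with it moved ahead of the REJECT (the fix), and it reports which rules can never fire. The interface name enp0s3 is a constructed placeholder, and the option model covers only -p, -i, --state and --dport.

```python
import shlex

MATCH_OPTS = {"-p": "proto", "-i": "iface", "--dport": "dport", "--state": "state"}  # modelled criteria

# INPUT chain as listed in the post, including the port 7050 ACCEPT that was appended after the REJECT
RULES_BEFORE = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7050 -j ACCEPT
"""
# The post's fix: the same rules with the 7050 ACCEPT moved ahead of the REJECT
_lines = RULES_BEFORE.strip().splitlines()
RULES_AFTER = "\n".join(_lines[:4] + [_lines[5], _lines[4]])

def parse_rules(text, chain="INPUT"):
    """Parse iptables-save style '-A CHAIN ...' lines into ordered match dicts."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", chain]:
            continue
        rule = {"target": None, "match": {}}
        for opt, arg in zip(toks[2::2], toks[3::2]):  # every option used here takes one argument
            if opt == "-j":
                rule["target"] = arg
            elif opt in MATCH_OPTS:  # -m and --reject-with add no match criterion
                rule["match"][MATCH_OPTS[opt]] = arg
        rules.append(rule)
    return rules

def matches(rule, pkt):
    """Every criterion the rule names must hold; --state may list several states."""
    return all(str(pkt.get(k)) in v.split(",") for k, v in rule["match"].items())

def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins: (target, 1-based rule number), else the chain policy."""
    return next(((r["target"], n) for n, r in enumerate(rules, 1) if matches(r, pkt)),
                (policy, None))

def shadowed(rules):
    """Rule numbers that can never fire because a catch-all terminating rule precedes them."""
    for n, r in enumerate(rules, 1):
        if not r["match"] and r["target"] in {"ACCEPT", "REJECT", "DROP"}:
            return list(range(n + 1, len(rules) + 1))
    return []
```

The same check explains why access from inside the VM worked (locally addressed traffic arrives on lo and hits rule 3) and flags every ACCEPT that the listing shows after the REJECT as unreachable.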

[[email protected] dsp]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7050 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
COMMIT

Then restart iptables:
systemctl restart iptables


Problem solved:

➜ dsp curl http://192.168.199.184:7050/debug/pprof/heap
heap profile: 141: 4782544 [1682: 16457312] @ heap/1048576


