I seem to be running into a strange problem that appears to be related to iptables, though I am not entirely sure.
The machine is a headless server running squid3, bind9 and a few other small services. The problem appeared immediately after upgrading from Ubuntu 16.04.1 to 16.04.2.
The iptables rules have for a long time been applied on this machine from /etc/network/interfaces, as follows:
    $ cat /etc/network/interfaces
    # The loopback network interface
    auto lo
    iface lo inet loopback

    allow-hotplug p4p1
    iface p4p1 inet static
        address 192.168.1.254
        netmask 255.255.255.0
        gateway xxx.xxx.xxx.xxx

    allow-hotplug p5p1
    iface p5p1 inet static
        address xxx.xxx.xxx.xxx
        netmask 255.255.255.0
        gateway xxx.xxx.xxx.xxx
        dns-nameservers xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
        pre-up iptables-restore < /etc/iptables.rules
After the update, although the pre-up line is still present in the file, the internet connection (p5p1) does not work at boot. Squid, which bridges p4p1 and p5p1, returns DNS errors. iptables -L -v prints the rules correctly, and no rule shows an exceptionally high reject count.
When that line is commented out and the system is rebooted, everything works (with no firewall). If I then manually run iptables-restore < /etc/iptables.rules, the rules are all populated correctly and everything still works.
    # iptables-restore < /etc/iptables.rules
    # iptables -L -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
        0     0 REJECT     all  --  !lo    any     anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
        6   436 ACCEPT     all  --  p4p1   any     anywhere             anywhere
        0     0 ACCEPT     tcp  --  p5p1   any     anywhere             anywhere             state NEW tcp dpt:ssh
        0     0 ACCEPT     tcp  --  p5p1   any     anywhere             anywhere             state NEW tcp dpt:26
        0     0 ACCEPT     tcp  --  p5p1   any     anywhere             anywhere             state NEW tcp dpt:http
        0     0 ACCEPT     tcp  --  p5p1   any     anywhere             anywhere             state NEW tcp dpt:https
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
        0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  p4p1   any     192.168.1.54         anywhere
    ... snip
        0     0 ACCEPT     all  --  p4p1   any     192.168.1.246        anywhere
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
        1    60 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        5   600 ACCEPT     all  --  any    any     anywhere             anywhere
The iptables.rules file I am using is:
    *filter
    -A OUTPUT -j ACCEPT
    #
    # Allows all loopback (lo0) traffic and
    # reject all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i !lo -d 127.0.0.0/8 -j REJECT
    #
    # Accept everything from internal network
    -A INPUT -i p4p1 -j ACCEPT
    #
    # Accept new connections only for ssh, http, and https
    # from external network
    -A INPUT -i p5p1 -p tcp -m state --state NEW --dport 22 -j ACCEPT
    -A INPUT -i p5p1 -p tcp -m state --state NEW --dport 26 -j ACCEPT
    -A INPUT -i p5p1 -p tcp -m state --state NEW --dport 80 -j ACCEPT
    -A INPUT -i p5p1 -p tcp -m state --state NEW --dport 443 -j ACCEPT
    #
    # Accepts all established inbound traffics
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Reject everything else
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A INPUT -j REJECT
    #
    #
    # Packet forwarding
    #
    #
    # Allow new connection forwarding from 192.168.1.xx
    -A FORWARD -i p4p1 -s 192.168.1.54 -j ACCEPT
    ... snip ..
    -A FORWARD -i p4p1 -s 192.168.1.246 -j ACCEPT
    #
    # Allow forwarding of established connections
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Reject everything else
    -A FORWARD -j REJECT
    COMMIT
    #
    # Network address translation
    *nat
    #
    # Enable masquerade
    -A POSTROUTING -o p5p1 -j MASQUERADE
Any insight into what might be going on would be much appreciated.
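As an added example that is not part of the original question: a small POSIX shell lint for files in iptables-save format, checking the two things the posted rules file invites a second look at before it is handed to `pre-up iptables-restore`: whether every `*table` block is closed by `COMMIT` (as quoted above, the `*nat` block is not), and whether any rule still uses the deprecated intrapositioned negation `-i !lo` rather than `! -i lo`. It assumes only awk, mktemp and a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the original post): lint an iptables-save style
# rules file before trusting it to "pre-up iptables-restore < /etc/iptables.rules".
# Checks: every *table block must end with COMMIT (iptables-restore applies a
# table only when it reaches COMMIT), and "-i !lo" style negation is the
# deprecated intrapositioned form that iptables warns about; "! -i lo" is the
# supported spelling. Prints one line per finding; exit 0 = clean, 1 = findings.
check_iptables_rules() {
    awk '
        /^\*/ {                                  # "*filter", "*nat", ...
            if (table != "") { print "table " table " has no COMMIT"; bad = 1 }
            table = substr($0, 2); next
        }
        /^COMMIT/ {
            if (table == "") { print "COMMIT outside any table at line " NR; bad = 1 }
            table = ""; next
        }
        /^-A[ \t]/ && table == "" {
            print "rule outside any table at line " NR; bad = 1
        }
        /(^|[ \t])-[iosd][ \t]+!/ {              # -i !lo, -o !p5p1, -s !10.0.0.1
            print "intrapositioned negation at line " NR ": " $0; bad = 1
        }
        END {
            if (table != "") { print "table " table " has no COMMIT"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample with the same shape as the posted file: the loopback
# rule uses "-i !lo" and the *nat table is never committed.
demo=$(mktemp)
cat > "$demo" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i !lo -d 127.0.0.0/8 -j REJECT
COMMIT
*nat
-A POSTROUTING -o p5p1 -j MASQUERADE
EOF
check_iptables_rules "$demo"
echo "exit status: $?"
rm -f "$demo"
```

Run it against the real file with `check_iptables_rules /etc/iptables.rules`; a clean file produces no output and exit status 0.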