I have a strange problem. The system log contains (every 12 seconds) a logged/blocked connection, for example this one to Google:
iptables denied: IN=eth0 OUT= SRC=66.249.66.52 DST=<MY_SERVER_IP> LEN=60 TOS=0x00 PREC=0x40 TTL=55 ID=49488 DF PROTO=TCP SPT=47902 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
or this one to Opera Mini:
iptables denied: IN=eth0 OUT= SRC=141.0.8.219 DST=<MY_SERVER_IP> LEN=60 TOS=0x00 PREC=0x40 TTL=58 ID=41251 DF PROTO=TCP SPT=50426 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
iptables rules (ssh rule removed):
# Generated by iptables-save v1.4.12 on Sat Sep 29 14:25:22 2012
*filter
:INPUT DROP [28:2605]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [54305:39093682]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Sat Sep 29 14:25:22 2012
Does anyone know what is going on?
It is the third INPUT rule; it logs a sample of all traffic.
It doesn't actually block the traffic, the log message just gives you that impression.
From the iptables man page:
limit
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the '!' flag is used). It can be used in combination with the LOG target to give limited logging, for example.
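To make the answer concrete, here is an added example (not part of the original question or answer, and not netfilter code) that models the INPUT chain from the question as a first-match rule walk with a token-bucket limit. It assumes iptables' default burst of 5 for "-m limit" and treats LOG as a non-terminating target, so a packet that matches the LOG rule continues to the ACCEPT rules below it. The "question_ruleset" order logs and then accepts a new port-80 SYN, which is exactly the "iptables denied" line the question shows for Google; "reordered_ruleset" moves the LOG rule to the end so only packets about to hit the DROP policy are sampled. The packets and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str
    proto: str
    dport: int
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED


class TokenBucket:
    """Model of '-m limit': 'rate' tokens per second, at most 'burst' stored.

    With the iptables default burst of 5, a fresh rule matches 5 packets at
    once and then one packet every 1/rate seconds (12 s for --limit 5/min).
    """

    def __init__(self, rate_per_sec: float, burst: int = 5, now: float = 0.0):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    target: str  # "ACCEPT" (terminating) or "LOG" (non-terminating)
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Tuple[str, ...] = ()
    limit: Optional[TokenBucket] = None

    def matches(self, pkt: Packet, now: float) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        # The limit match only consumes a token once the other matches succeeded.
        if self.limit is not None and not self.limit.allow(now):
            return False
        return True


def walk_input_chain(rules: List[Rule], pkt: Packet, now: float) -> Tuple[str, bool]:
    """Return (verdict, logged) for one packet; the chain policy is DROP."""
    logged = False
    for rule in rules:
        if not rule.matches(pkt, now):
            continue
        if rule.target == "LOG":
            logged = True  # LOG never ends traversal; the packet moves on
            continue
        return rule.target, logged
    return "DROP", logged


def log_rule(now: float = 0.0) -> Rule:
    # -A INPUT -m limit --limit 5/min -j LOG (burst 5 is the iptables default)
    return Rule("LOG", limit=TokenBucket(5 / 60, burst=5, now=now))


def question_ruleset(now: float = 0.0) -> List[Rule]:
    """Order from the question: LOG sits above the port 80/443 ACCEPT rules."""
    return [
        Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
        Rule("ACCEPT", iface="eth0", proto="tcp", dport=3306),
        log_rule(now),  # samples every packet that gets this far, accepted or not
        Rule("ACCEPT", iface="eth0", proto="tcp", dport=80),
        Rule("ACCEPT", iface="eth0", proto="tcp", dport=443),
        Rule("ACCEPT", iface="lo"),
    ]


def reordered_ruleset(now: float = 0.0) -> List[Rule]:
    """Same rules with LOG last: it only sees packets about to hit policy DROP."""
    return [
        Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
        Rule("ACCEPT", iface="eth0", proto="tcp", dport=3306),
        Rule("ACCEPT", iface="eth0", proto="tcp", dport=80),
        Rule("ACCEPT", iface="eth0", proto="tcp", dport=443),
        Rule("ACCEPT", iface="lo"),
        log_rule(now),
    ]


def simulate(rules: List[Rule], packets: List[Tuple[float, Packet]]) -> List[Tuple[str, bool]]:
    """Feed (time, packet) pairs through the chain; one (verdict, logged) per packet."""
    return [walk_input_chain(rules, pkt, t) for t, pkt in packets]


if __name__ == "__main__":
    web_syn = Packet("eth0", "tcp", 80)  # constructed: a new HTTP connection like those in the log
    print("question order:", simulate(question_ruleset(), [(0.0, web_syn)]))
    print("LOG rule last :", simulate(reordered_ruleset(), [(0.0, web_syn)]))
```

Running it shows the question's ordering returning ("ACCEPT", True) for a new port-80 SYN: logged with the "denied" prefix, then accepted by the next rule. Feeding a burst of such packets shows the first five logged and the rest silent until one token per 12 seconds refills, which matches the 12-second spacing in the question's syslog.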