Sorry, I'm new to this server stuff, so bear with me; if I've missed any information let me know!
I'm trying to set up my Ubuntu 14.04.2 LTS server with a solid iptables firewall. Right now I think it's pretty decent, but when iptables is active I can't do any git operations on the server... so the workaround is to shut the firewall down, do the pull, and then re-activate the firewall. This is annoying and introduces the human error of not turning the firewall back on.
I built my iptables rules from several resources, and got the git rules from here: http://www.nigeldunn.com/2011/06/29/iptables-rules-to-allow-git/
I tried adding logging to see which packets were being blocked during the git pull, but nothing shows up in /var/log/kern.log (although other, unrelated things are logged there, so I know it's working).
When doing a git pull I get this:

```
ssh: Could not resolve hostname equity1.projectlocker.com: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
This is my iptables configuration:

```sh
#!/bin/sh
echo "Flushing iptable rules"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

echo "Setting default drop rules"
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo "Enabling loopback"
# Allow unlimited traffic on loopback
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

echo "Allowing new and established incoming connections to port 22,80,443,3000, and 9418"
# Multiport - Allow incoming + outgoing
# SSH (22),
# Web Traffic (80, 3000),
# Secure Web Traffic (443)
# Git (9418)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443,3000,9418 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443,3000,9418 -m state --state ESTABLISHED -j ACCEPT

echo "Port forwarding from port 3000 to 80"
# Port Forward to 3000
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000

echo "Enabling ICMP (Pings, echos)"
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

echo "Preventing DDOS attacks"
# Prevent DOS Attacks
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

echo "Enabling logging"
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

# lastly:
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
```
Update:

```sh
echo "Flushing iptable rules"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

echo "Setting default drop rules"
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow DNS Queries for Git
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
...
```
You forgot to allow outgoing DNS queries, so ssh cannot find the IP address for the hostname.
You need to allow outgoing traffic to TCP port 53 and UDP port 53.
In addition to allowing DNS queries, you also need to allow communication over port 9418.
Git uses port 9418 for communication. You don't want to open the port to the outside, so I only open it with state checking, when a connection is being established.

```sh
# allow git
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --sport 9418 -m state --state ESTABLISHED -j ACCEPT
```
In my case I used a tiny variation (I used conntrack instead of state).

```sh
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 9418 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --sport 9418 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

Reference: http://www.nigeldunn.com/2011/06/29/iptables-rules-to-allow-git/
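The DNS answer and the port 9418 / conntrack answers above fix two separate gaps in the question's script; the following script is an added example (not from the question or from any of the answers) that puts both into one default-DROP ruleset. Two points it builds in: the error in the question is printed by ssh, so that remote is reached over TCP 22 (9418 only matters for git:// remotes, 443 for https://), and the question's LOGGING chain hangs only off INPUT, so the dropped outbound DNS query never reached a LOG rule, which is why nothing showed in kern.log. Assumptions: the uplink interface is eth0 (override with IFACE=...), and the iptables binary is named by IPT, so IPT=echo prints the rules instead of applying them for a dry run.

```sh
#!/bin/sh
# Added example (not from the question or the answers above): a default-DROP
# ruleset that lets git pull work, with egress opened only for what git needs.
# Assumptions: the uplink is eth0 (override with IFACE=...), and IPT names the
# iptables binary; IPT=echo prints the rules instead of applying them (dry run).
set -eu
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"

git_firewall() {
    # Start clean, then default-deny in all three chains, as in the question.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback must be open; the question's script has these two lines
    # commented out, which breaks anything that talks to 127.0.0.1.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # One conntrack rule per chain accepts replies to whatever was allowed,
    # replacing the per-port --sport/ESTABLISHED pairs in the answers.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound DNS: UDP 53, plus TCP 53 for answers too large for UDP.
    # Without this, "Could not resolve hostname" is the first thing git hits.
    $IPT -A OUTPUT -o "$IFACE" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound git. The question's error came from ssh, so that remote uses
    # TCP 22; 9418 is git:// and 443 is https://. Nothing inbound is opened.
    for port in 22 9418 443; do
        $IPT -A OUTPUT -o "$IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Services this host offers. Only NEW is needed; conntrack handles the rest.
    $IPT -A INPUT -i "$IFACE" -p tcp -m multiport --dports 22,80,443,3000 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # The 80 -> 3000 redirect runs in nat/PREROUTING, before filter/INPUT,
    # so the INPUT rule above must accept 3000 for the redirected packets.
    $IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000

    # Log drops in BOTH chains. The question's LOGGING chain hung only off
    # INPUT, so its dropped outbound DNS queries never reached a LOG rule.
    for chain in INPUT OUTPUT; do
        $IPT -A "$chain" -m limit --limit 2/min \
            -j LOG --log-prefix "iptables $chain drop: " --log-level 4
    done
    # The chain policies (DROP) handle everything not matched above.
}

# Apply only when explicitly asked, so the file can be sourced for a dry run.
case "${1:-}" in
    apply) git_firewall ;;
esac
```

Dry-run it first with `IPT=echo sh git-fw.sh apply` and read the rules it would load; then apply as root with `sh git-fw.sh apply`. After applying, `iptables -L OUTPUT -v -n` shows packet counters on the DNS and port 22 rules climbing during a `git pull`, and any remaining drop is now visible in kern.log with an `iptables OUTPUT drop:` prefix instead of disappearing silently.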