I have 2 remote servers, called LAMPserver and DBserver (both on Ubuntu 14.04). I can connect via ssh from my local machine to both servers, and I can connect via SSH from DBserver to LAMPserver, but not from LAMPserver to DBserver.
I ran the basic tests:
– pointing at the correct server (I can reach LAMPserver via SSH from my local machine)
– firewall: nothing at all on DBserver; iptables -L on LAMPserver returns:
Chain INPUT (policy DROP)
target        prot opt source     destination
fail2ban-ssh  tcp  --  anywhere   anywhere   multiport dports ssh
ACCEPT        all  --  anywhere   anywhere   state RELATED,ESTABLISHED
ACCEPT        all  --  anywhere   anywhere
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:http
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:https
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:ssh
ACCEPT        tcp  --  anywhere   anywhere   tcp dpts:ftp-data:ftp
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:smtp
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:submission
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:pop3
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:pop3s
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:imap2
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:imaps
ACCEPT        tcp  --  anywhere   anywhere   tcp spt:domain
ACCEPT        udp  --  anywhere   anywhere   udp spt:domain
ACCEPT        icmp --  anywhere   anywhere

Chain FORWARD (policy DROP)
target        prot opt source     destination
ACCEPT        tcp  --  anywhere   anywhere   tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT        udp  --  anywhere   anywhere   limit: avg 1/sec burst 5
ACCEPT        icmp --  anywhere   anywhere   icmp echo-request limit: avg 1/sec burst 5
ACCEPT        tcp  --  anywhere   anywhere   tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5

Chain OUTPUT (policy DROP)
target        prot opt source     destination
ACCEPT        all  --  anywhere   anywhere   state RELATED,ESTABLISHED
ACCEPT        all  --  anywhere   anywhere
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:http
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:https
ACCEPT        tcp  --  anywhere   anywhere   tcp spt:ssh
ACCEPT        tcp  --  anywhere   anywhere   tcp dpts:ftp-data:ftp
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:smtp
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:submission
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:pop3
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:pop3s
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:imap2
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:imaps
ACCEPT        tcp  --  anywhere   anywhere   tcp dpt:domain
ACCEPT        udp  --  anywhere   anywhere   udp dpt:domain
ACCEPT        icmp --  anywhere   anywhere
ACCEPT        udp  --  anywhere   anywhere   udp dpt:ntp

Chain fail2ban-ssh (1 references)
target        prot opt source     destination
RETURN        all  --  anywhere   anywhere
– port 22 open on both LAMPserver and DBserver (checked using http://mxtoolbox.com)
– both servers listening on port 22 (checked in the ssh config: nano /etc/ssh/sshd_config)
– the ssh server is started on both servers
The firewall on my LAMPserver:
#!/bin/sh

# Remove all rules
iptables -t filter -F
iptables -t filter -X

# Forbid all traffic
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# Allow established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# Allow HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH
iptables -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow FTP
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT

# Allow SMTP
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT

# Allow POP3
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT

# Allow POPS
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT

# Allow IMAP
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT

# Allow IMAPS
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT

# Allow DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --sport 53 -j ACCEPT

# Allow ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# NTP (server clock)
sudo iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# Prevent flood or DDoS
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Limit port scans
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
LAMPserver is set up with SSL. Any ideas would be very welcome…
In your OUTPUT chain, it looks like you made a small mistake:
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
When connecting to a remote SSH server, the source port should be random (range: 1024-65535) and the destination port is 22.
Try changing your "# Allow SSH" block to the following:
# Allow SSH
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
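As an added illustration (not part of the answer above, and not the asker's script), the following Python models the OUTPUT chain with iptables' first-match semantics and shows why the first SYN of an outgoing ssh session is dropped under the original "--sport 22" rule but accepted under the corrected "--dport 22" rule, while replies from the server's own sshd pass either way via the RELATED,ESTABLISHED rule. The packets and port numbers are constructed sample values.

```python
# Minimal model of the filter OUTPUT chain from the question: the first matching
# rule wins, otherwise the chain policy (DROP) applies. Added illustration, not
# the asker's script; the packets below are constructed sample values.
from dataclasses import dataclass

@dataclass
class Rule:
    target: str
    proto: str = None      # "tcp", "udp", "icmp"; None matches any protocol
    sport: int = None      # --sport, if set
    dport: int = None      # --dport, if set
    states: tuple = ()     # -m state --state ...; empty means no state match

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED or RELATED

def rule_matches(rule, pkt):
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True

def verdict(chain, pkt, policy="DROP"):
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.target
    return policy

# OUTPUT rules that matter for SSH, in the order the script appends them.
STATEFUL = [Rule("ACCEPT", states=("RELATED", "ESTABLISHED"))]
BEFORE_FIX = STATEFUL + [Rule("ACCEPT", proto="tcp", sport=22)]  # --sport 22
AFTER_FIX = STATEFUL + [Rule("ACCEPT", proto="tcp", dport=22)]   # --dport 22

# Constructed packets: the first SYN of "ssh DBserver" sent from LAMPserver
# (random high source port, destination 22, no conntrack entry yet), and a
# reply from LAMPserver's own sshd inside an already established session.
OUTGOING_SSH_SYN = Packet("tcp", sport=45123, dport=22, state="NEW")
SSHD_REPLY = Packet("tcp", sport=22, dport=51000, state="ESTABLISHED")

def outgoing_ssh_allowed(chain):
    return verdict(chain, OUTGOING_SSH_SYN) == "ACCEPT"
```

The model ignores the loopback and other per-port rules because none of them can match an outgoing SYN to port 22; only the state rule and the SSH rule decide the verdict.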