Recovering a Linux VM on Azure from a misconfigured firewall


    In day-to-day operations it happens from time to time that a firewall locks you out of your own machine. Being able to recover quickly matters a great deal to operators.

    This post shows how to use an Azure Extension to run commands on a VM without going through ssh.

    I previously wrote a blog post on deploying Azure's CustomScriptExtension:

    http://www.cnblogs.com/hengwei/p/5862200.html

    Building on the CustomScriptExtension, here is how to turn the firewall off.

    1. Add a firewall rule

    Add an iptables rule that blocks external ssh access to the VM:

    iptables -A INPUT -p tcp --dport 22 -j DROP

    All traffic to port 22 is now dropped.

    Observe the VM's port 22 with psping:

    psping -t 139.219.237.69:22
    Connecting to 139.219.237.69:22: 177.94ms
    Connecting to 139.219.237.69:22: 201.50ms
    Connecting to 139.219.237.69:22: 200.93ms
    Connecting to 139.219.237.69:22: 196.51ms
    Connecting to 139.219.237.69:22: 200.42ms
    Connecting to 139.219.237.69:22: 175.54ms
    Connecting to 139.219.237.69:22: 178.16ms
    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.

    To avoid the case where the script fails and the VM becomes unreachable for good, first run the following script, which automatically removes the firewall rules after 5 minutes:

    remove_iptables.sh:

    #!/bin/bash
    # every 5 minutes, flush all iptables rules and log the time
    while true
    do
      sleep 300
      iptables -F
      echo `date` >> a.txt
    done

    [root@hwcentos ~]# ./remove_iptables.sh &
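A sturdier version of this safety net, added here as an example rather than the post's own script: instead of flushing everything on a timer, it snapshots the full ruleset with iptables-save, applies the risky change, and restores exactly that snapshot when the timer fires unless the operator confirms the change in time. The function names, marker-file paths and the five-minute value in the usage comment are assumptions.

```shell
#!/bin/sh
# Safety net for a risky firewall change (added example; not the post's script).
# Unlike `iptables -F`, which also throws away rules you wanted to keep, this
# snapshots the full ruleset, applies the change, and restores that exact snapshot
# when the timer fires unless the operator confirms the change first.
# Tool names and paths below are assumptions; override them via the environment.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
SNAPSHOT=${SNAPSHOT:-/var/tmp/iptables.rollback}
CONFIRM=${CONFIRM:-/var/tmp/iptables.confirmed}

# Capture the current ruleset; fails if nothing was written.
snapshot_rules() {
    $IPT_SAVE > "$SNAPSHOT" || return 1
    [ -s "$SNAPSHOT" ]
}

# Operator runs this (over ssh, or via the extension) to keep the new rules.
confirm_change() { : > "$CONFIRM"; }

# Timer action, kept apart from the sleep so it can be tested without waiting:
# prints "kept" when confirmed, otherwise restores the snapshot and prints "restored".
rollback_if_unconfirmed() {
    if [ -e "$CONFIRM" ]; then
        rm -f "$CONFIRM"; echo kept; return 0
    fi
    $IPT_RESTORE < "$SNAPSHOT" || return 1
    echo restored
}

# Arm the timer in a background subshell that ignores SIGHUP, so losing the
# ssh session (the very failure we are guarding against) does not kill it.
schedule_rollback() {   # $1 = seconds; prints the timer's pid
    ( trap '' HUP; sleep "$1"; rollback_if_unconfirmed ) > /dev/null 2>&1 &
    echo $!
}

# apply_with_rollback SECONDS COMMAND...  e.g.
#   ./safe_fw.sh 300 iptables -A INPUT -p tcp --dport 22 -j DROP
apply_with_rollback() {
    secs=$1; shift
    snapshot_rules || { echo "could not snapshot ruleset" >&2; return 1; }
    rm -f "$CONFIRM"
    echo "rollback armed (pid $(schedule_rollback "$secs")); confirm within ${secs}s"
    "$@"
}
if [ "$#" -ge 2 ]; then
    apply_with_rollback "$@"
fi
```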

    2. Remove the firewall rule via CustomScriptExtension

    Run the following PowerShell script:

    $mycred = Get-Credential -UserName admin@xxx.partner.onmschina.cn -Message hello
    Login-AzureRmAccount -EnvironmentName AzureChinaCloud -Credential $mycred

    # Define the Resource Group, VM and Location variables
    $RGName = 'hwextensiontest'
    $VmName = 'hwcentos'
    $Location = 'China East'

    # Define the extension details
    $ExtensionName = 'CustomScriptForLinux'
    $Publisher = 'Microsoft.OSTCExtensions'
    $Version = '1.5'

    # Public settings of the extension: the command to run on the VM
    $PublicConf = '{"commandToExecute": "iptables -F"}'

    # Run Set-AzureRmVMExtension to install the extension:
    Set-AzureRmVMExtension -ResourceGroupName $RGName -VMName $VmName -Location $Location `
      -Name $ExtensionName -Publisher $Publisher `
      -ExtensionType $ExtensionName -TypeHandlerVersion $Version `
      -SettingString $PublicConf

    RequestId IsSuccessStatusCode StatusCode ReasonPhrase
    --------- ------------------- ---------- ------------
                             True         OK OK

    The iptables -F command clears every firewall rule.

    The PsPing output now looks like this:

    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
    Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
    Connecting to 139.219.237.69:22: 3210.12ms
    Connecting to 139.219.237.69:22: 197.16ms
    Connecting to 139.219.237.69:22: 202.64ms

    At this point the VM can be reached over ssh again.

    Look at the extension's log:

    [root@hwcentos 1.5.2.0]# pwd
    /var/log/azure/Microsoft.OSTCExtensions.CustomScriptForLinux/1.5.2.0
    [root@hwcentos 1.5.2.0]# less extension.log
    ..........
    2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Config decoded correctly.
    2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Will try to download files, number of retries = 10, wait SECONDS between retrievals = 20s
    2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F
    2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]fileUris value provided is empty or invalid. Continue with executing command...
    2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Succeeded to download files, retry count = 0
    2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Internal DNS is ready, retry count = 0
    2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F
    2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command is finished.
    2016/10/22 03:04:50 ---stdout---
    2016/10/22 03:04:50
    2016/10/22 03:04:50 ---errout---
    2016/10/22 03:04:50
    2016/10/22 03:04:50
    2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Daemon,success,0,Command is finished.
    2016/10/22 03:04:50 ---stdout---
    2016/10/22 03:04:50
    2016/10/22 03:04:50 ---errout---
    2016/10/22 03:04:50

    Check the firewall state:

    [root@hwcentos ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination  

    The firewall rules are gone.

    3. Going further

    Sometimes the reason a customer's VM is unresponsive is not the firewall at all. In that case we can collect an sosreport, get the file out by copying it to another VM or by similar means, and analyse it there.

    We can also ping other VMs and capture packets on one of them to check whether this VM is still alive on the network, and decide the next analysis step and action from that.

    4. Things to note

    When CustomScript is run more than once, the extension checks whether the configuration is the same as last time; if it is, the extension treats the run as a duplicate and the script is not executed again.

    Update:

    The Azure VM extension talks to Azure over outbound HTTPS connections initiated by the VM, as the following output shows:

    [root@hwcentos ~]# netstat -tunp
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
    tcp        0      0 10.3.0.4:22                 167.220.255.53:65428        SYN_RECV    -                   
    tcp        0      0 10.3.0.4:51542              168.63.129.16:80            TIME_WAIT   -                   
    tcp        0      0 10.3.0.4:42505              40.126.88.72:443            TIME_WAIT   -                   
    tcp        0     52 10.3.0.4:22                 167.220.255.53:61944        ESTABLISHED 32399/sshd          
    tcp        0      0 10.3.0.4:42506              40.126.88.72:443            TIME_WAIT   -                   
    tcp        0      0 10.3.0.4:42508              40.126.88.72:443            TIME_WAIT   -                   
    tcp        0      0 10.3.0.4:42509              40.126.88.72:443            TIME_WAIT   -                   
    tcp        0      0 10.3.0.4:51545              168.63.129.16:80            TIME_WAIT   -

    Many HTTPS connections from the VM to 40.x.x.x addresses are visible. As long as the VM can reach external HTTPS endpoints, the VM Extension keeps working.

    So, in the INPUT direction of iptables, add:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

    This makes sure the replies to the VM's outbound connections are not blocked by the firewall.

    Even after appending the following rule behind them, the VM extension can still clear the iptables rules:

    iptables -A INPUT -s 0/0 -j DROP
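For the rule-ordering argument in this Update (and the lockout in section 1), here is an added pre-flight check that is not from the post: it reads a ruleset in iptables-save format and reports whether the INPUT chain still admits the reply traffic of the VM's own outbound HTTPS, i.e. whether a stateful ESTABLISHED,RELATED accept precedes any catch-all drop. The function name and the heuristic for what counts as a catch-all are my assumptions.

```shell
#!/bin/sh
# Pre-flight check before changing INPUT rules (added example; not code from the post).
# Reads a ruleset in iptables-save format and reports whether the INPUT chain still
# lets the reply half of the VM's own outbound HTTPS through, which the Azure
# extension path depends on: a stateful ACCEPT for ESTABLISHED,RELATED must come
# before any catch-all DROP/REJECT, and a DROP chain policy counts as a catch-all.
# Heuristic: a rule carrying -p/--dport/-i/-d or a source other than 0/0 is not a catch-all.
# Returns 0 (extension can still reach the VM) or 1 (recovery via extension at risk).
check_input_chain() {   # $1 = file in iptables-save format
    awk '
        /^:INPUT DROP/ { policy_drop = 1 }
        /^-A INPUT / {
            # a stateful accept only helps if it precedes the catch-all
            if ($0 ~ /-j ACCEPT/ && $0 ~ /--(state|ctstate) / &&
                $0 ~ /ESTABLISHED/ && $0 ~ /RELATED/ && !catchall)
                stateful = 1
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /-p |--dport |-i |-d / &&
                ($0 !~ /-s / || $0 ~ /-s 0(\.0\.0\.0)?\/0 /))
                catchall = 1
        }
        END {
            if ((catchall || policy_drop) && !stateful) {
                print "lockout risk: INPUT discards reply traffic before any ESTABLISHED,RELATED accept"
                exit 1
            }
            if (catchall || policy_drop)
                print "ok: reply traffic accepted before the catch-all"
            else
                print "ok: no catch-all in INPUT"
        }' "$1"
}

# Usage: iptables-save > /tmp/rules.txt; ./check_input.sh /tmp/rules.txt
if [ "$#" -ge 1 ]; then
    check_input_chain "$1"
fi
```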
    Original post: https://www.cnblogs.com/hengwei/p/5987193.html