有东莞的监控主机到北京BGP出问题了; 报警短信疯狂发送; 找东莞IDC和北京BGP服务商协查;
有个奇怪的问题;北京到东莞trcaceroute都有路由信息
东莞143段到北京全无路由信息;但,东莞151段到北京就有路由信息;
检查143段和151段的iptables配置;发现有细微的差别:
143:
# Generated by iptables-save v1.3.5 on Fri Dec 19 17:00:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3815024465:25962152950339]
......
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Dec 19 17:00:58 2014
151:
# Generated by iptables-save v1.4.7 on Fri Dec 19 17:01:18 2014
*filter
:INPUT ACCEPT [158253008:8885848717]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [108990300717:428153347609533]
.................
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Dec 19 17:01:18 2014
有注意到:
-A INPUT -j DROP --------------------------------------->ping的时候是output;traceroute的时候每个路由节点回返回包;
而规则-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT默认是TCP协议;而ping/traceroute使用的是icmp协议;
-A INPUT -p tcp -m tcp --dport 22 -j DROP----------------->这个仅仅drop了22端口,此外其他都是放行的;
====
优化143段配置如:
#-A INPUT -p icmp -j ACCEPT------------------------------------------>添加这一条规则
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
#-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Dec 19 17:05:26 2014