Troubleshooting a service inside a VM that could not be reached from outside

    The problem: I had installed CentOS in VirtualBox and deployed a service of my own in it. Inside the VM the service answered on both its 127.* and its 192.* address, but every connection attempt from outside the VM was refused.

    Inside the VM

    [root@localhost dsp]# curl http://192.168.199.184:7050/debug/pprof/heap
    heap profile: 141: 4782544 [1677: 16456768] @ heap/1048576
    1: 1376256 [1: 1376256] @ 0x40e542 0x40d3f2 0x52859e 0x5427cf 0x4014b5 0x4323d0 0x462b61
    1: 1376256 [1: 1376256] @ 0x40e542 0x40d3f2 0x52859e 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 688128 [1: 688128] @ 0x40e542 0x40d3f2 0x52859e 0x5427cf 0x4014b5 0x4323d0 0x462b61
    1: 688128 [1: 688128] @ 0x40e542 0x40d3f2 0x52859e 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 524288 [1: 524288] @ 0x5493e6 0x54185e 0x4014b5 0x4323d0 0x462b61
    3: 26112 [3: 26112] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    27: 19008 [27: 19008] @ 0x40c424 0x5279a1 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 17664 [1: 17664] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    7: 16128 [12: 27648] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    21: 14784 [21: 14784] @ 0x40c424 0x5279a1 0x5427cf 0x4014b5 0x4323d0 0x462b61
    3: 13824 [4: 18432] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61

    Outside the VM

    ➜ dsp curl http://192.168.199.184:7050/debug/pprof/heap
    curl: (7) Failed to connect to 192.168.199.184 port 7050: Connection refused

    So the first check was the listening sockets, and they were fine: port 7050 is listening, and on every address. The socket shows up as tcp6 :::7050, but that is the IPv6 wildcard; with net.ipv6.bindv6only left at its Linux default of 0 such a socket also accepts IPv4 connections, so this is not the cause.

    [root@localhost dsp]# netstat -ltn
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State 
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 
    tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 
    tcp 0 0 127.0.0.1:6380 0.0.0.0:* LISTEN 
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 
    tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 
    tcp6 0 0 :::7050 :::* LISTEN 
    tcp6 0 0 :::6379 :::* LISTEN 
    tcp6 0 0 :::10383 :::* LISTEN 
    tcp6 0 0 :::7089 :::* LISTEN 
    tcp6 0 0 :::22 :::* LISTEN 
    tcp6 0 0 ::1:25 :::* LISTEN 
    tcp6 0 0 :::8000 :::* LISTEN 

    At this point I started to suspect that the firewall was refusing the connections, so I listed the filter rules with iptables:
    -L|--list [CHAIN [RULENUM]]   list one rule, one chain, or (with no arguments) every chain
    -v|--verbose (can be repeated)   show per-rule packet and byte counters plus the in/out interface columns
    -n|--numeric   print addresses and ports as numbers instead of resolving them
    pkts is the number of packets each rule has matched (and therefore accepted or rejected).

    In the listing, rule 5, the catch-all REJECT, has matched 75 packets, so the cause is now clear: the filter rules have to change. Note also that an ACCEPT for dpt:7050 already exists, at position 9, but it sits below the REJECT and has matched 0 packets. A rule added with -A is appended to the end of the chain, and nothing placed after a catch-all REJECT can ever match. Adding --line-numbers to the command prints the rule positions so you do not have to count them by hand.

    [root@localhost dsp]# iptables -L -v -n
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination 
    1646 119K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 
    7 445 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    75 17712 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8088
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7050
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10383
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7089
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8000
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination 
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT 1609 packets, 175K bytes)
    pkts bytes target prot opt in out source destination


    The saved ruleset in /etc/sysconfig/iptables is the following (note that it contains none of the port-specific ACCEPT rules seen in the live listing; those were added at runtime and never saved):

    [root@localhost dsp]# cat /etc/sysconfig/iptables
    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    #
    COMMIT
    [root@localhost dsp]#


    Roughly, the rules mean:
    1. Accept any packet whose connection state is RELATED or ESTABLISHED.
    2. Accept any ICMP packet.
    3. Accept anything arriving on the lo interface, whatever its source (0.0.0.0/0), its destination, or its protocol (prot all).
    4. Accept new (state NEW) TCP connections to port 22.
    5. Reject everything else, and answer the sender with an ICMP host-prohibited message.


    iptables evaluates the rules of a chain in order and executes the target of the first rule that matches (ACCEPT, REJECT, and so on), after which the packet is no longer compared against later rules. A packet that none of the first four rules matches is guaranteed to match rule 5 and is rejected; the chain's policy (ACCEPT here) is only consulted for packets that fall off the end of the chain, which this catch-all prevents for INPUT.

    Back to our problem: the SYN to port 7050 is a state NEW packet that matches none of rules 1-4, so it is handled by rule 5. To fix it, add one rule before rule 5 (above the REJECT, not appended below it):
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 7050 -j ACCEPT
    One caveat before opening the port: /debug/pprof is the path convention of Go's net/http/pprof package, and the response above is a heap profile of the running process. Anyone who can reach the port gets heap and CPU profiles, stack traces and command-line arguments of the service. If only the VirtualBox host needs it, narrow the rule with -s to the host's address or subnet, or keep the profiling listener on 127.0.0.1 and reach it through an SSH tunnel.
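    The two points above (rules are matched in order, and an ACCEPT appended below the catch-all REJECT is dead) can be checked mechanically instead of by counting lines. The script below is an added example, not code from the original post: it parses the output of iptables -L INPUT -v -n (the sample embedded in it is a constructed copy of the listing shown earlier), reports the position of the first catch-all REJECT/DROP and every rule shadowed below it, and prints the iptables -I command that inserts the new ACCEPT directly above the catch-all. The optional source-network argument (192.168.199.0/24 in the usage line) is an assumed operator choice that limits who may reach the port; it is not part of the post's fix.

```shell
#!/bin/sh
# Added example, not from the original post: audit an `iptables -L INPUT -v -n`
# listing for rules that sit below the first catch-all REJECT/DROP (and so can
# never match), and build the `iptables -I` command that puts a new ACCEPT
# rule above the catch-all instead of appending it below with -A.

# Constructed sample: the INPUT/FORWARD listing from the post, laid out the way
# iptables prints it. On a live host use "$(iptables -L INPUT -v -n)" (root).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1646  119K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    7   445 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   75 17712 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8088
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:7050
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10383
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:7089
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# _input_rules LISTING: walk the INPUT chain, numbering rules the way
# `iptables -L --line-numbers` does. A rule is a catch-all when its target is
# REJECT or DROP, protocol all, any in/out interface, source and destination
# 0.0.0.0/0, and no match extension (only an optional reject-with). The first
# catch-all is printed as "CATCHALL <n> <rule>", every rule after it as
# "SHADOWED <n> <rule>"; other chains are ignored.
_input_rules() {
  printf '%s\n' "$1" | awk '
    /^Chain /      { chain = $2; n = 0; dead = 0; next }
    /^[ \t]*pkts/  { next }
    NF == 0        { next }
    chain == "INPUT" {
      n++
      if (dead) { print "SHADOWED", n, $0; next }
      if (($3 == "REJECT" || $3 == "DROP") && $4 == "all" && $6 == "*" && $7 == "*" &&
          $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && (NF == 9 || $10 == "reject-with")) {
        dead = n
        print "CATCHALL", n, $0
      }
    }'
}

# catchall_rulenum LISTING: position of the first catch-all in INPUT; empty if none.
catchall_rulenum() {
  _input_rules "$1" | awk '$1 == "CATCHALL" { print $2; exit }'
}

# shadowed_rules LISTING: the rules that can never match, one per line, as "<n> <rule>".
shadowed_rules() {
  _input_rules "$1" | sed -n 's/^SHADOWED //p'
}

# open_port_command LISTING PORT [SOURCE_CIDR]: the command that inserts an ACCEPT
# for new TCP connections to PORT directly above the catch-all (or at the top of
# the chain if there is none). SOURCE_CIDR, when given, restricts the rule to that
# network; it is an assumed operator choice, not part of the post's fix.
open_port_command() {
  n=$(catchall_rulenum "$1")
  [ -n "$n" ] || n=1
  if [ -n "$3" ]; then src=" -s $3"; else src=""; fi
  printf 'iptables -I INPUT %s%s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' \
    "$n" "$src" "$2"
}

echo "catch-all REJECT is INPUT rule $(catchall_rulenum "$SAMPLE_LISTING")"
echo "rules below it that can never match:"
shadowed_rules "$SAMPLE_LISTING"
echo "fix (insert above the catch-all, limited to the host's subnet):"
open_port_command "$SAMPLE_LISTING" 7050 192.168.199.0/24
```

    Run as is, the script reports rule 5 as the catch-all, lists rules 6 to 12 (including the existing dpt:7050 ACCEPT) as dead, and prints the insert command. Whichever way the rule is inserted at runtime, it also has to be written into /etc/sysconfig/iptables above the REJECT line (by editing the file, or with iptables-save once the live chain is in the wanted state), because a restart of the iptables service reloads that file and discards unsaved runtime rules.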

    [root@localhost dsp]# cat /etc/sysconfig/iptables
    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 7050 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    #
    COMMIT
    [root@localhost dsp]#
    

    Then reload the ruleset:
    systemctl restart iptables
    On CentOS 7 this is the unit from the iptables-services package; it re-reads /etc/sysconfig/iptables, so anything that was added at runtime with iptables -A or -I but never saved (for example the ACCEPT rules for 3306, 8088, 80 and the other ports visible in the live listing but absent from the file) is discarded. Run iptables -L INPUT -v -n --line-numbers afterwards to confirm the new rule sits above the REJECT.


    Problem solved:

    ➜ dsp curl http://192.168.199.184:7050/debug/pprof/heap
    heap profile: 141: 4782544 [1682: 16457312] @ heap/1048576
    1: 1376256 [1: 1376256] @ 0x40e542 0x40d3f2 0x52859e 0x5427cf 0x4014b5 0x4323d0 0x462b61
    1: 1376256 [1: 1376256] @ 0x40e542 0x40d3f2 0x52859e 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 688128 [1: 688128] @ 0x40e542 0x40d3f2 0x52859e 0x5427cf 0x4014b5 0x4323d0 0x462b61
    1: 688128 [1: 688128] @ 0x40e542 0x40d3f2 0x52859e 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 524288 [1: 524288] @ 0x5493e6 0x54185e 0x4014b5 0x4323d0 0x462b61
    3: 26112 [3: 26112] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    27: 19008 [27: 19008] @ 0x40c424 0x5279a1 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 17664 [1: 17664] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5



  • Original post: https://www.cnblogs.com/vc60er/p/6919539.html