• 一次解决虚拟机内的服务不能被访问的经历


    一次解决虚拟机内的服务不能被访问的经历

    问题是这样的,在virtualbox中安装了centos系统,然后部署了一个自己的服务,在虚拟机内通过“127*”地址和“192*”地址都能正常访问,但是虚拟机外访问被拒绝

    虚拟机内

    [root@localhost dsp]# curl http://192.168.199.184:7050/debug/pprof/heap
    heap profile: 141: 4782544 [1677: 16456768] @ heap/1048576
    1: 1376256 [1: 1376256] @ 0x40e542 0x40d3f2 0x52859e 0x5427cf 0x4014b5 0x4323d0 0x462b61
    1: 1376256 [1: 1376256] @ 0x40e542 0x40d3f2 0x52859e 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 688128 [1: 688128] @ 0x40e542 0x40d3f2 0x52859e 0x5427cf 0x4014b5 0x4323d0 0x462b61
    1: 688128 [1: 688128] @ 0x40e542 0x40d3f2 0x52859e 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 524288 [1: 524288] @ 0x5493e6 0x54185e 0x4014b5 0x4323d0 0x462b61
    3: 26112 [3: 26112] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    27: 19008 [27: 19008] @ 0x40c424 0x5279a1 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 17664 [1: 17664] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    7: 16128 [12: 27648] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    21: 14784 [21: 14784] @ 0x40c424 0x5279a1 0x5427cf 0x4014b5 0x4323d0 0x462b61
    3: 13824 [4: 18432] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    
     

    虚拟机外

    ➜ dsp curl http://192.168.199.184:7050/debug/pprof/heap
    curl: (7) Failed to connect to 192.168.199.184 port 7050: Connection refused
    ➜ dsp
    ➜ dsp

    于是乎,检查网络端口监听是正常;7050端口确实监听正常,并且所有网络地址都监听了

    [root@localhost dsp]# netstat -ltn
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State 
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 
    tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 
    tcp 0 0 127.0.0.1:6380 0.0.0.0:* LISTEN 
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 
    tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 
    tcp6 0 0 :::7050 :::* LISTEN 
    tcp6 0 0 :::6379 :::* LISTEN 
    tcp6 0 0 :::10383 :::* LISTEN 
    tcp6 0 0 :::7089 :::* LISTEN 
    tcp6 0 0 :::22 :::* LISTEN 
    tcp6 0 0 ::1:25 :::* LISTEN 
    tcp6 0 0 :::8000 :::* LISTEN 
    [root@localhost dsp]# 
    [root@localhost dsp]#

    到这里,开始怀疑是不是防火墙拒绝了访问,于是通过iptables查看防火墙规虑规则
    -L|--list [CHAIN [RULENUM]] //列出指定链或所有链中指定规则或所有规则
    -v|--verbose (x3) //查看规则列表时,显示更详细的信息
    pkts 是被接受/拒绝的包的数量,

    这里,第5条规则拒绝了75个包,现在问题已经明确了。需要去修改iptable的过滤规则

    [root@localhost dsp]# iptables -L -v -n
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination 
    1646 119K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 
    7 445 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    75 17712 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8088
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7050
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10383
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7089
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8000
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination 
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT 1609 packets, 175K bytes)
    pkts bytes target prot opt in out source destination


    iptables中的规则如下,

    [root@localhost dsp]# 
    [root@localhost dsp]# cat /etc/sysconfig/iptables
    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    #
    COMMIT
    [root@localhost dsp]#


    大致意思是
    1.只要是封包状态为 RELATED,ESTABLISHED 就予以接受
    2.只要封包协议是 icmp 类型的,就予以放行
    3.网络接口是lo的,无论任何来源 (0.0.0.0/0) 且要去任何目标的封包,不论任何封包格式 (prot 为 all),通通都接受
    4.只要是传给 port 22 的主动式联机 tcp 封包就接受
    5.全部的封包信息通通拒绝,并且发送一条host prohibited的消息给被拒绝的主机。


    iptables的规则是按照顺序逐个拿来匹配数据包的,匹配成功则去执行相应的动作(accept/reject),如果一个数据包不能被前4个匹配到,那么一定会在第5个规则的时候匹配成功,按照第5个规则数据会被拒绝掉

    回到本次问题中,我们的7050端口被执行了第5条规则。要解决此问题,我们只需要在第5个规则之前增加一条规则即可
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 7050 -j ACCEPT

    [root@localhost dsp]# 
    [root@localhost dsp]# cat /etc/sysconfig/iptables
    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 7050 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    #
    COMMIT
    [root@localhost dsp]#
    

    然后
    systemctl restart iptables


    问题解决:

    ➜ dsp curl http://192.168.199.184:7050/debug/pprof/heap
    heap profile: 141: 4782544 [1682: 16457312] @ heap/1048576
    1: 1376256 [1: 1376256] @ 0x40e542 0x40d3f2 0x52859e 0x5427cf 0x4014b5 0x4323d0 0x462b61
    1: 1376256 [1: 1376256] @ 0x40e542 0x40d3f2 0x52859e 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 688128 [1: 688128] @ 0x40e542 0x40d3f2 0x52859e 0x5427cf 0x4014b5 0x4323d0 0x462b61
    1: 688128 [1: 688128] @ 0x40e542 0x40d3f2 0x52859e 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 524288 [1: 524288] @ 0x5493e6 0x54185e 0x4014b5 0x4323d0 0x462b61
    3: 26112 [3: 26112] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5 0x4323d0 0x462b61
    27: 19008 [27: 19008] @ 0x40c424 0x5279a1 0x542846 0x4014b5 0x4323d0 0x462b61
    1: 17664 [1: 17664] @ 0x40e542 0x40d3f2 0x549c50 0x54185e 0x4014b5


    参考资料
    http://cn.linux.vbird.org/linux_server/0250simple_firewall.php
    http://www.cnblogs.com/pixy/p/5156739.html
    https://wiki.archlinux.org/index.php/Iptables_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)
    http://0x1.im/blog/server/use-linux-ubuntu-iptables.html

  • 相关阅读:
    BZOJ 1576 树剖+LCT
    CF1051D Bicolorings 递推
    CF938D Buy a Ticket dijkstra
    记一次创建svc代理失败
    K8S中Service
    K8S中的Job和CronJob
    K8S中DaemonSet
    Linux expect介绍和用法
    Java根据余弦定理计算文本相似度
    Python和Sublime的整合
  • 原文地址:https://www.cnblogs.com/vc60er/p/6919539.html
Copyright © 2020-2023  润新知