I opened the port for tcp/udp using iptables for traceroute, but it still fails, why?

Traceroute to the server fails; this is the description of the problem:

root@newTralev ~ # ifconfig 
eth0      Link encap:Ethernet  HWaddr 74:d0:2b:9a:85:74  
          inet addr:176.9.18.37  Bcast:176.9.18.63  Mask:255.255.255.224
root@condor1796 ~ # traceroute --port=33434 176.9.18.37
traceroute to 176.9.18.37 (176.9.18.37), 30 hops max, 60 byte packets
 1  static-ip-209-126-119-1.inaddr.ip-pool.com (209.126.119.1)  0.201 ms static-ip-209-126-119-2.inaddr.ip-pool.com (209.126.119.2)  3.741 ms static-ip-209-126-119-1.inaddr.ip-pool.com (209.126.119.1)  7.516 ms
 2  207.38.80.33 (207.38.80.33)  0.207 ms 207.38.80.37 (207.38.80.37)  0.248 ms  0.262 ms
 3  ae1.stl1-cr-atlas.bb.gdinf.net (207.38.95.5)  5.304 ms  5.304 ms  5.292 ms
 4  stlo-b1-link.telia.net (62.115.165.48)  0.456 ms  0.318 ms stlo-b1-link.telia.net (62.115.165.90)  0.453 ms
 5  chi-b23-link.telia.net (62.115.113.173)  7.864 ms  7.889 ms  7.850 ms
 6  hetzner-ic-340780-nug-b1.c.telia.net (213.248.70.1)  118.777 ms  118.762 ms  118.776 ms
 7  core24.fsn1.hetzner.com (213.239.252.234)  121.918 ms * *
 8  ex9k1.dc6.fsn1.hetzner.com (213.239.229.94)  121.127 ms ex9k1.dc6.fsn1.hetzner.com (213.239.229.90)  121.127 ms  121.059 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
root@condor1796 ~ # 

This is iptables -L:

root@newTralev ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8008 state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:8008 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:https state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:https state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8181 state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:8181 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:http state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
           tcp  --  anywhere             anywhere             tcp dpt:http state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:8008 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:8181 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:http-alt flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP       tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8008
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12301
ACCEPT     udp  --  anywhere             anywhere             udp dpt:12301
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:52444
ACCEPT     udp  --  anywhere             anywhere             udp dpt:52444
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33434
ACCEPT     udp  --  anywhere             anywhere             udp dpt:33434
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

But Hetzner is not supposed to block port 33434, so does anyone understand where the problem is?

Maybe in my iptables.config file?

My iptables.rules are as follows:

#!/bin/bash

# ATTENTION: flush/delete all existing rules
iptables -F

################################################################
# set the default policy for each of the pre-defined chains
################################################################
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

################################################################
#individual ports tcp
################################################################
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT

#dkim on port 12301
iptables -A INPUT -p tcp --dport 12301 -j ACCEPT
iptables -A INPUT -p udp --dport 12301 -j ACCEPT

#port for mtr
iptables -A INPUT -p tcp --dport 52444 -j ACCEPT
iptables -A INPUT -p udp --dport 52444 -j ACCEPT
iptables -A INPUT -p tcp --dport 33434 -j ACCEPT
iptables -A INPUT -p udp --dport 33434 -j ACCEPT



#uncomment next line to enable AdminGUI on port 4848:
#iptables -A INPUT -p tcp --dport 4848 -j ACCEPT

#limit number of connections
iptables -t filter -I INPUT -p tcp --syn --dport 80 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8080 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8181 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 443 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8008 -m connlimit  --connlimit-above 20 --connlimit-mask 32 -j DROP

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8080 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8080 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8181 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8181 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP



################################################################
#slow down the amount of ssh connections by the same ip address:
#wait 60 seconds if 3 times failed to connect
################################################################
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 --rttl -j DROP

#drop everything else
iptables -A INPUT -j DROP
################################################################
#Redirection Rules
################################################################
#1. redirection rules (allowing forwarding from localhost)
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8181

#2. redirection http
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

#3. redirection https
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
################################################################
#save the rules somewhere and make sure
#our rules get loaded if the ubuntu server is restarted
################################################################
iptables-save > /etc/my-iptables.rules
iptables-restore < /etc/my-iptables.rules
#List Rules to see what we have now
iptables -L

Thanks!

Answer 1

  1. For any strange network problem, run tcpdump. It captures packets before iptables.
  2. By default, traceroute uses UDP probes with the starting port number 33434, incremented by 1 for each subsequent probe. Because your host is not the first hop, you must allow some of the following port numbers. For example, 32. So the rule for traceroute should look like this:
iptables -t filter -I INPUT -p udp --dport 33434:33468 -j ACCEPT
  3. I also think you should allow incoming ICMP packets. Apart from traceroute in ICMP-probe mode, ICMP is required for PMTUD (Path MTU Discovery), so blocking it completely is not a good idea.
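Sizing the UDP rule from the hop count instead of guessing, as an added example that is not part of the question or the answer above; it assumes Linux traceroute's default UDP mode (one port increment per probe, starting at the --port value, NQ probes per hop) and the helper names are hypothetical:

```shell
#!/bin/sh
# Added example: work out which UDP destination ports a default Linux
# traceroute sends towards a host, so the firewall rule covers all of them.
# Assumption: each probe uses the next destination port, starting at START,
# with NQ probes per hop. Other traceroute implementations may differ.

# probe_port_range START NQ MAXHOPS -> "LOW:HIGH" in iptables --dport syntax
probe_port_range() {
    start=$1; nq=$2; hops=$3
    high=$((start + nq * hops - 1))
    printf '%d:%d\n' "$start" "$high"
}

# hop_of_port START NQ PORT -> the hop (TTL) a probe to PORT belongs to;
# handy when reading tcpdump lines such as "... > 176.9.18.37.33470: UDP"
hop_of_port() {
    start=$1; nq=$2; port=$3
    echo $(( (port - start) / nq + 1 ))
}

# accept_rule START NQ MAXHOPS -> the iptables rule that admits every probe
accept_rule() {
    range=$(probe_port_range "$1" "$2" "$3")
    printf 'iptables -I INPUT -p udp --dport %s -j ACCEPT\n' "$range"
}

# traceroute defaults: start port 33434, 3 probes per hop, 30 hops max
accept_rule 33434 3 30
# To confirm probes actually arrive before iptables sees them (as the answer
# suggests), capture the same range:
#   tcpdump -ni eth0 udp and dst portrange 33434-33523
```

With the defaults the range is 33434:33523; a rule that stops at 33468 only covers probes up to hop 12, which is why a host further down the path can still show as "* * *".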
