서버에 대한 Traceroute가 실패했습니다. 문제에 대한 설명은 다음과 같습니다.
root@newTralev ~ # ifconfig
eth0 Link encap:Ethernet HWaddr 74:d0:2b:9a:85:74
inet addr:176.9.18.37 Bcast:176.9.18.63 Mask:255.255.255.224
root@condor1796 ~ # traceroute --port=33434 176.9.18.37
traceroute to 176.9.18.37 (176.9.18.37), 30 hops max, 60 byte packets
1 static-ip-209-126-119-1.inaddr.ip-pool.com (209.126.119.1) 0.201 ms static-ip-209-126-119-2.inaddr.ip-pool.com (209.126.119.2) 3.741 ms static-ip-209-126-119-1.inaddr.ip-pool.com (209.126.119.1) 7.516 ms
2 207.38.80.33 (207.38.80.33) 0.207 ms 207.38.80.37 (207.38.80.37) 0.248 ms 0.262 ms
3 ae1.stl1-cr-atlas.bb.gdinf.net (207.38.95.5) 5.304 ms 5.304 ms 5.292 ms
4 stlo-b1-link.telia.net (62.115.165.48) 0.456 ms 0.318 ms stlo-b1-link.telia.net (62.115.165.90) 0.453 ms
5 chi-b23-link.telia.net (62.115.113.173) 7.864 ms 7.889 ms 7.850 ms
6 hetzner-ic-340780-nug-b1.c.telia.net (213.248.70.1) 118.777 ms 118.762 ms 118.776 ms
7 core24.fsn1.hetzner.com (213.239.252.234) 121.918 ms * *
8 ex9k1.dc6.fsn1.hetzner.com (213.239.229.94) 121.127 ms ex9k1.dc6.fsn1.hetzner.com (213.239.229.90) 121.127 ms 121.059 ms
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
root@condor1796 ~ #
이것은 iptables -L입니다.
root@newTralev ~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:8008 state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:8008 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:https state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:https state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:8181 state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:8181 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:http-alt state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:http-alt state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:http state NEW recent: UPDATE seconds: 2 hit_count: 50 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:http state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP tcp -- anywhere anywhere tcp dpt:8008 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP tcp -- anywhere anywhere tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP tcp -- anywhere anywhere tcp dpt:8181 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP tcp -- anywhere anywhere tcp dpt:http-alt flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
DROP tcp -- anywhere anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 20
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:8181
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:8008
ACCEPT tcp -- anywhere anywhere tcp dpt:12301
ACCEPT udp -- anywhere anywhere udp dpt:12301
ACCEPT tcp -- anywhere anywhere tcp dpt:52444
ACCEPT udp -- anywhere anywhere udp dpt:52444
ACCEPT tcp -- anywhere anywhere tcp dpt:33434
ACCEPT udp -- anywhere anywhere udp dpt:33434
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
그러나 hetzner는 포트 33434를 차단하지 않아야 하는데, 문제가 어디에 있는지 아는 사람이 있습니까?
아마도 내 iptables.config 파일에 있을까요?
내 iptables.rules는 다음과 같습니다.
#!/bin/bash
# ATTENTION: flush/delete all existing rules
iptables -F
################################################################
# set the default policy for each of the pre-defined chains
################################################################
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT
################################################################
#individual ports tcp
################################################################
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
#dkim on port 12301
iptables -A INPUT -p tcp --dport 12301 -j ACCEPT
iptables -A INPUT -p udp --dport 12301 -j ACCEPT
#port for mtr
iptables -A INPUT -p tcp --dport 52444 -j ACCEPT
iptables -A INPUT -p udp --dport 52444 -j ACCEPT
iptables -A INPUT -p tcp --dport 33434 -j ACCEPT
iptables -A INPUT -p udp --dport 33434 -j ACCEPT
#uncomment next line to enable AdminGUI on port 4848:
#iptables -A INPUT -p tcp --dport 4848 -j ACCEPT
#limit number of connections
iptables -t filter -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8080 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8181 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -t filter -I INPUT -p tcp --syn --dport 8008 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8080 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8080 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8181 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8181 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 8008 -m state --state NEW -m recent --update --seconds 2 --hitcount 50 -j DROP
################################################################
#slow down the amount of ssh connections by the same ip address:
#wait 60 seconds if 3 times failed to connect
################################################################
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 --rttl -j DROP
#drop everything else
iptables -A INPUT -j DROP
################################################################
#Redirection Rules
################################################################
#1. redirection rules (allowing forwarding from localhost)
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8181
#2. redirection http
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
#3. redirection https
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
################################################################
#save the rules somewhere and make sure
#our rules get loaded if the ubuntu server is restarted
################################################################
iptables-save > /etc/my-iptables.rules
iptables-restore < /etc/my-iptables.rules
#List Rules to see what we have now
iptables -L
감사합니다!
답변1
- 이상한 네트워크 문제가 있는 경우 tcpdump를 실행하세요. iptables 전에 패킷을 캡처합니다.
- 기본적으로 Traceroute는
33434다음 프로브마다 1씩 증가하는 시작 포트 번호가 있는 UDP 프로브를 사용했습니다. 귀하의 호스트가 첫 번째가 아니기 때문에 다음 포트 번호를 허용해야 합니다. 예를 들어 32입니다. 따라서 Traceroute에 대한 규칙은 다음과 같아야 합니다.
iptables -t filter -I INPUT -p udp --dport 33434:33468 -j ACCEPT
- 또한 들어오는 ICMP 패킷을 허용해야 한다고 생각합니다. ICMP 프로브 모드의 추적 경로를 제외하고 PMTUD(Path MTU Discovery)에는 ICMP가 필요하므로 완전히 차단하는 것은 좋은 생각이 아닙니다.