SSH를 통해 연결된 원격 시스템에서 루프백을 ping하려고 하는데 아무런 응답도 받지 못합니다.
$ ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
^C
--- localhost ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 100ms
다음에서는 무엇이 잘못되었는지 알아보기 위해 몇 가지 진단 프로그램을 실행했지만, 훈련받지 않은 내 눈에는 모든 것이 정상으로 보입니다.
$ cat /etc/hosts
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
# /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 <name_of_device>
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
$ ifconfig lo
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 52 bytes 4188 (4.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 52 bytes 4188 (4.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
$ sysctl net.ipv4.icmp_echo_ignore_all
net.ipv4.icmp_echo_ignore_all = 0
$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 67.207.67.2
nameserver 67.207.67.3
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ uname -a
Linux <name_of_device> 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
$ cat /etc/nftables.conf
# /usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
# Always allow SSH access
tcp dport 22 accept
ct state established,related log prefix "DROPPING PACKET: " drop
ip saddr 192.0.2.192/27 accept
ip saddr 192.0.2.96/27 accept
ip saddr 192.0.2.0/24 drop
ip saddr 198.51.100.69/32 accept
ip saddr 198.51.100.42/32 log prefix "DROPPING PACKET: " drop
ip saddr 198.51.100.32/28 accept
ip saddr 199.51.100.0/24 tcp dport { 80, 443 } accept
ip saddr 199.51.100.0/24 drop
ip saddr 203.0.113.0/24 tcp dport { 22, 443, 5432 } log prefix "INVALID TRAFFIC NETWORK: " drop
ip saddr 203.0.113.0/24 tcp dport 80 accept
}
}
게다가 이 컴퓨터는 인터넷의 어떤 것도 핑(ping)하지 못합니다.
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 55ms
그리고 외부에서는 ping도 불가능합니다.
$ ping 138.68.93.123
PING 138.68.93.123 (138.68.93.123) 56(84) bytes of data.
64 bytes from 138.68.93.123: icmp_seq=1 ttl=52 time=7.75 ms
^C
--- 138.68.93.123 ping statistics ---
5 packets transmitted, 1 received, 80% packet loss, time 4050ms
rtt min/avg/max/mdev = 7.746/7.746/7.746/0.000 ms
이 시점에서 나는 아이디어가 부족했습니다. 어떤 도움이라도 대단히 감사하겠습니다!
답변1
이유가 있습니다. ct state [....] 규칙은 들어오는 패킷이 localhost 인터페이스에 대한 핑과 관련되어 있더라도 모든 패킷을 삭제합니다. 해당 규칙을 재고해야 합니다... 적어도 루프백 인터페이스에서 트래픽을 허용해야 합니다...