Iptables and deny problem


I configured iptables with FWBuilder, and for some reason there is a rule that is constantly dropping packets, and I don't know why, because all the IP addresses from 10.208.xx (first server) and 10.210.xx (this is a second server) are allowed, and so is the port I need to use, "3306":

This is the message I get in syslog:

RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.x.x DST=10.210.x.x LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=23943 DF PROTO=TCP SPT=48850 DPT=3306 WINDOW=237 RES=0x00 ACK PSH FIN URGP=0

However, as you can see, the IP and the port are working fine:

root@xxx:~# telnet 10.210.x.x 3306 (from first and second server)
Trying 10.210.x.x...
Connected to 10.210.x.x.

root@xxx:~# ping 10.210.x.x
PING 10.210.x.x (10.210.x.x) 56(84) bytes of data.
64 bytes from 10.210.x.x: icmp_seq=1 ttl=61 time=0.443 ms
64 bytes from 10.210.x.x: icmp_seq=2 ttl=61 time=0.392 ms
64 bytes from 10.210.x.x: icmp_seq=3 ttl=61 time=0.445 ms
64 bytes from 10.210.x.x: icmp_seq=4 ttl=61 time=0.454 ms

Linux version:

::::::::::::::
/etc/lsb-release
::::::::::::::
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
::::::::::::::
/etc/os-release
::::::::::::::
NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Could someone give me a hand with this? I think it could be something misconfigured, or maybe there is a bug.

root@*:~# sudo iptables -v -x -n -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
437254327 92783258843 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 In_RULE_0  all  --  eth0   *       10.208.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       67.192.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       192.168.33.172       0.0.0.0/0           
   56849  3410940 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
  250823 15126338 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       67.192.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.172       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.40.*.*            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.99.*.*           0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.176.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.178.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.179.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.181.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.182.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.183.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.208.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*          0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.209.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.210.*.*          0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.210.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       10.223.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       23.253.*.*       0.0.0.0/0            state NEW
       7     3767 ACCEPT     all  --  eth0   *       50.56.*.*         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
   81855  4256460 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
   53187  2765724 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       50.56.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.130.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       104.239.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       108.171.*.*      0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       108.171.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       136.243.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       148.251.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       166.78.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       166.78.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       174.143.*.*       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       179.27.*.*/29      0.0.0.0/0            state NEW
    1088    47984 ACCEPT     all  --  eth0   *       190.64.*.*/29    0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       190.64.*.*/29     0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.1         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.2         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.3         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.4         0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.19        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.24        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.41        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.42        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.50        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.55        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.101       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.102       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.103       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.106       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.107       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.108       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.121       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.161       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.163       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.164       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.165       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.166       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.167       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.168       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.169       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.170       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.171       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.173       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.174       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.175       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.176       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.181       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.182       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.200       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.201       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.219       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.220       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.246       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.168.33.247       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       192.237.218.99       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.222.83       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.251.56       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       198.101.251.97       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  eth0   *       200.57.*.*/28     0.0.0.0/0            state NEW
   11992   719520 ACCEPT     all  --  eth0   *       200.57.*.*/28    0.0.0.0/0            state NEW
      10      600 ACCEPT     all  --  eth0   *       201.131.*.*/24       0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       10.208.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       67.192.*.*        0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      *       192.168.33.172       0.0.0.0/0            state NEW
     779    44456 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
   90410  8134061 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 255
    3620   267644 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 In_RULE_0  all  --  eth0   *       10.208.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       67.192.*.*        0.0.0.0/0           
       0        0 In_RULE_0  all  --  eth0   *       192.168.33.172       0.0.0.0/0           
       0        0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 255
       0        0 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
487779276 80687509431 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   56849  3410940 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            10.208.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            67.192.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth1    0.0.0.0/0            192.168.33.172       state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            10.208.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            67.192.*.*        state NEW
       0        0 ACCEPT     all  --  *      eth2    0.0.0.0/0            192.168.33.172       state NEW
       0        0 Cid30714X20128.0  all  --  *      eth0    10.208.*.*        0.0.0.0/0            state NEW
 2928645 175735100 Cid30714X20128.0  all  --  *      eth0    67.192.*.*        0.0.0.0/0            state NEW
       0        0 Cid30714X20128.0  all  --  *      eth0    192.168.33.172       0.0.0.0/0            state NEW
58835947 3530679635 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
   21733  1117948 RULE_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Cid30714X20128.0 (3 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            10.208.*.*       
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            67.192.*.*       
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.33.172      

Chain In_RULE_0 (6 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 0 --fwb-- DENY "
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain RULE_7 (3 references)
    pkts      bytes target     prot opt in     out     source               destination         
   25353  1385592 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 7 -- DENY "
   25353  1385592 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

by pablo 09.01.2016 / 01:10

1 answer


Your rule 7 hits are not really a problem. For TCP connections, Linux tends to use a "half-duplex" close sequence where each side of the session can initiate the close via a 2-way FIN-ACK handshake (which puts the connection in the CLOSE_WAIT state), instead of a full 4-way FIN-ACK handshake. The single rule 7 hit you posted is probably a leftover FIN packet from after the connection had already been closed and forgotten, so it did not traverse your RELATED,ESTABLISHED rule and ended up at rule 7.


by Doug Smythies 13.01.2016 / 06:42
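The answer's explanation turns the question into a triage problem: are the RULE_7 drops stray segments from connections conntrack has already forgotten (harmless), or refused connection attempts (a real policy gap)? The script below, an added example that is not code from either poster or from FWBuilder, parses the key=value fields that the iptables LOG target writes, decodes the TCP flag tokens, and sorts each logged drop into those buckets. It assumes the two FWBuilder log prefixes visible in the rule listing ("RULE 7 -- DENY " and "RULE 0 --fwb-- DENY "); the first sample line is the one from the question, the remaining sample lines and their addresses are constructed for the demo.

```python
"""Triage iptables LOG lines: stray post-close TCP segments vs refused SYNs.

Buckets:
  post-close  - TCP segment with no SYN (ACK/FIN/RST, maybe PSH). Conntrack no
                longer has the flow, so it missed RELATED,ESTABLISHED and fell
                through to the final LOG/DROP rule. Noise, as the answer says.
  new-connect - bare SYN: a genuine connection attempt that was refused.
                Only these indicate a missing ACCEPT rule.
  other       - non-TCP traffic or anything fitting neither pattern.
"""
import re
from collections import Counter

# Bare tokens the LOG target emits for TCP flags; everything else is key=value
# except IP-level tokens such as DF, which are recorded as True.
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Matches both FWBuilder prefixes seen in the listing: "RULE 7 -- DENY" and
# "RULE 0 --fwb-- DENY". Real syslog lines carry a timestamp and "kernel:"
# in front, which search() skips over.
LINE_RE = re.compile(r"(?P<prefix>RULE \d+ --(?:fwb--)? DENY)\s+(?P<rest>.*)")


def parse_log_line(line):
    """Return (prefix, fields, flags) for one LOG line, or None if it is not
    one of the FWBuilder DENY log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "IN=" yields an empty value
            fields[key] = value
        elif tok in TCP_FLAG_TOKENS:
            flags.add(tok)
        else:
            fields[tok] = True               # DF, MF and similar bare tokens
    return m.group("prefix"), fields, flags


def classify(fields, flags):
    """Bucket a dropped packet by what its TCP flags say about flow state."""
    if fields.get("PROTO") != "TCP":
        return "other"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connect"
    if "SYN" not in flags and flags & {"ACK", "FIN", "RST"}:
        return "post-close"
    return "other"


def triage(lines):
    """Classify every recognised log line. Returns (counts_by_bucket,
    refused) where refused counts (SRC, DST, DPT) for new-connect drops only,
    i.e. the clients that would actually notice the firewall."""
    counts, refused = Counter(), Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        _, fields, flags = parsed
        bucket = classify(fields, flags)
        counts[bucket] += 1
        if bucket == "new-connect":
            refused[(fields.get("SRC"), fields.get("DST"), fields.get("DPT"))] += 1
    return counts, refused


# Constructed sample: line 1 is the question's own log line (masked as posted);
# lines 2-4 are made up for this example using documentation/private addresses.
SAMPLE_LOG = [
    "RULE 7 -- DENY IN= OUT=eth1 SRC=10.208.x.x DST=10.210.x.x LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=23943 DF PROTO=TCP SPT=48850 DPT=3306 WINDOW=237 RES=0x00 ACK PSH FIN URGP=0",
    "RULE 7 -- DENY IN=eth0 OUT= SRC=203.0.113.7 DST=10.208.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0",
    "RULE 0 --fwb-- DENY IN=eth0 OUT= SRC=10.210.0.20 DST=10.208.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=3306 DPT=48850 WINDOW=0 RES=0x00 RST URGP=0",
    "RULE 7 -- DENY IN=eth0 OUT= SRC=198.51.100.9 DST=10.208.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=ICMP TYPE=8 CODE=0 SEQ=1",
]

if __name__ == "__main__":
    counts, refused = triage(SAMPLE_LOG)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:12s} {n}")
    for (src, dst, dport), n in refused.items():
        print(f"refused new connection: {src} -> {dst}:{dport} x{n}")
```

Run it over the real syslog with `grep 'DENY' /var/log/syslog` piped in, or point `triage()` at the file's lines. If the "post-close" bucket is the only one that grows, the drops are the leftover FIN/ACK/RST segments the answer describes and no ACCEPT rule is missing; a common way to stop them filling the log is a silent drop for TCP packets that are `NEW` to conntrack but carry no SYN (`-p tcp ! --syn -m state --state NEW -j DROP`) placed ahead of the logging rule in the affected chain (here OUTPUT, since the logged packet has `OUT=eth1`). If "new-connect" entries appear for 10.208.*/10.210.* on DPT=3306, that is the case where the ruleset really does need fixing.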