ping: unknown host with iptables enabled

1

I can't ping www.google.com. However, I can ping the IP address:

ping 74.125.237.142

At first I thought it was a problem with my DNS settings. But I checked my resolv.conf, hosts and hostname carefully. They are all correct.

When I flush all the firewall rules using:

iptables -F

then ping www.google.com works.

So the problem must still be in the firewall or NAT settings.

Can anyone offer some ideas? How should I set the iptables rules?

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  1476 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   34  6030 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  6030 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  6030 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 2694 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   82  9498 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  A      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public  all  --  p2p1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      A       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public  all  --  *      p2p1    0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_external (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_public  all  --  A      *       0.0.0.0/0            0.0.0.0/0           
   16  3011 IN_public  all  --  p2p1   *       0.0.0.0/0            0.0.0.0/0           
   18  3019 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_dmz (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_dmz_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_dmz_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_dmz_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_dmz_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_dmz_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_dmz_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_external (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_home (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_home_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_home_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_home_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_home_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW

Chain IN_home_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_home_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_internal (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_internal_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138 ctstate NEW

Chain IN_internal_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_internal_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   34  6030 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  6030 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  6030 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
   34  6030 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_work (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_work_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_work_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_work_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_work_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW

Chain IN_work_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_work_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination 
by vvilp 29.09.2014 / 05:17

2 answers

1

I don't see a rule allowing UDP port 53. Without UDP port 53 you don't get DNS, so it's no surprise that name resolution fails.

You need to add a rule allowing inbound UDP traffic from port 53, at least from your ISP's DNS server(s). Something like

iptables -A INPUT -p udp --sport 53 -j ACCEPT

possibly with additional restrictions, possibly in a different rule (I don't understand how your firewall is organized). Since your firewall rules look auto-generated, you will probably want to change the settings of the firewall configuration tool rather than calling iptables directly.

by 30.09.2014 / 01:41
0

Adding to the previous answer, try adding a rule that allows UDP traffic as in the previous answer, and the TCP connection like this:

# iptables -A INPUT -p tcp --sport 53 -j ACCEPT

The TCP connection is used when the size of the response data exceeds 512 bytes, which is normal.

by 30.09.2014 / 05:50
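As an added example (not from the question or either answer), a small Python script that parses the `iptables -L -v -n` format shown in the question and walks the INPUT chain first-match style for a UDP reply from port 53 arriving on p2p1. It shows two things worth checking before applying the rule from either answer: the existing `ctstate RELATED,ESTABLISHED` rule already admits replies to queries that conntrack tracked, and a rule added with `-A` is appended after the final REJECT and is never reached in this chain, whereas `-I` puts it first. The sample dump, the interface name p2p1 and the rendering of the new rule are taken from or modelled on the output above; only the matchers that appear in that dump are modelled.

```python
import re
# Constructed: the question's INPUT chain minus its sub-chain jumps (none match a DNS reply).
DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13  1476 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
# How `-p udp --sport 53 -j ACCEPT` renders in `iptables -L -v -n` (constructed).
RULE53 = "Chain INPUT (x)\n    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53"
def parse_rules(dump, chain="INPUT"):
    """Rules of one chain from `iptables -L -v -n` output, in chain order."""
    rules, inside = [], False
    for line in dump.splitlines():
        cols = line.split()
        if line.startswith("Chain "):
            inside = cols[1] == chain
        elif inside and len(cols) >= 9 and cols[0] != "pkts":
            rules.append({"target": cols[2], "prot": cols[3], "in": cols[5],
                          "extra": " ".join(cols[9:])})
    return rules

def first_match(rules, pkt):
    """Top-down walk; returns (index, verdict). Models only the matchers in this
    dump: protocol, input interface, ctstate RELATED,ESTABLISHED and udp spt:N."""
    for i, r in enumerate(rules):
        if r["prot"] not in ("all", pkt["prot"]) or r["in"] not in ("*", pkt["in"]):
            continue
        if "ctstate" in r["extra"] and not pkt["tracked"]:
            continue  # conntrack never saw the outgoing query, so no ESTABLISHED match
        m = re.search(r"spt:(\d+)", r["extra"])
        if m and int(m.group(1)) != pkt["sport"]:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return i, r["target"]
    return len(rules), "policy"  # fell off the end: the chain policy decides

# A DNS answer arriving on p2p1 from the resolver's port 53; tracked = conntrack saw the query.
REPLY = {"prot": "udp", "sport": 53, "in": "p2p1", "tracked": True}
UNTRACKED = dict(REPLY, tracked=False)

def compare():
    """Verdicts for the dump as-is, then with the answer's rule appended (-A) or inserted (-I)."""
    base, new = parse_rules(DUMP), parse_rules(RULE53)
    return {"tracked": first_match(base, REPLY),
            "untracked": first_match(base, UNTRACKED),
            "append": first_match(base + new, UNTRACKED),  # iptables -A INPUT ...
            "insert": first_match(new + base, UNTRACKED)}  # iptables -I INPUT ...
```

Running `compare()` on the sample gives rule 0 ACCEPT for a tracked reply, rule 3 REJECT for an untracked one both before and after the `-A` version of the rule, and rule 0 ACCEPT only once the rule is inserted with `-I`.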