네트워크가 두 개 있습니다.
192.168.0.0/24 which is my home network
10.2.0.0/24 which is the second network dedicated to vm's
방화벽이 없으면 아무 문제 없이 모든 네트워크에 ping을 보낼 수 있습니다.
클라이언트 시스템은 Slackware 14.2, ip 192.168.0.2 서버는 OmniOS, ip 10.2.0.1(bge1) 및 192.168.0.30(bge0)입니다.
/etc/rc.d/rc.firewall stop
ping 10.2.0.1
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.30: icmp_seq=1 ttl=255 time=4.34 ms
64 bytes from 192.168.0.30: icmp_seq=2 ttl=255 time=4.81 ms
가상 머신이 인터넷에 액세스하는 데 네트워크 10.2.0.0/24가 이미 허용되어 있으므로 192.168.0.30으로 응답합니다.
방화벽이 활성화되어 있습니다.
/etc/rc.d/rc.firewall start
ping 10.2.0.1
대답이 없습니다. 시스템 로그에 따르면...
Apr 8 12:03:58 slack64 kernel: [22092.913008] IN=bridge0 OUT= MAC=************* SRC=192.168.0.30 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=31255 DF PROTO=ICMP TYPE=0 CODE=0 ID=12441 SEQ=5
Apr 8 12:03:59 slack64 kernel: [22093.935986] IN=bridge0 OUT= MAC=************* SRC=192.168.0.30 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=31256 DF PROTO=ICMP TYPE=0 CODE=0 ID=12441 SEQ=6
내 방화벽은 이 스크립트입니다.
#!/bin/sh
# A simple script firewall
set -e
# We need this for redirection
echo 1 > /proc/sys/net/ipv4/ip_forward
firewall_start() {
# Clean first
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -t raw -F
iptables -t raw -X
iptables -t raw -Z
# Default policy
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# firewall rules INPUT
iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Bacula
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 9102:9104 -j ACCEPT
# Ssh
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Icmp
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -s 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Log on syslog
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
# Final input rules
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}
firewall_stop() {
# Clean
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -t raw -F
iptables -t raw -X
iptables -t raw -Z
}
firewall_restart() {
firewall_stop
firewall_start
}
case "$1" in
'start')
firewall_start
;;
'stop')
firewall_stop
;;
'restart')
firewall_restart
;;
*)
echo "usage $0 start|stop|restart"
esac
이것은 서버의 ipf.conf입니다.
# block and quick everything by default but pass on lo0
block in log on bge0 all
pass in quick on lo0 all
# These rules will allow connections initiated from
# this host along with the return connection
pass out quick proto icmp all keep state
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
# Allow SecureShell incoming connections on 2122 port
pass in quick proto tcp from any to any port = 2122 flags S keep state keep frags
# Allow SecureShell incoming connections on 22 port
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
# Allow Secure stunnel telnet incoming connections on 5860 port
pass in quick proto tcp from any to any port = 5860 flags S keep state keep frags
# Allow nfs 3 4
pass in quick proto tcp from 192.168.0.0/24 to any port = 2049 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 2049 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 4001 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 4001 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 111 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 111 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 48472 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 48472 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 8932 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 8932 keep state
#Allow PING
pass in quick proto icmp from any to any keep state
# Samba
pass in quick proto udp from 192.168.0.0/24 to any port = 137 keep state
pass in quick proto udp from 192.168.0.0/24 to any port = 138 keep state
pass in quick proto udp from 192.168.0.0/24 to any port = 139 keep state
pass in quick proto udp from 192.168.0.0/24 to any port = 445 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 137 flags S keep state keep frags
pass in quick proto tcp from 192.168.0.0/24 to any port = 138 flags S keep state keep frags
pass in quick proto tcp from 192.168.0.0/24 to any port = 139 flags S keep state keep frags
pass in quick proto tcp from 192.168.0.0/24 to any port = 445 flags S keep state keep frags
# Dns
pass in quick proto udp from 192.168.0.0/24 to any port = 53 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 53 flags S keep state keep frags
핑을 활성화하려면 어떻게 해야 합니까?
답변1
다른 포럼의 다른 사용자가 문제를 발견했습니다. 방화벽이 잘못 구성되었습니다. 이 스크립트를 사용하면 모든 것이 잘 작동합니다.
#!/bin/sh
#a simple script firewall
# We need this for redirection
echo 1 > /proc/sys/net/ipv4/ip_forward
firewall_start() {
# Clean
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
# firewall rules INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# X11
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 6000 -j ACCEPT
# Vdr
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 2000 -j ACCEPT
# Samba
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 445 -j ACCEPT
# Mail
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT
# Print
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 515 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 515 -j ACCEPT
# Nfs
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 662 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 662 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 4001 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 4001 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 32768 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 32768 -j ACCEPT
# Ssh
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 2122 -j ACCEPT
# Ftp
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 2121 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 60000:65535 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 60000:65535 -j ACCEPT
# Secure telnet
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 5859 -j ACCEPT
# Ktorrent
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 54233:54234 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 54233:54234 -j ACCEPT
# Firewall rules NAT/OUTPUT
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 21 -j REDIRECT --to-port 2121
iptables -t nat -A OUTPUT -s 192.168.0.0/24 -p tcp -o lo --dport 21 -j REDIRECT --to-port 2121
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 22 -j REDIRECT --to-ports 2122
iptables -t nat -A OUTPUT -s 192.168.0.0/24 -p tcp -o lo --dport 22 -j REDIRECT --to-ports 2122
# Icmp
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# Log
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG
#Final rules
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}
firewall_stop() {
# Clean
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
}
firewall_restart() {
firewall_stop
firewall_start
}
case "$1" in
'start')
firewall_start
;;
'stop')
firewall_stop
;;
'restart')
firewall_restart
;;
*)
echo "usage $0 start|stop|restart"
esac