www.google.com을 핑할 수 없습니다. 하지만 IP 주소를 ping할 수는 있습니다.
ping 74.125.237.142
처음에는 DNS 설정에 문제가 있는 줄 알았습니다. 하지만 내 resolv.conf, hosts, 을 다시 확인했습니다 hostname. 둘 다 맞습니다.
다음을 사용하여 모든 방화벽 규칙을 지울 때:
iptables -F
그럼 ping www.google.com일해
따라서 문제는 여전히 방화벽이나 NAT 설정에 있습니다.
누구든지 아이디어를 제공할 수 있나요? 규칙은 어떻게 만드나요 iptables?
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13 1476 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 80 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
34 6030 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
34 6030 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
34 6030 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 17 packets, 2694 bytes)
pkts bytes target prot opt in out source destination
82 9498 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- A * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public all -- p2p1 * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * A 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public all -- * p2p1 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_external (0 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_external_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_external_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_external_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_external_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_external_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_external_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_public all -- A * 0.0.0.0/0 0.0.0.0/0
16 3011 IN_public all -- p2p1 * 0.0.0.0/0 0.0.0.0/0
18 3019 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_dmz (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_dmz_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_dmz_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_dmz_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_dmz_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_dmz_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_dmz_log (1 references)
pkts bytes target prot opt in out source destination
Chain IN_external (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_external_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_external_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_external_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_external_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_external_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_external_log (1 references)
pkts bytes target prot opt in out source destination
Chain IN_home (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_home_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_home_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_home_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_home_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW
Chain IN_home_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_home_log (1 references)
pkts bytes target prot opt in out source destination
Chain IN_internal (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_internal_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_internal_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_internal_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW
Chain IN_internal_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_internal_log (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (3 references)
pkts bytes target prot opt in out source destination
34 6030 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
34 6030 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
34 6030 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
34 6030 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain IN_work (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_work_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_work_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_work_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_work_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ctstate NEW
Chain IN_work_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_work_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
답변1
UDP 포트 53을 허용하는 규칙이 없습니다. UDP 포트 53이 없으면 DNS를 얻을 수 없으므로 이름 확인이 실패하는 것은 놀라운 일이 아닙니다.
포트 53(적어도 인터넷 액세스 공급자의 DNS 서버)에서 들어오는 UDP 트래픽을 허용하는 규칙을 추가해야 합니다. 그것은 마치
iptables -A INPUT -p udp --sport 53 -j ACCEPT
다른 규칙에 추가 제한 사항이 있을 수 있습니다(방화벽 구성을 이해할 수 없습니다). 방화벽 규칙은 자동으로 생성된 것으로 나타나므로 방화벽 구성 도구를 직접 호출하는 대신 방화벽 구성 도구의 설정을 변경하는 것이 좋습니다 iptables.
답변2
이전 답변을 보완하여 다음과 같이 이전 답변과 같이 UDP 트래픽 및 TCP 연결을 허용하는 규칙을 추가해 보세요.
# iptables -A INPUT -p tcp --sport 53 -j ACCEPT
이는 응답 데이터 크기가 512바이트를 초과할 때 TCP 연결을 사용하는 경우 정상적인 현상입니다.