How can I debug why a server has stopped responding to ping?


A few months ago, a system administrator disabled ping responses on one of our servers. Now, however, we want to re-enable ping responses.

I checked whether ping is disabled in the configuration. The value is set to 0.

root@dumpty:/mnt/NAS# cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
0
root@dumpty:/mnt/NAS# cat /proc/sys/net/ipv4/icmp_echo_ignore_all 
0

This is sysctl.conf:

root@dumpty:/mnt/NAS# cat /etc/sysctl.conf | grep icmp
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_all = 0

Ping still does not work. I know the server is able to receive the pings because I can see the requests in tcpdump, but I cannot see any outgoing responses. For example:

tcpdump capture of the ping:

root@dumpty:/mnt/NAS# tcpdump -nni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:39:45.260686 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 1, length 64
18:39:46.259975 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 2, length 64
18:39:47.260289 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 3, length 64
18:39:48.259971 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 4, length 64
18:39:49.261652 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 5, length 64
18:39:50.261956 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 6, length 64
18:39:51.260058 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 7, length 64
18:39:52.260309 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 8, length 64
^C
8 packets captured
13 packets received by filter
0 packets dropped by kernel

I might be wrong, but this is a command I found online that should capture incoming packets.

root@dumpty:/mnt/NAS# tcpdump -nni eth0 -e icmp[icmptype] == 8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:48.260108 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 64, length 64
18:40:49.260064 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 65, length 64
18:40:50.260119 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 66, length 64
18:40:51.260092 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 67, length 64
18:40:52.260285 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 68, length 64
18:40:53.260465 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 69, length 64
18:40:54.262405 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 70, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

This is what is going on:

root@dumpty:/mnt/NAS# tcpdump -nni eth0 -e icmp[icmptype] == 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

I do not see any outgoing packets. I also checked iptables to see whether there is a rule blocking icmp.

root@dumpty:/mnt/NAS# sudo iptables -L INPUT | grep reject
REJECT     tcp  --  anywhere             anywhere             tcp dpt:9200 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:httpflags: FIN,SYN,RST,ACK/SYN #conn src/32 > 15 reject-with tcp-reset
root@dumpty:/mnt/NAS# sudo iptables -L INPUT | grep icmp
REJECT     tcp  --  anywhere             anywhere             tcp dpt:9200 reject-with icmp-port-unreachable
root@dumpty:/mnt/NAS# sudo iptables -L INPUT | grep drop
root@dumpty:/mnt/NAS# 

There is a reject on port 9200, but I don't think that should block all ports? What else could be blocking the ping replies? Is there any other configuration that I have missed?

I am doing my best to debug this. Any help would be greatly appreciated.

Note: I edited the console output and replaced the server IP with SEVERIP.

Edit:

Adding the iptables OUTPUT chain

root@dumpty:/mnt/NAS# sudo iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Edit 2:

root@dumpty:/mnt/NAS# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@dumpty:/mnt/NAS# iptables -t raw -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@dumpty:/mnt/NAS# iptables -t mangle -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
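
Added example, not part of the original post: a shell filter over `iptables -S` output that lists every filter-table rule able to discard an inbound ICMP echo request, including rules with no protocol match and upper-case DROP targets, which a case-sensitive `grep drop` on the listing does not match. The function names and the sample rule set are constructed for illustration; only the port 9200 REJECT rule is modelled on the listing above.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `iptables -S` output on
# stdin and prints the rules that can discard an inbound ICMP echo request.
icmp_blockers() {
    awk '
    # Chain policy, e.g. "-P INPUT DROP": applies when no rule matched.
    $1 == "-P" && ($2 == "INPUT" || $2 == "OUTPUT") && $3 != "ACCEPT" {
        print "policy: " $0; next
    }
    $1 == "-A" {
        proto = ""; target = ""; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") { proto = $(i + 1); neg = ($(i - 1) == "!") }
            if ($i == "-j") target = $(i + 1)
        }
        # Only targets that discard the packet are reported.
        if (target != "DROP" && target != "REJECT") next
        icmp = (proto == "icmp" || proto == "1")
        # No -p means every protocol; a negated non-ICMP match covers ICMP too.
        if (proto == "" || proto == "all" || (icmp && !neg) || (!icmp && neg))
            print "rule: " $0
    }'
}

# Constructed sample rule set in `iptables -S` format (192.0.2.0/24 is a
# documentation range, not an address from the post).
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 9200 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
EOF
}

# Offline demonstration; on a live host run as root: iptables -S | icmp_blockers
sample_rules | icmp_blockers
```

A rule reported here is only a candidate: its remaining matches, such as `-s` or `--icmp-type`, still decide whether it applies to a given ping.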
