No matter how I configure iptables, the other side always gets through; what on earth is going on?
aerocat
2010-11-03, 09:31 PM
Linux iptables configuration problem - my skills are insufficient, requesting help


Environment:
CentOS 4.3 (= RedHat Enterprise Server)
Network card: one card, eth0, configured with two IPs (eth0, eth0:1)
ADSL: pppoe connection, ppp0

There is one IP that keeps hammering my web server, driving the MySQL load so high that it almost dies.
This has been going on for half a year; it used to paralyze the server for 30 minutes every morning at 9:00, but lately it goes on all day.
I originally set DENY for the IP in the web server config, which had no effect,
so I had no choice but to turn on the firewall (iptables v1.2.11). This is the first time I have configured it.
I tested both iptables and httpd.conf by blocking my own IP, and both worked fine,
but they just cannot block the other side's IP. What on earth is going on?

====== iptables config =====

# Generated by iptables-save v1.2.11 on Mon Nov 1 20:46:36 2010
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -s 68.233.225.8 -i ppp0 -j DROP
-A INPUT -s 68.233.225.8 -i ppp0 -j DROP # the other side's IP
-A INPUT -s 68.233.225.8 -i eth0 -j DROP
-A INPUT -p tcp -m tcp -s input1.jaxified.com -i ppp0 -j REJECT
-A OUTPUT -d input1.jaxified.com -j DROP
-A INPUT -s 68.233.225.8 -j DROP
-A INPUT -p tcp -m tcp -s 122.111.22.11 -i ppp0 --dport 80 -j DROP # this is my own IP
COMMIT
# Completed on Mon Nov 1 20:46:36 2010
# Generated by iptables-save v1.2.11 on Mon Nov 1 20:46:36 2010
*mangle
:PREROUTING ACCEPT [13:600]
:INPUT ACCEPT [26:1216]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:156]
:POSTROUTING ACCEPT [2:104]
COMMIT
# Completed on Mon Nov 1 20:46:36 2010
# Generated by iptables-save v1.2.11 on Mon Nov 1 20:46:36 2010
*nat
:PREROUTING ACCEPT [1:60]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Nov 1 20:46:36 2010

==================
[root@linux ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 68.233.225.8 0.0.0.0/0 tcp
DROP all -- 68.233.225.8 0.0.0.0/0
DROP all -- 68.233.225.8 0.0.0.0/0
REJECT tcp -- 68.233.225.8 0.0.0.0/0 tcp reject-with icmp-port-unreachable
DROP all -- 68.233.225.8 0.0.0.0/0
DROP tcp -- 122.111.22.11 0.0.0.0/0 tcp dpt:80

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 68.233.225.8
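Before rewriting the rules, it is worth checking whether the existing DROP rules are matching anything at all. `iptables -L -n` (as shown above) hides the per-rule packet counters; `iptables -nvL INPUT` (add `-x` for exact numbers) prints them. The script below is an added example, not something from this thread: it parses that counter output and reports whether a single packet from the blocked address has ever hit a DROP/REJECT rule. The sample output embedded in it is constructed to mirror the ruleset above, with every rule for 68.233.225.8 at zero while the chain policy has accepted plenty of traffic, which is exactly the situation where the web server keeps getting hit although the rules "look right".

```shell
#!/bin/sh
# Added example, not from the thread: read the per-rule packet counters that
# `iptables -nvxL INPUT` prints and report whether any DROP/REJECT rule for a
# given source address has matched anything. A counter that stays at zero
# while the web server is still being hammered means the traffic is not
# reaching the firewall from that address the way the rules expect.

# rule_hits IP [TEXT]: total packets matched by DROP/REJECT rules in INPUT
# whose source column equals IP. TEXT is the output of `iptables -nvxL INPUT`
# (-x prints exact counts instead of 12K-style suffixes); when TEXT is not
# given the live table is read, which needs root.
rule_hits() {
    ip=$1
    if [ $# -ge 2 ]; then
        text=$2
    else
        text=$(iptables -nvxL INPUT)
    fi
    # columns: pkts bytes target prot opt in out source destination ...
    printf '%s\n' "$text" | awk -v ip="$ip" '
        $3 ~ /^(DROP|REJECT)$/ && $8 == ip { total += $1 }
        END { print total + 0 }'
}

# policy_pkts [TEXT]: packets handled by the INPUT chain policy, i.e.
# traffic that matched no rule at all.
policy_pkts() {
    if [ $# -ge 1 ]; then text=$1; else text=$(iptables -nvxL INPUT); fi
    printf '%s\n' "$text" | awk 'NR == 1 && /policy/ {
        sub(/^.*policy [A-Z]+ /, ""); print $1 + 0; exit }'
}

# block_effective IP [TEXT]: succeed (exit 0) only if at least one packet
# from IP has been dropped or rejected.
block_effective() {
    [ "$(rule_hits "$@")" -gt 0 ]
}

# Constructed sample in the layout of `iptables -nvxL INPUT`, modelled on the
# ruleset posted above (the hostname rule shows up as its resolved address).
SAMPLE='Chain INPUT (policy ACCEPT 1523 packets, 98231 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       tcp  --  ppp0   *       68.233.225.8         0.0.0.0/0
       0          0 DROP       all  --  ppp0   *       68.233.225.8         0.0.0.0/0
       0          0 DROP       all  --  eth0   *       68.233.225.8         0.0.0.0/0
       0          0 REJECT     tcp  --  ppp0   *       68.233.225.8         0.0.0.0/0            reject-with icmp-port-unreachable
       0          0 DROP       all  --  *      *       68.233.225.8         0.0.0.0/0
      37       2220 DROP       tcp  --  ppp0   *       122.111.22.11        0.0.0.0/0            tcp dpt:80'

if block_effective 68.233.225.8 "$SAMPLE"; then
    echo "block is working: $(rule_hits 68.233.225.8 "$SAMPLE") packets dropped"
else
    echo "no packet from 68.233.225.8 matched any rule; $(policy_pkts "$SAMPLE") packets were accepted by the chain policy"
fi
```

Run it without the sample argument (`rule_hits 68.233.225.8`, as root) to read the live table. If the counters for the attacker's address stay at zero while the access log keeps filling, the requests are not arriving from that address as far as the kernel is concerned, and the next step is to look at the access log itself rather than at more firewall rules.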



bx2aa
2010-11-04, 12:29 AM
First change the policy to DROP,
add the addresses you want to block, then open ports 53, 80 and 3306.

iptables -F
iptables -X
# default policy: drop everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# block the attacker's address on the web and MySQL ports
iptables -A INPUT -s 68.233.225.8 -i ppp0 -p tcp --dport 80 -j DROP
iptables -A INPUT -s 68.233.225.8 -i ppp0 -p tcp --dport 3306 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 68.233.225.8 -o ppp0 -p tcp --sport 80 -j DROP
iptables -A OUTPUT -d 68.233.225.8 -o ppp0 -p tcp --sport 3306 -j DROP
# outbound DNS, plus replies from the web and MySQL services
iptables -A OUTPUT -o ppp0 -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --sport 3306 -j ACCEPT

If MySQL is on another machine, change it to:
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 68.233.225.8 -i ppp0 -p tcp --dport 80 -j DROP
iptables -A INPUT -s 68.233.225.8 -i ppp0 -p tcp --dport 3306 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 68.233.225.8 -o ppp0 -p tcp --sport 80 -j DROP
iptables -A OUTPUT -d 68.233.225.8 -o ppp0 -p tcp --sport 3306 -j DROP
iptables -A OUTPUT -o ppp0 -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --sport 80 -j ACCEPT
# outbound connections to the remote MySQL server
iptables -A OUTPUT -o ppp0 -p tcp --dport 3306 -j ACCEPT
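The same default-deny design, written as an added example (not bx2aa's list and not the original poster's configuration) that generates the ruleset in `iptables-restore` format so it can be reviewed as a file before it is loaded. Two details in it are deliberate choices worth knowing about: loopback traffic is accepted explicitly, because a DROP policy otherwise also blocks local clients talking to a local MySQL over 127.0.0.1, and the DROP for the blocked address is placed before the ESTABLISHED,RELATED accept, so that connections the attacker already has open are cut as well instead of being carried on by connection tracking. The blocked address, the WAN interface and both port lists are parameters; the values in the sample call at the bottom are taken from this thread plus port 22, which anyone managing the box over ssh must keep open or the DROP policy locks them out.

```shell
#!/bin/sh
# Added example, not from the thread: emit a default-deny iptables ruleset in
# iptables-restore format. Assumptions: the `state` match is available (it is
# on the iptables 1.2.11 / CentOS 4 combination discussed above) and the
# machine is administered over ssh, so 22 is kept in the inbound list.

# gen_ruleset BLOCKED_IP WAN_IF "IN_PORTS" "OUT_PORTS"
#   IN_PORTS:  TCP ports reachable from WAN_IF (services this box offers)
#   OUT_PORTS: TCP ports this box may open new connections to (25 for a mail
#              server, 3306 when MySQL lives on another host); DNS is always
#              allowed out
gen_ruleset() {
    blocked=$1
    wan=$2
    in_ports=$3
    out_ports=$4
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # loopback first: local clients and a local MySQL need 127.0.0.1
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    # blocked address BEFORE the state rule, so existing connections die too
    echo "-A INPUT -s $blocked -j DROP"
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $in_ports; do
        echo "-A INPUT -i $wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m state --state INVALID -j DROP'
    echo "-A OUTPUT -d $blocked -j DROP"
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A OUTPUT -o $wan -p udp --dport 53 -j ACCEPT"
    echo "-A OUTPUT -o $wan -p tcp --dport 53 -j ACCEPT"
    for p in $out_ports; do
        echo "-A OUTPUT -o $wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# drop_precedes_state RULESET: succeed only if, in INPUT, the DROP for the
# blocked address comes before the ESTABLISHED,RELATED ACCEPT.
drop_precedes_state() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -s [^ ]+ -j DROP$/ && !d { d = NR }
        /^-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT$/ { e = NR }
        END { exit !(d && e && d < e) }'
}

# rule_count RULESET: number of -A lines, handy for a quick sanity check
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Sample call with the addresses and interface from this thread (constructed
# port lists): web and ssh in, mail out.
RULES=$(gen_ruleset 68.233.225.8 ppp0 "22 80" "25")
printf '%s\n' "$RULES"
# Apply as root with:  printf '%s\n' "$RULES" | iptables-restore
# (run `iptables-save > /root/iptables.before` first so you can roll back).
```

Because the original poster's server also runs mail, ldap and ftp, the inbound list has to name every service port that is actually offered; anything not in the list is silently dropped under this policy, which is also why the ruleset should be loaded from a console or with a fallback in place rather than over the only ssh session.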

aerocat
2010-11-21, 11:47 PM
I have not switched to bx2aa's suggested rules yet,
because this server runs a lot of things, not just web: there is also mail, ldap, ftp...
It was originally set up for trying out solutions; although I have not touched it for a long time, a bunch of friends and relatives still use it, and I have to look after friends living in mainland China so they can get past the Great Firewall.

However, after going through the logs, I found that a forum that had not been used in ages had turned into an international drug-selling hub;
after quickly shutting it down, everything was OK.
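The resolution came from the access log rather than from the firewall, which is the usual outcome when an abandoned web application is being abused: the load is caused by requests the server is serving, not by packets it could filter. As an added example (not from this thread), the functions below summarise an Apache combined-format access log by client address, by request path and by hour of day, which is enough to surface a forgotten forum being hammered by one address at the same time every morning. The log lines are constructed; they reuse the two addresses from this thread plus a documentation address, and the forum path is invented for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an Apache combined-format
# access log to see which addresses, which paths and which hours carry the
# load. All functions read the log on stdin.

# top_sources N: the N client addresses with the most requests
top_sources() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn | head -n "$1"
}

# top_paths N: the N request paths with the most requests. The path is the
# second word of the quoted request line, which is field 7 when awk splits
# the combined format on whitespace.
top_paths() {
    awk '{ n[$7]++ } END { for (p in n) print n[p], p }' | sort -rn | head -n "$1"
}

# requests_from IP: number of requests made by IP
requests_from() {
    awk -v ip="$1" '$1 == ip { c++ } END { print c + 0 }'
}

# per_hour: requests per hour of day ("HH count"), to spot a pattern such as
# the daily 9:00 surge described in the thread; field 4 is "[dd/Mon/yyyy:HH:MM:SS"
per_hour() {
    awk '{ split($4, t, ":"); n[t[2]]++ } END { for (h in n) print h, n[h] }' | sort
}

# Constructed sample log: one address repeatedly posting to an old forum
# script around 09:00, two ordinary visitors elsewhere.
SAMPLE_LOG='68.233.225.8 - - [01/Nov/2010:09:00:01 +0800] "POST /forum/post.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
68.233.225.8 - - [01/Nov/2010:09:00:02 +0800] "POST /forum/post.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
122.111.22.11 - - [01/Nov/2010:09:03:10 +0800] "GET /index.html HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
68.233.225.8 - - [01/Nov/2010:09:00:03 +0800] "POST /forum/post.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Nov/2010:14:21:44 +0800] "GET /index.html HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
68.233.225.8 - - [01/Nov/2010:09:00:04 +0800] "GET /forum/post.php HTTP/1.0" 200 2048 "-" "Mozilla/4.0"'

echo "top sources:";   printf '%s\n' "$SAMPLE_LOG" | top_sources 3
echo "top paths:";     printf '%s\n' "$SAMPLE_LOG" | top_paths 3
echo "requests/hour:"; printf '%s\n' "$SAMPLE_LOG" | per_hour
```

On a real server the same functions run over the live log, for example `top_paths 10 < /var/log/httpd/access_log`; a single script path with a request count out of all proportion to the rest of the site is the signal that an application, not the firewall, is what needs attention.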