A few months ago our system administrator disabled ping responses on one of our servers. Now we are trying to re-enable ping responses.
I checked the settings that disable ping; these values are set to 0.
root@dumpty:/mnt/NAS# cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
0
root@dumpty:/mnt/NAS# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
0
This is sysctl.conf:
root@dumpty:/mnt/NAS# cat /etc/sysctl.conf | grep icmp
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_all = 0
Ping still isn't working. I can see the requests in tcpdump, but no outgoing replies, so I know the server can receive the pings. For example, a tcpdump capture of the ping:
root@dumpty:/mnt/NAS# tcpdump -nni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:39:45.260686 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 1, length 64
18:39:46.259975 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 2, length 64
18:39:47.260289 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 3, length 64
18:39:48.259971 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 4, length 64
18:39:49.261652 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 5, length 64
18:39:50.261956 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 6, length 64
18:39:51.260058 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 7, length 64
18:39:52.260309 IP 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 8, length 64
^C
8 packets captured
13 packets received by filter
0 packets dropped by kernel
I may be wrong, but this is a command I found online that is supposed to capture the incoming packets.
root@dumpty:/mnt/NAS# tcpdump -nni eth0 -e icmp[icmptype] == 8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:48.260108 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 64, length 64
18:40:49.260064 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 65, length 64
18:40:50.260119 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 66, length 64
18:40:51.260092 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 67, length 64
18:40:52.260285 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 68, length 64
18:40:53.260465 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 69, length 64
18:40:54.262405 00:10:db:ff:10:01 > bc:30:5b:da:51:a6, ethertype IPv4 (0x0800), length 98: 103.227.98.242 > SEVERIP: ICMP echo request, id 4799, seq 70, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel
And what about this?
root@dumpty:/mnt/NAS# tcpdump -nni eth0 -e icmp[icmptype] == 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
I can't see the outgoing packets. I also checked iptables to see whether there is a rule blocking icmp.
root@dumpty:/mnt/NAS# sudo iptables -L INPUT | grep reject
REJECT tcp -- anywhere anywhere tcp dpt:9200 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:httpflags: FIN,SYN,RST,ACK/SYN #conn src/32 > 15 reject-with tcp-reset
root@dumpty:/mnt/NAS# sudo iptables -L INPUT | grep icmp
REJECT tcp -- anywhere anywhere tcp dpt:9200 reject-with icmp-port-unreachable
root@dumpty:/mnt/NAS# sudo iptables -L INPUT | grep drop
root@dumpty:/mnt/NAS#
There is a reject on port 9200, but I don't think that should block all ports, should it? What else could be blocking the ping replies? Is there some other configuration I've missed?
I'm doing my best to debug this. Thanks for any help.
Note: I edited the console output and replaced the server IP with SEVERIP.
Edit:
Added the iptables OUTPUT chain
root@dumpty:/mnt/NAS# sudo iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Edit 2:
root@dumpty:/mnt/NAS# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@dumpty:/mnt/NAS# iptables -t raw -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@dumpty:/mnt/NAS# iptables -t mangle -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
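The post checks the two kernel switches by hand and eyeballs the tcpdump output for replies. The helpers below, added here as an example and not part of the original question, do the same triage offline against saved text: one counts unanswered echo requests in a tcpdump capture, one resolves the effective value of a sysctl key from a sysctl.conf-style file (last uncommented assignment wins), and one combines them into a verdict. The sample capture and config are constructed; the IPs are documentation addresses.

```shell
#!/bin/sh
# Added example: offline triage helpers for "echo requests arrive, no echo replies leave".
# All functions read text on stdin, so they work on saved captures and config files.

# Count ICMP echo requests vs. replies in "tcpdump -nn icmp" output and report
# how many (id, seq) pairs never received a matching reply.
icmp_reply_gap() {
    awk '
        /ICMP echo request/ { req++; match($0, /id [0-9]+, seq [0-9]+/)
                              seen[substr($0, RSTART, RLENGTH)] = 1 }
        /ICMP echo reply/   { rep++; match($0, /id [0-9]+, seq [0-9]+/)
                              delete seen[substr($0, RSTART, RLENGTH)] }
        END { gap = 0; for (k in seen) gap++
              printf "requests=%d replies=%d unanswered=%d\n", req + 0, rep + 0, gap }
    '
}

# Effective value of a key in sysctl.conf-style text: comments are skipped and the
# last assignment wins, mirroring how sysctl(8) applies the file top to bottom.
sysctl_effective() {
    awk -v k="$1" -F'=' '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == k { v = $2 }
        END { print (v == "" ? "unset" : v) }
    '
}

# Verdict from the sysctl text alone: if icmp_echo_ignore_all is 1 the kernel
# itself suppresses replies; otherwise the cause is outside these two switches
# (netfilter tables, routing, ICMP rate limiting, ...).
icmp_verdict() {
    case $(sysctl_effective net.ipv4.icmp_echo_ignore_all) in
        1) echo kernel-suppressed ;;
        *) echo look-elsewhere ;;
    esac
}

# Constructed sample data (not from the original post).
SAMPLE_CAPTURE='18:39:45.260686 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 4799, seq 1, length 64
18:39:45.260750 IP 192.0.2.10 > 198.51.100.7: ICMP echo reply, id 4799, seq 1, length 64
18:39:46.259975 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 4799, seq 2, length 64
18:39:47.260289 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 4799, seq 3, length 64'
SAMPLE_SYSCTL='#net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_all = 0'

printf '%s\n' "$SAMPLE_CAPTURE" | icmp_reply_gap
printf '%s\n' "$SAMPLE_SYSCTL" | icmp_verdict
```

On a live host, feed the functions with `tcpdump -nni eth0 icmp` output and `/etc/sysctl.conf`; a `look-elsewhere` verdict with unanswered requests means the kernel switches are not the cause and the netfilter tables listed in the question are the next place to look.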