= iptables

== How to add a rule

Check where the rule should be inserted.

{{{
# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 cali-INPUT all -- anywhere anywhere /* cali:Cz_u1IQiXIMmKD4c */
2 KUBE-FIREWALL all -- anywhere anywhere
3 KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 ACCEPT icmp -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
7 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
}}}

Insert the new rule into the INPUT chain at position 8, so it is evaluated before the REJECT rule currently at line 8 discards the packet.

{{{
# iptables -I INPUT 8 -p tcp --dport 8080 -j ACCEPT
}}}

Listing the chain again shows the new rule at position 8 (port 8080 is displayed under its service name, webcache) and the REJECT rule pushed down to position 9.

{{{
# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 cali-INPUT all -- anywhere anywhere /* cali:Cz_u1IQiXIMmKD4c */
2 KUBE-FIREWALL all -- anywhere anywhere
3 KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 ACCEPT icmp -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
7 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
8 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache
9 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
}}}

== Debugging

Using the rule insertion shown above, add a rule that logs packets before they reach the REJECT rule and are dropped.

{{{
# iptables -I INPUT 8 -j LOG --log-prefix "IPTABLES DROP:" --log-level=info
}}}

{{{
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 cali-INPUT all -- anywhere anywhere /* cali:Cz_u1IQiXIMmKD4c */
2 KUBE-FIREWALL all -- anywhere anywhere
3 KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 ACCEPT icmp -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
7 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
8 LOG all -- anywhere anywhere LOG level info prefix "IPTABLES DROP:"
9 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
}}}

When a packet is dropped, a line like the following appears in /var/log/messages.

{{{
Jul 13 09:54:40 master1 kernel: IPTABLES DROP:IN=eth0 OUT= MAC=00:0d:3a:4d:fc:d2:74:83:ef:85:23:fc:08:00 SRC=10.0.0.8 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46332 DF PROTO=TCP SPT=39658 DPT=2379 WINDOW=29200 RES=0x00 SYN URGP=0
}}}

In this example the rejected packet is a connection attempt to port 2379 (DPT=2379, from SRC=10.0.0.8). Opening port 2379 in iptables lets that communication succeed.
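As an added example (not part of the original page), the following Python script parses the kernel log lines written by the LOG rule above and tallies which destination ports are being rejected and from which sources, so the decision to open a port (2379 here) rests on the whole log rather than a single line. The first sample line is the one shown on this page; the remaining lines are constructed for the example.

```python
import re

# Prefix set by the LOG rule on this page (--log-prefix "IPTABLES DROP:").
LOG_PREFIX = "IPTABLES DROP:"

# The kernel writes KEY=VALUE tokens; some tokens (DF, SYN, ACK, ...) are bare flags
# without "=", and some values are empty (OUT= on inbound packets).
_TOKEN = re.compile(r"(\S+?)=(\S*)|(\S+)")

# First line is the one shown on this page; lines 2-3 are constructed sample data.
# Line 3 is a non-iptables syslog line to show that unrelated lines are ignored.
SAMPLE_LOG = """\
Jul 13 09:54:40 master1 kernel: IPTABLES DROP:IN=eth0 OUT= MAC=00:0d:3a:4d:fc:d2:74:83:ef:85:23:fc:08:00 SRC=10.0.0.8 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46332 DF PROTO=TCP SPT=39658 DPT=2379 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 13 09:54:41 master1 kernel: IPTABLES DROP:IN=eth0 OUT= MAC=00:0d:3a:4d:fc:d2:74:83:ef:85:23:fc:08:00 SRC=10.0.0.9 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11 DF PROTO=TCP SPT=40000 DPT=2379 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 13 09:54:43 master1 sshd[1234]: Accepted publickey for admin from 10.0.0.8 port 50000 ssh2
"""


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the fields after the LOG prefix as a dict, or None if the line
    was not produced by our LOG rule. Bare flags are stored as True."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {}
    for m in _TOKEN.finditer(line[idx + len(prefix):]):
        if m.group(3) is not None:
            fields[m.group(3)] = True          # flag such as DF or SYN
        else:
            fields[m.group(1)] = m.group(2)    # KEY=VALUE, value may be ""
    return fields


def summarize_rejected(lines, prefix=LOG_PREFIX):
    """Count rejected packets per (PROTO, DPT) and remember the source addresses,
    which is what you need before deciding whether opening the port is justified."""
    summary = {}
    for line in lines:
        f = parse_log_line(line, prefix)
        if not f or "DPT" not in f:
            continue  # unrelated syslog line, or a protocol without ports
        entry = summary.setdefault((f.get("PROTO"), int(f["DPT"])), {"count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(f.get("SRC"))
    return summary


def ports_to_review(summary):
    """(proto, port, count) tuples, most frequently rejected first."""
    return sorted(((p, d, v["count"]) for (p, d), v in summary.items()), key=lambda t: -t[2])


if __name__ == "__main__":
    for proto, port, count in ports_to_review(summarize_rejected(SAMPLE_LOG.splitlines())):
        print(f"{proto} dport {port}: {count} rejected packet(s)")
```

In practice, feed it the real file with `summarize_rejected(open("/var/log/messages"))` on the host where the LOG rule is installed.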