A question about squid (pinger) and iptables (solved)

火星人 @ 2014-03-04 , reply:0



CentOS 5.2
Squid's configure options were: --enable-icmp --enable-htcp;
After that I also installed pinger: make install-pinger.

The iptables rules are as follows:

# Generated by iptables-save v1.3.5 on Thu Jan  8 09:27:22 2009
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
# Completed on Thu Jan  8 09:27:22 2009

The output of squid -N -d1 is as follows:
# squid -N -d1      
2009/01/08 22:33:30| Starting Squid Cache version 3.0.STABLE11 for i686-pc-linux-gnu...
2009/01/08 22:33:30| Process ID 13674
2009/01/08 22:33:30| With 1024 file descriptors available
2009/01/08 22:33:30| Performing DNS Tests...
2009/01/08 22:33:30| Successful DNS name lookup tests...
2009/01/08 22:33:30| DNS Socket created at 0.0.0.0, port 32875, FD 5
2009/01/08 22:33:30| Adding nameserver 192.168.1.1 from /etc/resolv.conf
2009/01/08 22:33:30| Unlinkd pipe opened on FD 11
2009/01/08 22:33:30| Swap maxSize 102400 KB, estimated 7876 objects
2009/01/08 22:33:30| Target number of buckets: 393
2009/01/08 22:33:30| Using 8192 Store buckets
2009/01/08 22:33:30| Max Mem  size: 8192 KB
2009/01/08 22:33:30| Max Swap size: 102400 KB
2009/01/08 22:33:30| Version 1 of swap file with LFS support detected...
2009/01/08 22:33:30| Rebuilding storage in /usr/local/squid/var/cache (DIRTY)
2009/01/08 22:33:30| Using Least Load store dir selection
2009/01/08 22:33:30| Set Current Directory to /usr/local/squid/var/cache
2009/01/08 22:33:30| Loaded Icons.
2009/01/08 22:33:30| Accepting  HTTP connections at 0.0.0.0, port 3128, FD 13.
2009/01/08 22:33:30| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2009/01/08 22:33:30| HTCP Disabled.


After clearing all iptables rules:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

squid -N -d1 then gets through:
# squid -N -d1
2009/01/08 22:41:02| Starting Squid Cache version 3.0.STABLE11 for i686-pc-linux-gnu...
2009/01/08 22:41:02| Process ID 13692
2009/01/08 22:41:02| With 1024 file descriptors available
2009/01/08 22:41:02| Performing DNS Tests...
2009/01/08 22:41:02| Successful DNS name lookup tests...
2009/01/08 22:41:02| DNS Socket created at 0.0.0.0, port 32877, FD 5
2009/01/08 22:41:02| Adding nameserver 192.168.1.1 from /etc/resolv.conf
2009/01/08 22:41:02| Unlinkd pipe opened on FD 11
2009/01/08 22:41:02| Swap maxSize 102400 KB, estimated 7876 objects
2009/01/08 22:41:02| Target number of buckets: 393
2009/01/08 22:41:02| Using 8192 Store buckets
2009/01/08 22:41:02| Max Mem  size: 8192 KB
2009/01/08 22:41:02| Max Swap size: 102400 KB
2009/01/08 22:41:02| Version 1 of swap file with LFS support detected...
2009/01/08 22:41:02| Rebuilding storage in /usr/local/squid/var/cache (DIRTY)
2009/01/08 22:41:02| Using Least Load store dir selection
2009/01/08 22:41:02| Set Current Directory to /usr/local/squid/var/cache
2009/01/08 22:41:02| Loaded Icons.
2009/01/08 22:41:02| Accepting  HTTP connections at 0.0.0.0, port 3128, FD 13.
2009/01/08 22:41:02| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2009/01/08 22:41:02| HTCP Disabled.
2009/01/08 22:41:02| Pinger socket opened on FD 16
2009/01/08 22:41:03| Ready to serve requests.
2009/01/08 22:41:03| Done reading /usr/local/squid/var/cache swaplog (0 entries)
2009/01/08 22:41:03| Finished rebuilding storage from disk.
2009/01/08 22:41:03|         0 Entries scanned
2009/01/08 22:41:03|         0 Invalid entries.
2009/01/08 22:41:03|         0 With invalid flags.
2009/01/08 22:41:03|         0 Objects loaded.
2009/01/08 22:41:03|         0 Objects expired.
2009/01/08 22:41:03|         0 Objects cancelled.
2009/01/08 22:41:03|         0 Duplicate URLs purged.
2009/01/08 22:41:03|         0 Swapfile clashes avoided.
2009/01/08 22:41:03|   Took 0.14 seconds (  0.00 objects/sec).
2009/01/08 22:41:03| Beginning Validation Procedure
2009/01/08 22:41:03|   Completed Validation Procedure
2009/01/08 22:41:03|   Validated 25 Entries
2009/01/08 22:41:03|   store_swap_size = 0
2009/01/08 22:41:03| storeLateRelease: released 0 objects

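That is the situation as shown above. My own analysis is that it is related to the line "Pinger socket opened on FD 16"; I feel the iptables rules are blocking the execution of some command. Could you all please help analyze this? Many thanks!!

[ This post was last edited by gyp334a on 2009-1-12 11:01 ]
《Solution》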

Add this rule:
iptables -A INPUT -i lo -j ACCEPT

Loopback has to be opened.
《Solution》

Originally posted by huzi1986 on 2009-1-12 10:44
Add this rule:
iptables -A INPUT -i lo -j ACCEPT

Loopback has to be opened.

Many thanks, that was exactly the problem. Solved!!
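
The condition this thread turned on (an INPUT policy of DROP with no rule that accepts traffic on lo) can be checked from an iptables-save dump. The script below is an added example, not part of the original posts; the function names check_loopback, thread_rules and fixed_rules are hypothetical, and the two embedded rulesets are an abbreviated copy of the poster's rules and a constructed variant with the reply's rule appended.

```shell
#!/bin/sh
# Added example (not from the thread). Reads iptables-save output on stdin.
# Returns 0 if traffic arriving on lo is accepted by the filter INPUT chain,
# 1 if it falls through to a DROP policy or hits an unconditional DROP/REJECT.
# Assumption: only rules with no match other than -i are treated as decisive;
# jumps to user-defined chains are not followed.
check_loopback() {
    awk '
        /^\*/ { table = substr($1, 2) }             # "*filter" -> "filter"
        table != "filter" { next }
        /^:INPUT / { policy = $2 }                  # e.g. ":INPUT DROP [0:0]"
        /^-A INPUT / && verdict == "" {
            target = ""; iface = "any"; narrowed = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j")      { target = $(i + 1); break }
                else if ($i == "-i") iface = $(++i)
                else                 narrowed = 1   # -p, -m, --dport, "!" ...
            }
            # Only a rule that matches every packet on lo is decisive.
            if (narrowed || (iface != "any" && iface != "lo")) next
            if (target == "ACCEPT") verdict = "accepted"
            else if (target == "DROP" || target == "REJECT") verdict = "dropped"
        }
        END {
            if (verdict == "") verdict = (policy == "DROP") ? "dropped" : "accepted"
            print "loopback INPUT traffic: " verdict
            exit (verdict == "accepted" ? 0 : 1)
        }'
}

# Ruleset as posted in the thread, abbreviated (repeated/similar rules trimmed).
thread_rules() {
cat <<'EOF'
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
EOF
}
# Constructed variant: the same rules with the rule from the reply appended.
fixed_rules() { thread_rules | awk '/^COMMIT$/ { print "-A INPUT -i lo -j ACCEPT" } { print }'; }

thread_rules | check_loopback || echo "-> missing: iptables -A INPUT -i lo -j ACCEPT"
fixed_rules  | check_loopback
```

On a live host the same function can be fed directly with `iptables-save | check_loopback`.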





http://www.coctec.com/docs/service/show-post-24948.html