Environment:
ADSL dial-up. A dual-NIC machine running Gentoo Linux, with Shorewall (driving iptables) as the firewall, does the dialling; the internal network has 50 Windows machines that all go online through it. No special policy has been set up; it is basically just configured as a NAT. All the Windows machines on the LAN have fixed IP and DNS server settings, and the NAT box itself provides no name resolution or DHCP. Now the following strange problem has appeared:
Most sites can be reached normally from the internal machines, but a few sites (not small ones, all big sites) cannot. It looks like this: after entering the address, the browser status bar briefly shows it connecting to the site's IP, then it gets stuck at "Web site found, waiting for reply". The browser gives no error, the status shows no data coming in, and it just sits there with a completely blank page, unresponsive. That is the strange situation.
The unreachable sites I have found so far are taobao, tianya, sina, pchome, cnbeta and so on; all show exactly the same symptoms.
I tried to find the cause and did the following. First, from both the NAT box and a client, pinging the DNS servers and the outside network works. Pinging the domain names of the unreachable sites resolves them to an IP and the ping succeeds. On a client, running tracert against the domain names and IPs of the unreachable sites also goes through, as shown below:
C:\Documents and Settings\xwuser>tracert www.sina.com.cn
Tracing route to jupiter.sina.com.cn [61.172.201.194]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 * * * Request timed out.
3 25 ms 20 ms 24 ms 58.49.2.81
4 62 ms 52 ms 48 ms 221.232.254.129
5 33 ms 36 ms 41 ms 221.232.254.117
6 223 ms 212 ms 135 ms 61.152.80.149
7 290 ms 408 ms 131 ms 61.152.87.122
8 64 ms 75 ms 82 ms 222.72.243.250
9 213 ms 264 ms 370 ms 61.172.201.194
Trace complete.
PS: the "Request timed out" at hop 2 also appears when tracing sites that can be accessed.
Then I did two more things. I unplugged the ADSL from the Linux box and plugged it into an arbitrary Windows client to dial up, and all the addresses that could not be reached above could then be accessed normally. Next I brought back the original D-Link 604+ router (this Linux box was meant to replace that router), connected it as before, changed nothing on the Windows clients, and the sites that could not be reached became reachable. (So I am fairly sure there is nothing wrong with the Windows clients' DNS settings.)
Then I thought of telnet and of accessing sites by IP, and that led me to something odd.
On a Windows client, telnetting to port 80 of any website, reachable or not, gives a black screen after connecting, shows nothing, and after a while drops back to the command prompt.
And if I access sites by IP, then no matter which site, none can be accessed; the message is as follows:
错误
您所请求的网址(URL)无法获取
--------------------------------------------------------------------------------
当尝试读取以下网址(URL)时: http://220.181.28.206/
发生了下列的错误:
Access Denied.
拒绝访问
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
当前的存取控制设定禁止您的请求被接受,如果您觉得这是错误的,请与您网路服务的提供者联系。
本缓存服务器管理员:webmaster
--------------------------------------------------------------------------------
Generated Thu, 16 Aug 2007 04:50:33 GMT by www.163.com (cache/2.001+logs)
That is what it looks like.
What on earth is going on? I cannot figure it out. Could an expert please explain this strange problem of why some sites can be accessed and others cannot?
Also attached are the Shorewall-generated iptables rules as shown by iptables -L -n:
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ppp0_in all -- 0.0.0.0/0 0.0.0.0/0
eth0_in all -- 0.0.0.0/0 0.0.0.0/0
Reject all -- 0.0.0.0/0 0.0.0.0/0
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
ppp0_fwd all -- 0.0.0.0/0 0.0.0.0/0
eth0_fwd all -- 0.0.0.0/0 0.0.0.0/0
Reject all -- 0.0.0.0/0 0.0.0.0/0
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
fw2all all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
fw2lan all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
target prot opt source destination
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
dropBcast all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
dropInvalid all -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain Reject (3 references)
target prot opt source destination
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
dropBcast all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
dropInvalid all -- 0.0.0.0/0 0.0.0.0/0
reject udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
reject udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
reject tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
dropNotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Reject all -- 0.0.0.0/0 0.0.0.0/0
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
Chain dynamic (4 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
lan2all all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
lan2all all -- 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
Chain fw2all (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain fw2lan (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.0.129 tcp dpt:14672
ACCEPT udp -- 0.0.0.0/0 192.168.0.129 udp dpt:14672
fw2all all -- 0.0.0.0/0 0.0.0.0/0
Chain lan2all (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Drop all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:14682
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:14682
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:14692
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:14692
net2all all -- 0.0.0.0/0 0.0.0.0/0
Chain net2lan (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.0.129 tcp dpt:14672
ACCEPT udp -- 0.0.0.0/0 192.168.0.129 udp dpt:14672
net2all all -- 0.0.0.0/0 0.0.0.0/0
Chain ppp0_fwd (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
net2lan all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
Chain ppp0_in (1 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
net2fw all -- 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
Chain reject (10 references)
target prot opt source destination
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
LOG all -- 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 0.0.0.0/0
LOG all -- 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP all -- 224.0.0.0/4 0.0.0.0/0
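Added example (not from the post or from Shorewall): a small Python walker that resolves the verdict a forwarded packet gets from the filter-table rules listed above. A plain `iptables -L -n` hides the input-interface match that sends packets into `eth0_fwd` or `ppp0_fwd`, so the caller names the entry chain; the matcher models only protocol, destination, conntrack state and destination-port clauses, and the embedded dump is a constructed, abridged excerpt of the post's rules containing only such clauses (the empty `dynamic` chain and the `Drop` sub-chain are left out). Walking it shows that `lan2all` accepts every new LAN-to-net connection unconditionally and that unsolicited net-to-LAN traffic is dropped except for the port forwarded to 192.168.0.129, so the listed filter rules do not distinguish one destination site from another.

```python
import re
# Constructed, abridged excerpt of the post's `iptables -L -n` dump: forward-path chains, modelled clauses only.
DUMP = """\
Chain eth0_fwd (1 references)
lan2all    all  --  0.0.0.0/0  0.0.0.0/0      policy match dir out pol none
Chain ppp0_fwd (1 references)
net2lan    all  --  0.0.0.0/0  0.0.0.0/0      policy match dir out pol none
Chain lan2all (2 references)
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0
Chain net2lan (1 references)
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0  192.168.0.129  tcp dpt:14672
net2all    all  --  0.0.0.0/0  0.0.0.0/0
Chain net2all (2 references)
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0  0.0.0.0/0
"""

def parse(dump):
    """Map chain name -> [(target, prot, destination, clauses)] from `iptables -L -n` text."""
    chains, cur = {}, None
    for line in dump.splitlines():
        head = re.match(r"Chain (\S+)", line)
        if head:
            cur = chains.setdefault(head.group(1), [])
        elif line and not line.startswith("target"):  # skip the column header row
            f = line.split(None, 5)  # target prot opt source destination [clauses]
            cur.append((f[0], f[1], f[4], f[5] if len(f) > 5 else ""))
    return chains

def matches(rule, pkt):
    """Model protocol, destination (/0 or exact host), conntrack state and dpt:/dports only."""
    _target, prot, dst, clauses = rule
    state, dport = re.search(r"state (\S+)", clauses), re.search(r"dpt:(\d+)|dports (\S+)", clauses)
    return (prot in ("all", pkt["proto"]) and dst in ("0.0.0.0/0", pkt["dst"])
            and (not state or pkt["state"] in state.group(1).split(","))
            and (not dport or str(pkt["dport"]) in (dport.group(1) or dport.group(2)).split(",")))

def verdict(chains, chain, pkt, policy="DROP"):
    """Walk `chain` as the kernel would; a user chain that falls off its end yields None."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule[0] in ("ACCEPT", "DROP", "REJECT"):
            return rule[0]
        sub = verdict(chains, rule[0], pkt, None) if rule[0] in chains else None
        if sub:  # the user chain reached a verdict; otherwise keep scanning this chain
            return sub
    return policy
```

Note that `iptables -L -n` lists only the filter table; the MASQUERADE rule that makes this box a NAT, and any TCPMSS clamp, live in the nat and mangle tables (`iptables -t nat -L -n`, `iptables -t mangle -L -n`) and are absent from the dump above.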