Connectivity check

Checking from the local host

From the server itself I connected with telnet to port 80 (the port httpd listens on) and could GET the HTML, so listening is fine.

[root@linux38 etc]# telnet 192.168.10.38 80
Trying 192.168.10.38...
Connected to linux38 (192.168.10.38).
Escape character is '^]'.
GET /index.html HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 23 Oct 2006 11:14:33 GMT
Server: Apache/2.2.2 (Fedora)
Last-Modified: Mon, 23 Oct 2006 10:37:54 GMT
ETag: "689832-51-bdc6480"
Accept-Ranges: bytes
Content-Length: 81
Connection: close
Content-Type: text/html; charset=UTF-8

index.html

Connection closed by foreign host.

Connectivity from a remote host

This didn't work at first, but I got it resolved.
In the end it was cause 1: iptables was running as a firewall and rejecting access from outside.

Full account

Accessing http://192.168.10.38 from a browser on Windows gives "server not found".

Trying to connect to 192.168.10.38:80 with TeraTerm shows "connecting..." for a while and then fails with "Cannot connect the host".

  • Prerequisite: SSH from Windows to the server already works.

Possible cause 1

The server is refusing port-80 connections from outside.

#iptables -L
[root@linux38 etc]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4039  301K RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3833 packets, 994K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   48  3930 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
   15  2216 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ipp
 3761  257K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    2    96 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
  213 37976 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Let's try deleting the REJECT on the last line.

[root@linux38 etc]# iptables -D RH-Firewall-1-INPUT 10
[root@linux38 etc]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4103  307K RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3883 packets, 1000K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   48  3930 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
   15  2216 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ipp
 3811  260K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    2    96 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
[root@linux38 conf]# /etc/init.d/iptables
使い方: /etc/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
[root@linux38 conf]# /etc/init.d/iptables restart
ファイアウォールルールを適用中:                            [  OK  ]
チェインポリシーを ACCEPT に設定中filter                   [  OK  ]
iptables モジュールを取り外し中                            [  OK  ]
iptables ファイアウォールルールを適用中:                   [  OK  ]
iptables モジュールを読み込み中ip_conntrack_netbios_ns     [  OK  ]
[root@linux38 conf]#

Even at this point I still can't get in from the external browser. Wait a moment: the REJECT is back. Was the deletion of the REJECT not saved properly???

[root@linux38 conf]# iptables -L -v
    1    78 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

The deletion with iptables -D only changed the running rule set in the kernel; /etc/init.d/iptables rebuilds the tables from the rules written in /etc/sysconfig/iptables on restart, so I edited /etc/sysconfig/iptables directly.

[root@linux38 sysconfig]# pwd
/etc/sysconfig
[root@linux38 sysconfig]# ls -la iptables
-rw------- 1 root root 802 10月 23 21:02 iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now I can access it from the Windows browser!!
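Here is what I would do instead of deleting the catch-all REJECT (deleting it opens every port, not just 80): insert an explicit ACCEPT for TCP port 80 in front of the REJECT, keep the REJECT as the last rule, and then persist the result so a restart doesn't undo it. The script below is an added example, not from the original post or from Fedora; it rewrites a copy of the /etc/sysconfig/iptables file in iptables-save format and checks the result, without touching a live firewall. The chain name RH-Firewall-1-INPUT and the rule layout are the ones shown above; the sample file is constructed from that listing with the comment lines dropped.

```shell
#!/bin/sh
# Added example (not from the original post). Inserts an explicit HTTP ACCEPT
# rule in front of the catch-all REJECT of an iptables-save style file instead
# of deleting the REJECT. Works on a copy of the file only.

# Constructed sample: the /etc/sysconfig/iptables listing from the post,
# with comment lines removed.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print the rule set from file $1 with a port-80 ACCEPT inserted just before
# the first REJECT in RH-Firewall-1-INPUT. Everything else is passed through.
add_http_rule() {
    awk '
        /^-A RH-Firewall-1-INPUT -j REJECT/ && !done {
            print "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
            done = 1
        }
        { print }
    ' "$1"
}

# Sanity check on rule file $1: succeeds only if the catch-all REJECT is still
# present and exactly one port-80 ACCEPT appears before it.
check_rules() {
    file="$1"
    grep -q -- '-j REJECT --reject-with icmp-host-prohibited' "$file" || return 1
    n=$(grep -c -- '--dport 80 -j ACCEPT' "$file" || true)
    [ "$n" -eq 1 ] || return 1
    # Order matters: the ACCEPT must sit above the REJECT or it never matches.
    a=$(grep -n -- '--dport 80 -j ACCEPT' "$file" | cut -d: -f1)
    r=$(grep -n -- '-j REJECT --reject-with' "$file" | cut -d: -f1)
    [ "$a" -lt "$r" ]
}

# Stand-alone demo: write the sample to a temp file, print the corrected rule
# set, and report whether it passes the check.
tmp=$(mktemp)
sample_rules > "$tmp"
add_http_rule "$tmp"
add_http_rule "$tmp" > "$tmp.fixed"
if check_rules "$tmp.fixed"; then echo "check: OK"; else echo "check: FAILED"; fi
rm -f "$tmp" "$tmp.fixed"
```

On the real box the equivalent live change is `iptables -I RH-Firewall-1-INPUT 10 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT` (10 being the REJECT's position in the listing above, so the new rule lands directly before it), followed by `/etc/init.d/iptables save` so the running rules are written back to /etc/sysconfig/iptables and survive the next restart.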

Possible cause 2

Something xinetd-related. Look around here:

#cd /etc/xinetd.d
Possible cause 3

/etc/hosts.allow, /etc/hosts.deny

All fine here; or rather, no restrictions are set at all (every entry is commented out).

[root@linux38 etc]# more /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
#rsync: 127.0.0.1
#rsync: 192.168.10.37
#ALL: ALL
[root@linux38 etc]# more /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#rsync: ALL
#ALL: ALL
Possible cause 4

Apache host-based access control

No Deny directive is written, so everything is allowed.

#cd /etc/httpd/conf/httpd.conf


#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride None

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all


Connectivity established