Commit
Showing 3 changed files with 79 additions and 1 deletion.
@@ -0,0 +1,73 @@ | ||
--- | ||
date: 2019-12-15 | ||
spot: 大冲新城花园 | ||
sort: Computer Science | ||
tags: | ||
- Network | ||
- iptables | ||
- NAT | ||
- TCP | ||
- MySQL | ||
- Unix domain socket | ||
- man page | ||
--- | ||
|
||
# 慎用 iptables:误用规则引发的疑问 | ||
|
||
![BCY0349 Masquerade](./bcy0349.jpg "Permitted under the [Terms and conditions](https://www.dfo-mpo.gc.ca/terms-conditions-avis-eng.htm). ©️ [**Contributors**](https://www.dfo-mpo.gc.ca/species-especes/mammals-mammiferes/humpback-rorqual-a-bosse/photos/index-eng.html) on [*dfo-mpo.gc.ca*](https://www.dfo-mpo.gc.ca/species-especes/mammals-mammiferes/humpback-rorqual-a-bosse/photos/bcy-eng.html).") | ||
|
||
昨天去了一趟广州。在深圳安检排队时微信突然来了一串消息: | ||
|
||
> 有个 Web 服务突然被数据库拒绝访问。 | ||
事态比较紧急,我们组长先做了临时处理,之后通知了我们几个相关的人。由于我前阵子接手了这个项目,所以也就承担调查事故原因的任务。 | ||
|
||
## 背景 | ||
|
||
这里涉及一些业务层面的东西,需要脱敏,所以只提取出涉事技术因素: | ||
|
||
- Web 服务(下文以 `IDLE` 代称):一个重要而不繁忙的内部网站,只有工作时间会有人使用。 | ||
- 数据库(下文以 `DB` 代称):一个重要且繁忙的数据库,`IDLE` 会对 `DB` 进行只读操作。 | ||
- 另一个 Web 服务(下文以 `BUSY` 代称):持续对 `DB` 进行高频读写操作。 | ||
|
||
### 具体故障 | ||
|
||
`IDLE` 被 `DB` 拒绝访问。 | ||
|
||
在这之前,`IDLE` 对 `DB` 的访问是完全正常的。作为当前唯一的维护人员,我接手后还没做几个变更就出了这个故障,实属摸不着头脑。 | ||
|
||
### 初步调查及临时措施 | ||
|
||
组长做了初步调查及临时措施,并提出疑问: | ||
|
||
- Web 服务报错:`sqlMessage: "Host 'IP.IP.IP.IP' is not allowed to connect to this MySQL server"` | ||
- 临时措施: | ||
- `GRANT ALL PRIVILEGES ON *.* TO 'USER'@'IP.IP.IP.IP';` | ||
- 对 `DB` 做了此变更之后 `IDLE` 恢复正常 | ||
- 疑问: | ||
> 1. MySQL 拒绝 `IDLE` 访问,为什么昨天没有出现,而今天早晨出现了?周五晚上有人修改了 MySQL 配置吗? | ||
> 2. `IDLE` 服务连接数据库的配置中,`host = "localhost"`,为什么 MySQL 的报错会变成 `"IP.IP.IP.IP"`? | ||
### 可能相关的运维变更 | ||
|
||
有位同事补充了周五晚上他对服务器做的变更:出于运维需要,给 iptables 加了如下规则: | ||
|
||
```sh | ||
sudo iptables -t nat -A POSTROUTING -j MASQUERADE | ||
``` | ||
|
||
之后,又使用 `iptables-restore` 将变更前备份的 iptables 规则表重新导入回去。 | ||
|
||
## 我的疑问 | ||
|
||
得到以上所有信息之后,我也产生了如下几个疑问: | ||
|
||
--- | ||
|
||
- [](https://man7.org/linux/man-pages/index.html) | ||
|
||
:::details 封面图 | ||
|
||
::: | ||
|
||
## References |
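Review bot: the `## 我的疑问` section announces "the following questions" and then contains none; what follows is a horizontal rule, a link with empty text (`- [](https://man7.org/linux/man-pages/index.html)`), an empty `:::details 封面图` container and a bare `## References` heading, so either fill these in before merging or mark the post as a draft. Two Markdown issues will also change how the post renders: the narration line beginning `事态比较紧急` directly follows `> 有个 Web 服务突然被数据库拒绝访问。` with no blank line, so it is absorbed into the quote as a lazy continuation, and the `> 1.` / `> 2.` questions under `- 疑问:` are not indented under the list item, so they render as a top-level blockquote rather than as part of the list; a blank line before `### 可能相关的运维变更` is needed as well. Finally, since the post states that `IDLE` only performs read-only operations on `DB`, the temporary fix `GRANT ALL PRIVILEGES ON *.* TO 'USER'@'IP.IP.IP.IP';` deserves a sentence noting that it is far broader than needed and should be narrowed or reverted once the cause is confirmed, and the rule `sudo iptables -t nat -A POSTROUTING -j MASQUERADE` carries no `-o` interface match or source restriction, so it applies to every packet leaving POSTROUTING; the post should say which interface it was intended for.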