谷歌计算平台防火墙规则

时间:2017-11-22 01:28:22

标签: django google-cloud-platform firewall iptables portforwarding

我已经打开了端口,但它仍无法正常工作。

从我本地机器上的gcloud:

C:\Program Files (x86)\Google\Cloud SDK>gcloud compute firewall-rules list
To show all fields of the firewall, please show in JSON format: --format=json
To show all fields in table format, please see the examples in --help.

NAME                    NETWORK  DIRECTION  PRIORITY  ALLOW                             DENY
default-allow-https     default  INGRESS    1000      tcp:443
default-allow-icmp      default  INGRESS    65534     icmp
default-allow-internal  default  INGRESS    65534     tcp:0-65535,udp:0-65535,icmp
default-allow-rdp       default  INGRESS    65534     tcp:3389
default-allow-ssh       default  INGRESS    65534     tcp:22
django                  default  EGRESS     1000      tcp:8000,tcp:80,tcp:8080,tcp:443
django-in               default  INGRESS    1000      tcp:8000,tcp:80,tcp:8080,tcp:443

来自google cloud上的实例:

admin-u5214628@instance-1:~$ wget localhost:8080
--2017-11-22 01:23:56--  http://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 302 FOUND
Location: http://localhost:8080/login/?next=/ [following]
--2017-11-22 01:23:56--  http://localhost:8080/login/?next=/
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html              [ <=>                ]   6.26K  --.-KB/s    in 0s

2017-11-22 01:23:56 (161 MB/s) - ‘index.html’ saved [6411]

但是通过外部IP,没有显示任何内容:

http://35.197.1.158:8080/

我通过以下命令检查了端口:

root@instance-1:/etc# netstat -ntlp | grep LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1539/redis-server 1
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2138/python
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1735/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1735/sshd

我不确定这对Ubuntu防火墙设置是否足够?对我来说没问题。

在实例上,我检查了我能想到的一切。

enter image description here

UFW(简单防火墙):

root@instance-1:~# ufw status
Status: inactive

根据我的理解,这意味着它已关闭,因此不会阻止任何事情。

根据建议,我尝试配置iptables

iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

然后我保存它:

root@instance-1:~# iptables-save -c
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*mangle
:PREROUTING ACCEPT [175:18493]
:INPUT ACCEPT [175:18493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [154:15965]
:POSTROUTING ACCEPT [154:15965]
COMMIT
# Completed on Thu Nov 23 00:16:44 2017
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*nat
:PREROUTING ACCEPT [6:300]
:INPUT ACCEPT [6:300]
:OUTPUT ACCEPT [6:360]
:POSTROUTING ACCEPT [6:360]
COMMIT
# Completed on Thu Nov 23 00:16:44 2017
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*filter
:INPUT ACCEPT [169:18193]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:17013]
[6:300] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov 23 00:16:44 2017

现在看起来像这样:

root@instance-1:~# iptables -v -n -x -L
Chain INPUT (policy ACCEPT 80 packets, 5855 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 52 packets, 6047 bytes)
    pkts      bytes target     prot opt in     out     source               destination

确保规则得到应用并实时:

iptables-save > /etc/iptables.rules
iptables-apply /etc/iptables.rules

我认为我不需要重启/重置实例。

我想我需要forward traffic to local ip

# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8000
# iptables -t nat -A POSTROUTING -j MASQUERADE
# python manage.py runserver
Performing system checks...

System check identified no issues (0 silenced).
November 24, 2017 - 17:54:00
Django version 1.8.18, using settings 'codebench.settings'
Starting development server at http://127.0.0.1:8000/

这种方法不起作用......

尝试:

python manage.py runserver 0.0.0.0:8080 &

这绝对适用于我的本地机器,只是不在google实例上,我很困惑。

2 个答案:

答案 0 :(得分:0)

根据我的经验,当我创建计算引擎的实例时,我应该明确标记允许HTTP(S)访问。这可能是一件值得关注的事情。

另一个 - 您在计算引擎实例中部署/使用的操作系统可能有自己的防火墙规则。它们需要相应修改。

基于新提供的有关UFW和Ubuntu的信息。我对Ubuntu不是很有信心,但我知道UFW是iptables的包装器。我可能错了,但我想如果启用它可能会更好。然后,您可以获得有关防火墙配置的更多详细信息。

答案 1 :(得分:0)

我认为问题在于服务器仅应听127.0.0.1:8080而不是0.0.0.0:8080。这就是为什么您没有收到http://localhost:8080/的回复的原因 与http://35.197.1.158:8080一起使用有关更多详细信息,请从stackoverflow What is the difference between 0.0.0.0, 127.0.0.1 and localhost?

中查看此答案。

要更改配置以使Apache侦听0.0.0.0:8080或特定的IP和端口,请遵循此文档https://httpd.apache.org/docs/2.4/bind.html