nginx and the firewall

billows1026 2014-08-07 12:03:12
I've run into a very strange problem and can't find any information about it online.
The company has a website hosted on Alibaba Cloud. Below is the firewall's filter table:
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11211
8 DROP icmp -- 0.0.0.0/0 0.0.0.0/0
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8009
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Normally the company website is reachable, but after I run iptables -P INPUT DROP, the nginx I set up can no longer reach the backend service through its upstream:
1246#0: *140697 connect() to [::1]:8080 failed (101: Network is unreachable) while connecting to upstream, client: 180.153.206.22, server: www.cctvshow.com, request: "GET /static/assets/plugins/respond.min.js HTTP/1.1", upstream: "http://[::1]:8080/static/assets/plugins/respond.min.js", host: "www.cctvshow.com", referrer: "http://www.cctvshow.com/static/assets/plugins/respond.min.js"

Please help...
GoogleFan 2015-10-13
Quoting an earlier reply:
Can I ask a simple question? Where is my previous reply? If u were innocent, why did u report to the moderator? "Production environment"? Give me a break! Ur admin allows u to monkey around in the production environment? The post I refer to is supposed to discuss the correct way to configure nginx as a reverse proxy for tomcat. U didn't give any details. All you could tell was "this didn't work, that didn't work". I gave u replies twice. In the end, "a possible cause of this kind of problem", or ur excuse, is "forgot to clear browser cache". Does it have anything to do with nginx or tomcat at all? And for this post, the lo rule is populated in iptables by default, how come u removed it in the first place? Btw, I didn't see u say thank you to me there at all. You closed that post with the status "no satisfactory answer". IMHO, the person who breaks the rules here is YOU! You don't know appreciation at all. U ask, I answer, then u give me ur points. Similar rules work all around the world. Stackoverflow has it as well: mark this as the answer. I doubt u could survive any tech forum. Remember, everyone's time is precious... So, I hope I won't see u again here, and good luck to ur "production environment"... Btw, from ur pic, u look older than me. So don't pretend to be a rookie, ok?
Ur chinglish is very good! But it cannot change the truth: "U're a SB", hahaha
There u go, another "closed with no satisfactory answer"...
Quoting reply #4 by billows1026:
You are a very strange person. I came here for help, and I appreciate your help, but a problem can have many causes, especially in a production environment, where some inexplicable thing can cause you big trouble. I posted my question, nobody answered, then I found the answer myself and published it, only to offer one possible cause of this kind of problem. I'm just a newbie and don't understand many things; if you don't want to help me, please don't reply to my posts. Also, rest assured, I won't be coming back to this forum. Since I'm a newbie and you're a great master, I can't reach your level.
Can I ask a simple question? Where is my previous reply? If u were innocent, why did u report to the moderator? "Production environment"? Give me a break! Ur admin allows u to monkey around in the production environment? The post I refer to is supposed to discuss the correct way to configure nginx as a reverse proxy for tomcat. U didn't give any details. All you could tell was "this didn't work, that didn't work". I gave u replies twice. In the end, "a possible cause of this kind of problem", or ur excuse, is "forgot to clear browser cache". Does it have anything to do with nginx or tomcat at all? And for this post, the lo rule is populated in iptables by default, how come u removed it in the first place? Btw, I didn't see u say thank you to me there at all. You closed that post with the status "no satisfactory answer". IMHO, the person who breaks the rules here is YOU! You don't know appreciation at all. U ask, I answer, then u give me ur points. Similar rules work all around the world. Stackoverflow has it as well: mark this as the answer. I doubt u could survive any tech forum. Remember, everyone's time is precious... So, I hope I won't see u again here, and good luck to ur "production environment"... Btw, from ur pic, u look older than me. So don't pretend to be a rookie, ok?
billows1026 2014-08-08
You are a very strange person. I came here for help, and I appreciate your help, but a problem can have many causes, especially in a production environment, where some inexplicable thing can cause you big trouble. I posted my question, nobody answered, then I found the answer myself and published it, only to offer one possible cause of this kind of problem. I'm just a newbie and don't understand many things; if you don't want to help me, please don't reply to my posts. Also, rest assured, I won't be coming back to this forum. Since I'm a newbie and you're a great master, I can't reach your level.
Don't waste ur time helping this guy. He likes to answer the question on his own and close the post. By "answering on his own", I mean he recognizes his own stupid mistakes that have nothing to do with his original question. Then he would complain: see, u guys suck, no one can help me... Don't ever let me see u again!
billows1026 2014-08-07
Solved. The netstat -ant command showed the following two entries:
tcp 0 1 127.0.0.1:36509 127.0.0.1:8080 SYN_SENT
tcp 0 0 127.0.0.1:8080 127.0.0.1:36509 SYN_RECV
So the TCP three-way handshake from the local machine to itself was never completing. Adding the following rule to the firewall
iptables -A INPUT -s 127.0.0.1 -p tcp -d 127.0.0.1 -j ACCEPT
fixed it. One remaining question: why do local-to-local TCP packets pass through the INPUT chain of iptables? I still don't understand that, although the problem is solved.
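Loopback traffic leaves through the OUTPUT chain and re-enters through INPUT on the lo interface, so a DROP policy on INPUT with no loopback rule stalls exactly the handshake shown above. The script below is an added example, not code from the thread: it audits a constructed iptables-save style dump for that gap and counts half-open loopback handshakes in a constructed netstat -ant excerpt (both samples are modelled on the poster's output).

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style dump for a
# DROP policy on INPUT with no rule accepting loopback traffic, and count
# loopback connections stuck mid-handshake in netstat output.

# Constructed dump modelled on the poster's chain after `iptables -P INPUT DROP`.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Same dump with the poster's fix, as iptables-save renders it (constructed).
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed `netstat -ant` excerpt mirroring the two stalled lines above.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 1 127.0.0.1:36509 127.0.0.1:8080 SYN_SENT
tcp 0 0 127.0.0.1:8080 127.0.0.1:36509 SYN_RECV
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN'

# Exit 0 (gap present) when the INPUT policy is DROP and no INPUT rule
# accepts traffic arriving on lo or from 127.0.0.0/8; exit 1 otherwise.
loopback_gap() {
  printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$1" | grep -Eq '^-A INPUT .*(-i lo|-s 127\.0\.0\.).* -j ACCEPT' && return 1
  return 0
}

# Print how many loopback-to-loopback sockets sit in SYN_SENT or SYN_RECV;
# a non-zero count together with the gap above is the signature the poster hit.
stalled_loopback() {
  printf '%s\n' "$1" | awk '$4 ~ /^127\./ && $5 ~ /^127\./ && $6 ~ /^SYN_/ {n++} END {print n+0}'
}

# Stand-alone run: report both checks for the broken sample.
if loopback_gap "$BROKEN_RULES"; then
  echo "INPUT policy is DROP and no rule accepts loopback traffic"
fi
echo "stalled loopback handshakes: $(stalled_loopback "$SAMPLE_NETSTAT")"
```

The usual form of the fix is `iptables -I INPUT -i lo -j ACCEPT`, which covers all of 127.0.0.0/8 and every protocol rather than only TCP to 127.0.0.1. Note that the nginx error above shows the upstream resolved to [::1]; IPv6 loopback is governed by ip6tables, which has its own INPUT policy.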
billows1026 2014-08-07
Has anyone dealt with this? I have to keep the firewall enabled, so which ports does the connection to the upstream use?
