# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
#################
# NAT #
#################
*nat
# Built-in chains with the [packets:bytes] counters saved alongside the rules.
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
# User chain for Docker. It is declared here, but every jump into it below is
# commented out, so after a restore it exists empty and is never reached.
:DOCKER - [0:0]
#OpenVPN
# Disabled: source NAT for an OpenVPN client subnet leaving via eth0.
#-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# Disabled Docker bridge NAT. NOTE(review): 172.17.0.0/16 lies inside the
# 172.16.0.0/12 source DROP in the filter table, so re-enabling these rules
# presumably also requires revisiting that DROP — verify before enabling.
#-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
#################
# filter #
#################
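*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#:DOCKER - [0:0]
# Chain policies are ACCEPT. INPUT and FORWARD only become default-deny through
# the explicit "-j DROP" rules at the very end of this table. The OUTPUT DROP
# is commented out, so the OUTPUT ACCEPT rules below change nothing under the
# current policy; they only matter if that final OUTPUT DROP is enabled.
#
# Packets that belong to an already-established connection are accepted
# straight away, which keeps iptables efficient (this rule is normally first).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP replies to this host's own pings. Already covered by the rule above,
# and inbound echo-requests are dropped further down, so this does NOT let
# other hosts ping this machine.
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback. Only the interface-based rules are kept: an address-based
# "-s 127.0.0.1 -d 127.0.0.1" ACCEPT on INPUT also matches packets with a
# spoofed loopback source arriving on eth0 and pre-empts the 127.0.0.0/8 DROP
# in the anti-spoofing section below, so it was removed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# sshd
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#SMTP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# HTTP and HTTPS (ports 80 and 443) on eth0.
# Only DESTINATION ports are opened. The former rules accepting NEW packets by
# SOURCE port ("--sport 80", "--sport 443") were removed: a remote sender picks
# its own source port, so such a rule let any TCP connection reach any local
# port. Replies to this host's own outbound HTTP(S) requests are ESTABLISHED
# and are already accepted by the first INPUT rule.
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
# DNS. Outbound queries leave via OUTPUT; their replies return as ESTABLISHED.
# The former "-p udp --sport 53" INPUT ACCEPT was removed for the same reason as
# the --sport 80/443 rules (any UDP datagram sent from port 53 was accepted).
# The --dport 53 rule below exposes a local DNS server on every interface;
# keep it only if this host really serves DNS.
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 53 -j ACCEPT
#--- ganglia ports ---
# Apache serving the ganglia web UI (PHP) on 81, and 5001
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A OUTPUT -p tcp --sport 81 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT
-A OUTPUT -p tcp --sport 5001 -m state --state ESTABLISHED -j ACCEPT
#falcon-agent sent
-A OUTPUT -p tcp --dport 6030 -j ACCEPT
-A OUTPUT -p tcp --dport 8433 -j ACCEPT
# NOTE: "10.x.x.203" and "10.x.x.0/24" below are redacted placeholders, not
# valid addresses; iptables-restore will reject the file until they are
# replaced with the real addresses.
-A INPUT -s 10.x.x.203 -p tcp --dport 1988 -j ACCEPT
#prometheus
-A INPUT -s 10.x.x.0/24 --match multiport -m state --state NEW -m tcp -p tcp --dports 9100,9102,9105 -j ACCEPT
# Rate-limit forwarded IP fragments to 100 per second (burst 100) to blunt
# fragment floods.
-A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# Allow ping from outside (disabled)
#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Drop all ICMP arriving on eth0. ICMP errors tied to existing connections
# (RELATED) are still accepted by the first INPUT rule above.
-A INPUT -p icmp -i eth0 -j DROP
# Forwarded ICMP limited to 1 packet per second with a burst of 10.
-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
####################
#DROP RULES
####################
# Drop malformed TCP (new connection not starting with SYN) — disabled
#-A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
# Reject spoofed packets
# NOTE(review): 172.16.0.0/12 also covers Docker's default bridge range
# (172.17.0.0/16, see the commented NAT rules) and any LAN in that space —
# confirm this host's own networks are not inside it.
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# Stop smurf attacks
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
# Drop all invalid packets
# (the "-m state" and "-m conntrack" INPUT rules express the same test twice)
-A INPUT -m state --state INVALID -j DROP
#-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop port 3128 (squid's default port). Redundant with the final INPUT DROP,
# kept so the intent is explicit.
-A INPUT -p tcp --dport 3128 -j DROP
# RST packets are ACCEPTed only up to 2 per second (burst 2); RSTs beyond that
# rate fall through to the final INPUT DROP.
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list
-A INPUT -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove
# These rules add scanners to the portscan list, and log the attempt.
# NOTE(review): the LOG rules carry no "-m limit", so a sustained probe of
# port 139 produces one log line per packet.
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
# Block a known mining pool endpoint in both directions.
# NOTE(review): a hostname in a rule is resolved when the file is loaded; if
# DNS is unavailable at that moment the whole restore fails, and the addresses
# the name maps to can change after loading. Pinning the resolved addresses
# (as the 218.248.40.228 lines do) is more robust.
-A INPUT -s xmr.crypto-pool.fr -j DROP
-A INPUT -s 218.248.40.228 -j DROP
-A OUTPUT -d xmr.crypto-pool.fr -j DROP
-A OUTPUT -d 218.248.40.228 -j DROP
# Deny everything not explicitly allowed above.
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
#-A OUTPUT -j DROP
-A FORWARD -j DROP
COMMIT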