Azure上Linux VM误配防火墙的恢复方法
2024-10-15 09:53:11
在实际运维中,防火墙把自己挡在机器外面的情况会时有发生。如何快速的恢复对运维人员是很重要的。
本文将介绍如何用Azure Extension实现不通过ssh对VM进行操作的方法。
之前写过一遍Blog介绍如何部署Azure的CustomScriptExtension:
http://www.cnblogs.com/hengwei/p/5862200.html
在CustomScriptExtension的基础上,如果实现关闭防火墙。
1.添加防火墙规则
通过添加iptables规则关闭外部访问该VM的ssh:
iptables -A INPUT -p tcp --dport -j DROP
所有22端口都被关闭了。
通过psping进行观察VM 22端口的情况:
psping -t 139.219.237.69:
Connecting to 139.219.237.69:: .94ms
Connecting to 139.219.237.69:: .50ms
Connecting to 139.219.237.69:: .93ms
Connecting to 139.219.237.69:: .51ms
Connecting to 139.219.237.69:: .42ms
Connecting to 139.219.237.69:: .54ms
Connecting to 139.219.237.69:: .16ms
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
为防止出现脚本不成功,导致再不能访问VM的情况,执行如下脚本,过5分钟自动去除防火墙:
[root@hwcentos ~]#./remove_iptables.sh &
#!/bin/bash
while true
do
sleep
iptables -F
echo `date` >> a.txt
done
2.通过CustomScriptExtension去除防火墙规则
运行PowerShell脚本:
$mycred = Get-Credential -UserName admin@xxx.partner.onmschina.cn -Message hello
Login-AzureRmAccount -EnvironmentName AzureChinaCloud -Credential $mycred
#定义Resource Group、VM和Location变量
$RGName = 'hwextensiontest'
$VmName = 'hwcentos'
$Location = 'China East'
#定义Extension相关信息
$ExtensionName = 'CustomScriptForLinux'
$Publisher = 'Microsoft.OSTCExtensions'
$version = '1.5'
$PublicConf = '{"commandToExecute": "iptables -F"}'
#执行Set-AzureRmVMExtension命令,安装extension:
Set-AzureRmVMExtension -ResourceGroupName $RGName -VMName $VmName -Location $Location `
-Name $ExtensionName -Publisher $Publisher `
-ExtensionType $ExtensionName -TypeHandlerVersion $Version `
-Settingstring $PublicConf RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
通过iptables -F的命令关闭所有的防火墙。
PsPing的输出结果如下:
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:: .12ms
Connecting to 139.219.237.69:: .16ms
Connecting to 139.219.237.69:: .64ms
这时已经可以通过ssh登录这台VM。
观察extension的日志:
[root@hwcentos 1.5.2.0]# pwd
/var/log/azure/Microsoft.OSTCExtensions.CustomScriptForLinux/1.5.2.0
[root@hwcentos 1.5.2.0]# less extension.log
..........
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Config decoded correctly.
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Will try to download files, number of retries = , wait SECONDS between retrievals = 20s
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]fileUris value provided is empty or invalid. Continue with executing command...
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Succeeded to download files, retry count =
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Internal DNS is ready, retry count =
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command is finished.
// :: ---stdout---
// ::
// :: ---errout---
// ::
// ::
// :: [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Daemon,success,,Command is finished.
// :: ---stdout---
// ::
// :: ---errout---
// ::
查看防火墙状态:
[root@hwcentos ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination
防火墙已经关闭。
3.延展
有时客户VM没有响应的原因并不是因为防火墙,但原因并不是防火墙。此时我们可以通过收集sosreport的信息,通过复制到其他VM等方法获得这个文件后,进行分析。
当然也可以通过ping其它VM,并在另外一台VM上抓包,看这台VM是否网络存活,以进行下一步的分析和动作。
4.需要注意的问题
当多次执行CustomScript时,这个extension会判断内容是否相同,如果相同extension会认为是重复执行,脚本将不再执行。
更新:
Azure VM的Extension的通讯机制是通过HTTPS对外发起的。如下的输出:
[root@hwcentos ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 10.3.0.4: 167.220.255.53: SYN_RECV -
tcp 10.3.0.4: 168.63.129.16: TIME_WAIT -
tcp 10.3.0.4: 40.126.88.72: TIME_WAIT -
tcp 10.3.0.4: 167.220.255.53: ESTABLISHED /sshd
tcp 10.3.0.4: 40.126.88.72: TIME_WAIT -
tcp 10.3.0.4: 40.126.88.72: TIME_WAIT -
tcp 10.3.0.4: 40.126.88.72: TIME_WAIT -
tcp 10.3.0.4: 168.63.129.16: TIME_WAIT -
可以看到VM上很多到40.x.x.x的https请求。只要VM可以访问外部的HTTPS,VM Extension就可以工作。
所以,我们的INPUT方向的iptables添加:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
或
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
可以确保出方向的流量不被防火墙挡住。
在添加如下防火墙规则后,VM extension仍然可以把iptables的规则清除:
iptables -A INPUT -s / -j DROP
最新文章
- Qt文件路径分隔符
- mysql锁 实战测试代码
- MemCache中的内存管理详解
- 【linux】linux脚本中#!/bin/sh的含义
- ios开发中的toll-free bridged
- SQLite使用事务更新—by command
- [改善Java代码]若有必要,使用变长数组
- BlockingQueue队列学习
- 容器的深入研究(二)—Set与Map
- Linux用户与用户组,UID及GID
- 帝国cms7.2灵动标签万能教程
- POJ 2528 QAQ段树+分离
- 网络语音视频技术浅议(附多个demo源码下载)
- Vim常用操作-合并行。
- canal-client无法获取数据
- SQL 查询存储过程
- JavaScript——执行环境、变量对象、作用域链
- EFCore CodeFirst 适配数据库
- PhpStorm 2017 激活办法
- Sqlserver 还原