Iptables+Nginx+Tomcat6

Ubuntu 9.10 X86

Apache is not installed; it is a clean system.

I want to install nginx + mysql + Tomcat6.

Only nginx is installed, using the default configuration file.

What I mainly want is to have NGINX load-balance Tomcat6.

TOMCAT6 also uses its default port, which has never been changed.

The symptoms are always the same: whether I use the IP or the domain name, nothing can connect; both Firefox and IE say they cannot connect, without giving a specific error number.
On the host itself, however, curl 127.0.0.1 shows the source of the nginx welcome page.

2010/03/03 04:42:43 [error] 306#0: *63 connect() failed (111: Connection refused) while connecting to upstream, client: 115.170.22.159, server: zhoujin.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "freeoa.com"

If I turn IPTABLES off, there is no problem.

The configured policy is as follows:

# Generated by iptables-save v1.4.4 on Tue Mar  2 19:00:03 2010
*nat
:PREROUTING ACCEPT [78:4861]
:POSTROUTING ACCEPT [10:622]
:OUTPUT ACCEPT [10:622]
COMMIT
# Completed on Tue Mar  2 19:00:03 2010
# Generated by iptables-save v1.4.4 on Tue Mar  2 19:00:03 2010
*mangle
:PREROUTING ACCEPT [1578:202403]
:INPUT ACCEPT [1578:202403]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1437:944115]
:POSTROUTING ACCEPT [1437:944115]
COMMIT
# Completed on Tue Mar  2 19:00:03 2010
# Generated by iptables-save v1.4.4 on Tue Mar  2 19:00:03 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1410:942495]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Tue Mar  2 19:00:03 2010

蝶衣人生
Posted 9 years ago · 5 replies / 2K+ views
5 answers in total; last reply 8 years ago

Quoting the post by "范堡":

Did you open the corresponding ports in IPtables?

I think the problem is still with my iptables policy.

I have just posted the policy above.

# Below is the configuration on my machine
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69433329:72212483414]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 11 14:01:33 2010

Quoting the post by "红薯":

# Below is the configuration on my machine
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69433329:72212483414]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 11 14:01:33 2010

I'm not sure whether my understanding is wrong. With this configuration the server can be pinged.

Shouldn't access to some ports also be blocked? On top of this I added one more rule, the one that DROPs everything.
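The two rulesets in this thread differ in exactly the way that decides whether nginx can reach Tomcat on 127.0.0.1:8080: iptables evaluates a chain top to bottom and stops at the first rule with a terminating target, so in the asker's table the `-s 127.0.0.1/32 ... --dport 8080 -j ACCEPT` rule sits behind `-A INPUT -j DROP` and can never match, and nothing accepts `-i lo` at all, whereas 红薯's RH-Firewall-1-INPUT chain accepts loopback first and rejects only at the very end. The Python script below is an added example, not code posted by anyone in the thread: it parses the *filter table of an iptables-save dump, reports rules shadowed by an earlier unconditional ACCEPT/DROP/REJECT in the same chain, and checks whether the INPUT path accepts loopback traffic (`-i lo -j ACCEPT`) before reaching a catch-all. Abridged copies of both posted tables are embedded as constructed sample input; the function names are mine, and the walker deliberately follows only unconditional jumps into user chains, which is a simplification of real netfilter semantics.

```python
"""Added example (not from the thread): check an iptables-save *filter table for
rules shadowed by an earlier catch-all and for a missing loopback accept."""
from collections import namedtuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end evaluation of a packet
Rule = namedtuple("Rule", "chain text target conditions")

def parse_filter_table(dump):
    """Return {chain: [Rule, ...]} in rule order for the *filter table of a dump."""
    chains, in_filter = {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":                    # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
        elif not in_filter:
            continue
        elif line[0] == ":":                  # chain declaration, e.g. :INPUT ACCEPT [0:0]
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tokens = line.split()
            jump = tokens.index("-j") if "-j" in tokens else len(tokens)
            target = tokens[jump + 1] if jump + 1 < len(tokens) else ""
            # tokens between the chain name and -j are the match conditions
            chains.setdefault(tokens[1], []).append(Rule(tokens[1], line, target, tokens[2:jump]))
    return chains

def is_catch_all(rule):
    """A rule with no match conditions and a terminating target hides everything after it."""
    return not rule.conditions and rule.target in TERMINAL

def shadowed_rules(chains):
    """(unreachable rule, catch-all that hides it) pairs, chain by chain, in order."""
    found = []
    for rules in chains.values():
        catch_all = None
        for rule in rules:
            if catch_all is not None:
                found.append((rule.text, catch_all.text))
            elif is_catch_all(rule):
                catch_all = rule
    return found

def _walk(chains, chain, depth=0):
    """Follow a chain (and unconditional jumps into user chains) in order:
    "accept" on "-i lo -j ACCEPT", "terminal" on a catch-all, None on fall-through."""
    if depth > 8:                             # guard against looping user chains
        return None
    for rule in chains.get(chain, []):
        if rule.conditions == ["-i", "lo"] and rule.target == "ACCEPT":
            return "accept"
        if rule.conditions:                   # simplification: conditional rules are skipped
            continue
        if rule.target in TERMINAL:
            return "terminal"
        if rule.target in chains:             # unconditional jump into a user chain
            result = _walk(chains, rule.target, depth + 1)
            if result is not None:
                return result
    return None

def loopback_accepted(chains):
    """Does the INPUT path accept loopback packets before reaching a catch-all?"""
    return _walk(chains, "INPUT") == "accept"

# Constructed sample input: abridged copies of the two *filter tables posted in the thread.
ASKER_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""
REPLY_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("asker", ASKER_RULES), ("reply", REPLY_RULES)):
        chains = parse_filter_table(dump)
        print(f"[{name}] loopback accepted on INPUT: {loopback_accepted(chains)}")
        for rule, blocker in shadowed_rules(chains):
            print(f"[{name}] unreachable: {rule}\n          hidden by: {blocker}")
```

Run against the asker's table the script reports the 127.0.0.1 port-8080 rule as hidden by `-A INPUT -j DROP` and no loopback accept on INPUT; against 红薯's table it reports nothing shadowed and loopback accepted. The same check can be pointed at a live system by feeding it the output of `iptables-save`.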
