nginx控制iptables芝麻开门
During maintenance of a production server, we use to encounter a problem like this – an internet-access-blocked port, say 3306 (mysql), is about to be open for a little while due to debugging needs, which is not uncommon, right? So how to make this easily operated, mostly secure, and automatically disabled after working – I guess this’s gonna help somehow.
A Linux server with whatever the distribution including iptables (e.g. CentOS, Rocky for now as example), Nginx, fcgiwrap, a simple shell script and a commonly used web browser, let’s say chrome, will be major ingredients on the recipe.
常做运维,总会遇到某些线上服务器,为了便于调试,在符合安全要求的基础上,需要相对便利的对公网短时定向开放某些端口。
昨天想了一招,用nginx操作shell脚本,对特定公网IP开口子,叫一声“芝麻开门”,便捷又安全。举例端口3306(mysql),系统是Rocky Linux 8(原CentOS 8)。
先查一下现有的防火墙规则,需要的话可以保存一下。换句话说,搞芝麻开门之前,先确定门是隐藏的;也即已经有相应(且持久化)的iptables rule确保到被保护端口的连接是DROP/REJECT状态。
1 2 3 4 5 6 7 8 9 10 11 |
[root@localhost ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 48772 9041K ACCEPT tcp -- * * 10.0.0.0/8 0.0.0.0/0 tcp 6 376 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination |
然后就是fcgiwrap的安装,此处就不写nginx安装过程了,默认安装即可。
安装后增加两个systemd服务文件,并测试fcgiwrap服务生效。
【注】那俩服务文件,在Redhat之外的发行版上,fcgiwrap安装包可能自带,请针对所用版本自行检查。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
[root@localhost ~]# dnf install fcgiwrap 上次元数据过期检查:2:45:15 前,执行于 2022年02月09日 星期三 20时00分42秒。 依赖关系解决。 (……部分省略) 已安装: fcgi-2.4.0-36.el8.x86_64 fcgiwrap-1.1.0-12.20181108git99c942c.el8.x86_64 完毕! [root@localhost ~]# [root@localhost ~]# cat /usr/lib/systemd/system/fcgiwrap.service [Unit] Description=Simple CGI Server After=nss-user-lookup.target Requires=fcgiwrap.socket [Service] EnvironmentFile=/etc/sysconfig/fcgiwrap ExecStart=/usr/sbin/fcgiwrap ${DAEMON_OPTS} -c ${DAEMON_PROCS} User=nginx Group=nginx [Install] Also=fcgiwrap.socket [root@localhost ~]# cat /usr/lib/systemd/system/fcgiwrap.socket [Unit] Description=fcgiwrap Socket [Socket] ListenStream=/run/fcgiwrap.socket [Install] WantedBy=sockets.target [root@localhost ~]# systemctl daemon-reload [root@localhost ~]# systemctl enable fcgiwrap.service —now Created symlink /etc/systemd/system/sockets.target.wants/fcgiwrap.socket → /usr/lib/systemd/system/fcgiwrap.socket. [root@localhost ~]# systemctl status fcgiwrap.service ● fcgiwrap.service - Simple CGI Server Loaded: loaded (/usr/lib/systemd/system/fcgiwrap.service; indirect; vendor preset: disable> Active: active (running) since Wed 2022-02-09 22:54:17 CST; 4s ago Main PID: 814486 (fcgiwrap) Tasks: 1 (limit: 23712) Memory: 492.0K CGroup: /system.slice/fcgiwrap.service └─814486 /usr/sbin/fcgiwrap -f -c 1 2月 09 22:54:17 localhost.localdomain systemd[1]: Started Simple CGI Server. [root@localhost ~]# |
接下来为一个新的nginx server准备个根目录,存放网页和之后控制iptables的脚本。
文章的脚注信息由WordPress的wp-posturl插件自动生成
完整阅读本篇»