Elitmiar
Asked: 2014-10-16 10:53:59 +0800 CST

Unable to resolve hosts as a non-root user

  • 772

I recently set up a VPS server running CentOS 6.5 and Web Host Manager. My current problem is that I cannot resolve hostnames via nslookup or ping on the command line. However, when I log in as root, I can ping, do nslookups, etc.

When logged in as a non-root user, I run the following commands and get no results:

user@server [~]# ping google.com
ping: unknown host google.com

user@server [~]# nslookup google.com 
;; connection timed out; trying next origin

user@server [~]# ping 74.125.230.226
ping: icmp open socket: Operation not permitted

user@server [~]# nslookup 74.125.230.226
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

However, when I log in as root, all of the above commands work as expected:

root@server [~]# ping google.com
PING google.com (74.125.230.224) 56(84) bytes of data.
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=1 ttl=52 time=198 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=2 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=3 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=4 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=5 ttl=52 time=198 ms

nslookup google.com
Server:         196.7.7.7
Address:        196.7.7.7#53

Non-authoritative answer:
Name:   google.com
Address: 74.125.230.233
Name:   google.com
Address: 74.125.230.238
Name:   google.com
Address: 74.125.230.227
Name:   google.com
Address: 74.125.230.229
Name:   google.com
Address: 74.125.230.225
Name:   google.com
Address: 74.125.230.228
Name:   google.com
Address: 74.125.230.232
Name:   google.com
Address: 74.125.230.224
Name:   google.com
Address: 74.125.230.226
Name:   google.com
Address: 74.125.230.231
Name:   google.com
Address: 74.125.230.230

I can read the files /etc/resolv.conf and /etc/nsswitch.conf as the non-root user.

I run Apache with suExec, mod_security, and SELinux set to permissive.

When running certain commands from the website, I get messages like the following:

curl/fopen in PHP give the following messages:

* , referer: http://www.domain
Hostname was NOT found in DNS cache, referer: http://www.domain
getaddrinfo(3) failed 

I am very new to setting up servers and, for the life of me, I cannot figure out what the problem is.

Update:

Contents of /etc/resolv.conf

nameserver 196.7.7.7
nameserver 196.7.8.9

IPTABLES output - iptables -nvL -t filter

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1546  201K cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1533  200K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  561 94135 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 1:1023,2082:2083,3306,2086:2087,2095:2096,30000:32760
  689 59006 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 1:1023
    0     0 ACCEPT     tcp  --  *      *       41.76.213.0/24       0.0.0.0/0           multiport dports 5666
    0     0 ACCEPT     tcp  --  *      *       41.86.112.0/24       0.0.0.0/0           multiport dports 5666
    0     0 ACCEPT     tcp  --  *      *       197.242.159.6        0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       197.242.150.150      0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       196.33.227.219       0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       197.242.144.0/21     0.0.0.0/0           multiport dports 9999
    0     0 ACCEPT     tcp  --  *      *       196.33.227.0/24      0.0.0.0/0           multiport dports 9999
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  278 46670 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:0x17/0x02 limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
    2    72 LOG       !tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
    3   116 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  588  112K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  569  111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   604 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner GID match 12
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20
    3   180 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    9   640 out-bad    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 110,143,995,80,443,21
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            197.242.155.155
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            197.242.144.144
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:0x17/0x02 LOG flags 8 level 4 prefix `out-new:'
    8   568 LOG       !tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 8 level 4 prefix `out-new:'
    9   640 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain acctboth (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain cP-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2078
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2082
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2077
    9   492 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:26
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2086
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2087
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2095
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2096
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2083
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

Chain out-bad (1 references)
 pkts bytes target     prot opt in     out     source               destination
linux
  • 2 answers
  • 2954 views

2 Answers

  1. Best Answer
    Xavier Lucas
    2014-10-16T12:17:59+08:00

    That's a lot of rules, and very restrictive ones. Find the rule that creates this:

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0
    

    Also match your "normal" user ID and/or the apache user ID and adapt it to accept outgoing UDP traffic on port 53.

    For example, for the user "apache", add after the previous rule:

    # -I OUTPUT 4 inserts it directly after rule 3 (owner UID match 0); -A would append it after the final REJECT, where it never matches
    /sbin/iptables -I OUTPUT 4 -p udp -m owner --uid-owner apache --dport 53 -j ACCEPT
    
    • 3
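As an added example (not code from either answer), the following Python script simulates first-match evaluation of the OUTPUT chain shown in the question for an outgoing DNS query, before and after the rule the accepted answer proposes. The rule list is hand-transcribed from the dump above, and UID 48 for the apache user is an assumption (the CentOS default).

```python
from dataclasses import dataclass

APACHE_UID = 48  # assumption: CentOS default uid for the "apache" user


@dataclass
class Packet:
    uid: int
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    sport: int = 0
    gid: int = 0
    state: str = "NEW"      # "NEW", "ESTABLISHED" or "RELATED"
    out_if: str = "eth0"
    dst: str = "196.7.7.7"  # first nameserver from the question's resolv.conf


# OUTPUT chain from the question, top to bottom, as (match, target) pairs. The
# "acctboth" and "out-bad" chains are empty in the dump, so they simply return
# to OUTPUT and are left out; LOG is non-terminating, so it is left out too.
OUTPUT_RULES = [
    (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda p: p.uid == 0, "ACCEPT"),                   # owner UID match 0
    (lambda p: p.gid == 12, "ACCEPT"),                  # owner GID match 12
    (lambda p: p.proto == "tcp" and p.sport == 20, "ACCEPT"),
    (lambda p: p.out_if == "lo", "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.dport in (110, 143, 995, 80, 443, 21), "ACCEPT"),
    (lambda p: p.dst in ("197.242.155.155", "197.242.144.144"), "ACCEPT"),
    (lambda p: True, "REJECT"),                         # reject-with icmp-port-unreachable
]


def verdict(packet, rules=OUTPUT_RULES):
    """The first rule whose match succeeds decides; otherwise the chain policy applies."""
    for match, target in rules:
        if match(packet):
            return target
    return "ACCEPT"  # chain policy ACCEPT


def with_dns_rule(rules=OUTPUT_RULES):
    """The accepted answer's fix, placed directly after the UID-0 rule."""
    dns_ok = (lambda p: p.proto == "udp" and p.uid == APACHE_UID and p.dport == 53, "ACCEPT")
    return rules[:2] + [dns_ok] + rules[2:]


if __name__ == "__main__":
    root_query = Packet(uid=0, proto="udp", dport=53)
    apache_query = Packet(uid=APACHE_UID, proto="udp", dport=53)
    print("root DNS query  :", verdict(root_query))                    # ACCEPT
    print("apache DNS query:", verdict(apache_query))                  # REJECT
    print("apache after fix:", verdict(apache_query, with_dns_rule()))  # ACCEPT
```

The same walk shows why the web server's HTTP fetches still work (tcp/80 is whitelisted) while its name lookups fail: nothing before the final REJECT matches udp/53 for a non-root UID.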
  2. mdpc
    2014-10-16T13:08:58+08:00

    Hmm... I suspect the permissions on the /etc/resolv.conf file are incorrect.

    • 2
