RenegadeAndy's questions

我的家庭网络 (192.168.0.0/24) 上有许多服务器，并且想将 bind9 设置为 DNS 服务器，这样我可以更轻松地通过名称解析这些机器的 IP 地址。

我按照以下方式在 ubuntu 20.04 上安装和配置了 bind9 ——非常接近本教程。

2 个区域： epicsystems.local.com - /etc/bind/zones/db.epicsystems.local.com

    $TTL    604800
@   IN  SOA ns1.epicsystems.local.com. admin.epicsystems.local.com. (
                  3     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
; name servers - NS records
    IN  NS  ns1.epicsystems.local.com.

; name servers - A records
ns1.epicsystems.local.com.  IN  A   192.168.0.69


; 192.168.0.0/16 - A records
host2.epicsystems.local.com.    IN  A    192.168.0.67
host1.epicsystems.local.com         IN  A    192.168.0.66

db.192.168 -- 反向查找区域

;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@   IN  SOA ns1.epicsystems.local.com. admin.epicsystems.local.com. (
                  3     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;

;name servers - NS records
    IN  NS  ns1.epicsystems.local.com.

;PTR records
69.0    IN  PTR ns1.epicsystems.local.com.          ;192.168.0.69
66.0    IN  PTR host1.epicsystems.local.com.            ;192.168.0.66
67.0    IN  PTR host2.epicsystems.local.com.        ;192.168.0.67

我在 /etc/bind/named.conf.local 中的 named.conf.local 有：

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "epicsystems.local.com"{
    type master;
    file "/etc/bind/zones/db.epicsystems.local.com"; #zone file path
};

zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168"; #192.168.0.0/16 subnet
};

我检查了 conf 和区域的语法 - 从语法上讲它是有效的 - 但它不起作用。

我将我的本地 mac 分配给 dns 服务器 192.168.0.69 - 并尝试对 ubuntu.com 进行 nslookup - 这有效 - 所以 bind9 在此范围内有效。

如果我然后尝试对 host1 或 host2 进行 nslookup - 它会失败。bind9 的杂项日志显示正在设置的区域：

09-Aug-2021 21:23:34.627 zoneload: info: managed-keys-zone: loaded serial 11
09-Aug-2021 21:23:34.627 zoneload: info: zone 0.in-addr.arpa/IN: loaded serial 1
09-Aug-2021 21:23:34.631 zoneload: info: zone 255.in-addr.arpa/IN: loaded serial 1
09-Aug-2021 21:23:34.635 zoneload: info: zone 127.in-addr.arpa/IN: loaded serial 1
09-Aug-2021 21:23:34.635 zoneload: info: zone 168.192.in-addr.arpa/IN: loaded serial 3
09-Aug-2021 21:23:34.639 zoneload: info: zone localhost/IN: loaded serial 2
09-Aug-2021 21:23:34.639 zoneload: info: zone epicsystems.local.com/IN: loaded serial 3
09-Aug-2021 21:23:34.639 general: notice: all zones loaded
09-Aug-2021 21:23:34.639 general: notice: running
09-Aug-2021 21:23:34.743 dnssec: info: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
09-Aug-2021 21:23:34.811 resolver: info: resolver priming query complete
09-Aug-2021 21:23:42.131 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.143 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.163 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.231 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.247 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.335 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.347 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.415 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.603 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.623 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.707 dnssec: info: validating com/DNSKEY: got insecure response; parent indicates it should be secure
09-Aug-2021 21:23:42.715 dnssec: info: validating com/DNSKEY: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:20.508 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:20.528 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:29.244 dnssec: info:   validating cloud/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:29.260 dnssec: info:   validating cloud/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:29.324 dnssec: info: validating cloud/DNSKEY: got insecure response; parent indicates it should be secure
09-Aug-2021 21:24:29.340 dnssec: info: validating cloud/DNSKEY: got insecure response; parent indicates it should be secure
09-Aug-2021 21:25:36.973 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:25:36.989 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:25:37.005 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:25:37.093 dnssec: info:   validating ./SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:29:26.277 dnssec: info:   validating com/SOA: got insecure response; parent indicates it should be secure
09-Aug-2021 21:29:26.577 dnssec: info: validating net/DNSKEY: got insecure response; parent indicates it should be secure

query.log 显示对 host1 的查找到达 - 但没有解决任何问题：

09-Aug-2021 21:25:15.148 client @0x7f1cc0005910 192.168.0.13#49292 (host1.epicsystems.local.com): query: host1.epicsystems.local.com IN A + (192.168.0.69)
09-Aug-2021 21:25:36.941 client @0x7f1cbc00a550 192.168.0.13#58522 (host1): query: host1 IN A + (192.168.0.69)

谁能看到我在这里做错了什么？这是我第一次尝试设置 DNS 服务器，所以很可能我在某个地方犯了错误！

我对机架服务器非常陌生，正在探索 RAM 的选项。

我正在查看Dell PowerEdge R710，我找到了解释内存要求的 PDF 。然而，它没有提到 ECC、NonECC 等。

戴尔官方网站上的这个页面没有说明什么类型的 DDR3 内存与这个系统兼容。

因此我的问题是 - 任何 DDR3 内存都可以在这里工作吗？桌面？欧共体？桌面内存和 ecc 内存是不同的引脚配置吗？我应该使用哪个？

--------更新--------- 我在系统硬件手册中看到它说：

您的系统支持 DDR3 寄存 DIMM (RDIMM) 或 ECC 无缓冲 DIMM (UDIMM)。单列和双列 DIMM 可以是 1067 或 1333-MHz，四列 DIMM 可以是 1067-MHz。

对我来说，这表明它同时支持 Registered DIMM 和普通桌面 RAM (UDIMM)。以及两者的结合？

你能确认我的理解吗

我购买了一个带有 8GB RAM 的系统（即将交付）......我想购买更多，但我不知道那个 RAM 是什么，所以有兼容性问题，不知道如何容纳这些服务器是。

非常感谢

我正在使用 RHEL 7.4 并且有 virbr0 和 virbr1。我想同时删除它们。

我可以通过停止和禁用默认的虚拟 kvm 来删除 virbr0。

libvirtd 没有运行，但我仍然有 virbr1。最初，我关注了 setaoffice.com/2015/01/06/remove-virbr0-interface-in-linux，它删除了 virbr0，但没有删除 virbr1。

当我运行 ifconfig 时，我看到以下内容：

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.27  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::b675:d8a3:7535:216d  prefixlen 64  scopeid 0x20<link>
        ether 3c:97:0e:96:36:a5  txqueuelen 1000  (Ethernet)
        RX packets 2649  bytes 529358 (516.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1315  bytes 230578 (225.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf3a00000-f3a20000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 10  bytes 840 (840.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 840 (840.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.123.1  netmask 255.255.255.0  broadcast 192.168.123.255
        ether 00:16:3e:14:cb:4c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

如果我 ping 192.168.123.1 我会收到响应，因此该地址上的某些东西处于活动状态

我想弄清楚为什么我有一个virb1？我需要吗？据我所知，我已经禁用并销毁了默认的 libvirt virth 机器，它们不再存在。

有什么想法可以弄清楚这个设备是什么以及如何从我的配置中删除它？

我正在努力根据 Redhat 6.8 中的防火墙确定特定端口是否打开

我想打开2222端口。

我尝试了以下方法：

system-config-firewall，以 sudo 运行，我将端口 2222 描述为要打开的特定端口：

然而，端口似乎没有打开。我正在通过尝试通过 SSH 连接到端口 2222 来对此进行测试。目前 SSH 在端口 22 上运行，我可以正常连接，但是当我将 SSH 配置为通过 2222 运行时，Port 2222在 /etc/ssh/ 中的 sshd_config 中使用时，连接超时。我知道 SSHD 配置为侦听该端口，因为我可以使用 netstat 进行测试。

我还尝试了对 /etc/sysconfig/iptables 的各种编辑，包括添加以下规则：

-I INPUT 9 -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

和

-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

在我执行这些更改后sudo service iptables restart，我无法连接。有趣的是，如果我这样做了，cat /etc/sysconfig/iptables | grep 2222我将无法在该列表中看到我的新规则，我希望我应该这样做。运行时我也看不到sudo iptables -L -n正常吗？

我已经意识到主机正在运行 SELinux - 根据此输出：

[andyarmstrong@o0201320382301 ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

我安装了 semanage，并运行了 : semanage port -a -t ssh_port_t -p tcp 2222-- 但我仍然没有通过它。

整个 /etc/sysconfig/iptables 文件包含以下内容：

#GENERATED BY Modular IPTABLES Config
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 5308 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
# Sametime File Transfers use ports 443 and 5656
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5656 -j ACCEPT
#VoiceJam Rules
-A INPUT -p udp -m udp --dport 5004:5005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5004:5005 -j ACCEPT
-A INPUT -p udp -m udp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5062 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5062 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# CDS Peering #60050
-A INPUT -p tcp -m tcp --dport 21100 -j ACCEPT
# My Help SSL P2P migration
-A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A INPUT -p udp -m udp --dport 2001 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -i ipsec+ -p 254 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 9 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT

# Enable forward between KVM server and virtual machines
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
# Rule required by package ibm-config-kvm-printing
# Allow printer sharing between Linux host and KVM guests
-A INPUT -i virbr0 -p tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1533 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 52311 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67:68 -j DROP
-A INPUT -p udp -m udp --dport 67:68 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 161:162 -j DROP
-A INPUT -p tcp -m tcp --dport 520 -j DROP
-A INPUT -p tcp -m tcp --dport 6348:6349 -j DROP
-A INPUT -p tcp -m tcp --dport 6345:6347 -j DROP
-A INPUT -i virbr0 -p tcp -d 192.168.122.1 --dport 445 -j ACCEPT
-A INPUT -i virbr0 -p tcp -d 192.168.122.1 --dport 1445 -j ACCEPT
-A INPUT -i virbr1 -p tcp -d 192.168.123.1 --dport 445 -j ACCEPT
-A INPUT -i virbr1 -p tcp -d 192.168.123.1 --dport 1445 -j ACCEPT
# Accept local Samba connections
-I INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-I INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-I INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-I INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-I INPUT -i virbr0 -p udp -m udp --dport 137 -j ACCEPT
-I INPUT -i virbr0 -p udp -m udp --dport 138 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 139 -j ACCEPT
-I INPUT -i virbr0 -p tcp -m tcp --dport 445 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 137 -j ACCEPT
-I INPUT -i virbr1 -p udp -m udp --dport 138 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 139 -j ACCEPT
-I INPUT -i virbr1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 48500 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 48500 -j ACCEPT
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -p udp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 6
-A INPUT -j DROP
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i virbr0 -p tcp -d 192.168.122.1 --dport 445 -j REDIRECT --to-port 1445
-A PREROUTING -i virbr1 -p tcp -d 192.168.123.1 --dport 445 -j REDIRECT --to-port 1445

COMMIT

iptables 配置文件是：

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_ftp"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

FILE=`mktemp -q /tmp/iptables-rules.XXXXXXXXXX`
/opt/ibm/c4eb/firewall/create-rule-file.sh > $FILE
cp $FILE /etc/sysconfig/iptables
rm $FILE

----进度更新-----当我运行我的命令时： sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 还有 sudo iptables -A OUTPUT -p tcp --dport 2222 -m conntrack --ctstate ESTABLISHED -j ACCEPT

我看到/etc/sysconfig/iptables文件大小增加到 6583。然后我执行 sudo service iptables save。保存也是一样的。然后我执行 sudo service iptables restart，文件恢复到原来的大小（6219），没有我的更新！为什么！

我错过了什么吗？你能看到我错过的任何东西吗？

感谢大家的支持

我有一个基于云的服务器。我按照本指南配置其安全性：http ://www.rubytreesoftware.com/resources/securely-setup-ubuntu-1404-server

SSH的配置如下：

# Edit or add the following configuration to sshd_config
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowUsers andy deploy

我通过将笔记本电脑上的私钥添加到主机上的授权密钥来向远程服务器进行身份验证。

我担心的是，如果我在笔记本电脑上丢失了我的公钥会发生什么。我是否锁定了服务器？这里的最佳做法是什么 - 我如何降低丢失公钥的风险？

如果我的公钥更改会怎样？如果发生这种情况，我也可以“备份”我的公钥吗？我认为不是，因为它是特定于机器但值得检查的密钥对。

正在使用的防火墙是 ufw 并且配置如下：

# configure ufw
sudo ufw logging on
sudo ufw allow ssh
sudo ufw allow www

如果我应该采取其他措施来保护提供 Web 应用程序的服务器，请告诉我我错过了什么。任何有关保护基于云并服务于公共应用程序的服务器的好文章都将受到高度赞赏。