AskOverflow.Dev

Tuinslak's questions

Martin Hope
Tuinslak
Asked: 2022-04-08 04:47:41 +0800 CST

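Forwarding with iptables while correctly preserving the source IP

  • 5

I have a server running Wireguard (hence the need for masquerade) and a container running on port 2525.

I have the following iptables rules: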

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 172.18.0.1:2525
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

When connecting directly to server:2525, the Docker container can see my real IP address (1.2.3.4). When connecting to port server:25, the Docker container sees the local IP as provided by docker network:

Apr 07 12:45:46 mx postfix/smtpd[87]: lost connection after CONNECT from unknown[172.18.0.1]
Apr 07 12:45:46 mx postfix/smtpd[87]: disconnect from unknown[172.18.0.1] commands=0/0

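How can I make sure the Docker container correctly sees the public IP address when connecting to port 25 as well (and not only when connecting to port 2525)?

Thanks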

# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
52300 3131K DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.18.0.1:2525
 150K 8524K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3385  256K MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
1733K  104M MASQUERADE  all  --  *      !br-b147ffdbc9f3  172.18.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:53
    0     0 MASQUERADE  udp  --  *      *       172.17.0.2           172.17.0.2           udp dpt:53
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.2           172.18.0.2           tcp dpt:25

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1419 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-b147ffdbc9f3 *       0.0.0.0/0            0.0.0.0/0
   56  3192 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5354 to:172.17.0.2:53
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5354 to:172.17.0.2:53
  107  6020 DNAT       tcp  --  !br-b147ffdbc9f3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2525 to:172.18.0.2:25
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 32:d0:56:15:0a:64 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3
    inet 159.223.80.86/20 brd 159.223.95.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.15.0.19/16 brd 10.15.255.255 scope global eth0:1
       valid_lft forever preferred_lft forever
    inet6 2400:6180:0:d0::f57:6001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::30d0:56ff:fe15:a64/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 32:dc:4a:e4:27:be brd ff:ff:ff:ff:ff:ff
    altname enp0s4
    altname ens4
    inet 10.130.244.15/16 brd 10.130.255.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::30dc:4aff:fee4:27be/64 scope link
       valid_lft forever preferred_lft forever
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.200.200.52/24 scope global wg0
       valid_lft forever preferred_lft forever
5: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.222.111.1/24 scope global wg1
       valid_lft forever preferred_lft forever
6: br-b147ffdbc9f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:46:21:70:c0 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-b147ffdbc9f3
       valid_lft forever preferred_lft forever
    inet6 fe80::42:46ff:fe21:70c0/64 scope link
       valid_lft forever preferred_lft forever
7: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:66:22:41:91 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:66ff:fe22:4191/64 scope link
       valid_lft forever preferred_lft forever
9: veth31eff9d@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether e6:fb:80:5d:c7:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::e4fb:80ff:fe5d:c7a3/64 scope link
       valid_lft forever preferred_lft forever
19: veth01269f5@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-b147ffdbc9f3 state UP group default
    link/ether 36:f4:e7:43:5f:da brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::34f4:e7ff:fe43:5fda/64 scope link
       valid_lft forever preferred_lft forever
port-forwarding iptables forwarding docker
  • 1 answer
  • 392 Views
Martin Hope
Tuinslak
Asked: 2021-02-27 03:07:15 +0800 CST

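Overriding the default $PATH

  • 1

I am trying to lock down a regular user on a Raspbian install. I'd use rbash for it.

I want to edit the PATH so that only files in ~/bin can be executed.

I've stripped $PATH in /etc/profile: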

if [ "`id -u`" -eq 0 ]; then
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
else
  PATH=""
fi
export PATH

I've stripped $PATH in /etc/login.defs:

# cat /etc/login.defs | grep PATH=
ENV_SUPATH      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH        PATH=""

The /etc/environment file is empty:

~ # cat /etc/environment
~ #

The local user's .profile file only contains the following:

$ cat .profile
# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
    . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin"
fi

This works well when running ssh user@host:

$ free
-rbash: free: command not found
$ uname
-rbash: uname: command not found
$ echo $PATH
/home/user/bin

However, when running ssh -t user@host bash --noprofile, .profile is not executed and I still have access to a fully working $PATH:

$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/games
$ uname
Linux

What am I missing here? In which file is $PATH defined?

debian bash login profile raspbian
  • 1 answer
  • 155 Views
Martin Hope
Tuinslak
Asked: 2019-10-11 09:10:23 +0800 CST

Problems with vif-nat and Xen after upgrading from Debian 8 to 10

  • 0

I get this error when running xl create:

# xl create ../vm-www.rootspirit.com.cfg
Parsing config from ../vm-www.rootspirit.com.cfg
libxl: error: libxl_exec.c:118:libxl_report_child_exitstatus: /etc/xen/scripts/vif-nat online [12721] exited with error status 1
libxl: error: libxl_device.c:1286:device_hotplug_child_death_cb: script: /etc/xen/scripts/vif-nat failed; error detected.
libxl: error: libxl_create.c:1520:domcreate_attach_devices: Domain 32:unable to add vif devices

My VIF configuration looks like this:

vif = [ 'ip=172.16.1.51,mac=11:11:23:44:23:52,script=vif-nat', 'ip=2001:1AF8:3100:A00A:21::2000,mac=43:32:11:23:70:20,script=vif-bridge,bridge=xenbr0' ]

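But anything containing script=vif-nat or script=vif-route fails with the above error.

The packages iproute2 and net-tools are installed. The logs don't show anything.

The xl -vvvv command is here.

What am I missing here?

debian
  • 1 answer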
  • 513 Views
Martin Hope
Tuinslak
Asked: 2019-09-22 23:50:10 +0800 CST

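Best way to connect two separate docker networks

  • 2

I'm looking for the best way to connect two different Docker containers on different networks (i.e. allow them to ping each other).

I have one WireGuard container attached to wg-net, in the range 192.168.200.0/24, and another attached to the default bridge network, 172.17.0.0/24.

Pinging from one container to the other fails; ideally, I'd like to route certain IP traffic from one container to the other, and hence onto the WireGuard VPN.

Pinging either network from the Docker host works fine.

What is the best way to achieve this? I could create a third network and connect both containers to each other, but that seems a bit overkill. Is there any other way to have the Docker host route traffic between the two networks?

networking
  • 1 answer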
  • 1689 Views
Martin Hope
Tuinslak
Asked: 2019-08-02 07:36:42 +0800 CST

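"date" in the terminal is now in 12-hour format on Debian Buster

  • 6

Since updating to Debian Buster, running date in the terminal shows the clock in AM/PM format instead of 24-hour format. This is new, and happens on all updated installs.

Docker container: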

yeri@b9b3e889fd76 ~ $ date
Thu 01 Aug 2019 11:28:25 PM +08

Native host:

liana ~ # date
Thu 01 Aug 2019 11:32:44 PM +08

DigitalOcean:

ui0 ~ # date
Thu 01 Aug 2019 05:33:11 PM CEST

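This is annoying and I didn't ask for it, but I can't find a setting to change it.

The only thing I can think of is that the locale is set to US; but that was also the case before (Debian 9):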

ui0 ~ # cat /etc/default/locale 
#  File generated by update-locale
LANG=en_US.UTF-8
yeri@b9b3e889fd76 ~ $ locale
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=en_US.UTF-8

yeri@b9b3e889fd76 ~ $ date
Sun 04 Aug 2019 04:39:14 PM +08

yeri@b9b3e889fd76 ~ $ locale date_fmt
%a %d %b %Y %r %Z

yeri@b9b3e889fd76 ~ $ locale -k LC_TIME
abday="Sun;Mon;Tue;Wed;Thu;Fri;Sat"
day="Sunday;Monday;Tuesday;Wednesday;Thursday;Friday;Saturday"
abmon="Jan;Feb;Mar;Apr;May;Jun;Jul;Aug;Sep;Oct;Nov;Dec"
mon="January;February;March;April;May;June;July;August;September;October;November;December"
am_pm="AM;PM"
d_t_fmt="%a %d %b %Y %r %Z"
d_fmt="%m/%d/%Y"
t_fmt="%r"
t_fmt_ampm="%I:%M:%S %p"
era=
era_year=""
era_d_fmt=""
alt_digits=
era_d_t_fmt=""
era_t_fmt=""
time-era-num-entries=0
time-era-entries="S"
week-ndays=7
week-1stday=19971130
week-1stweek=1
first_weekday=1
first_workday=2
cal_direction=1
timezone=""
date_fmt="%a %d %b %Y %r %Z"
time-codeset="UTF-8"
alt_mon="January;February;March;April;May;June;July;August;September;October;November;December"
ab_alt_mon="Jan;Feb;Mar;Apr;May;Jun;Jul;Aug;Sep;Oct;Nov;Dec"
debian
  • 1 answer
  • 6832 Views
Martin Hope
Tuinslak
Asked: 2015-07-12 06:49:02 +0800 CST

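VPN gateway + redirecting all LAN clients through that gateway

  • 0

I have an OpenVPN server set up to redirect all traffic through the VPN (gateway).

This works fine on the router (everything gets redirected). The router is set up to also serve the LAN (eth1). Whenever I start the VPN server, all clients on the LAN lose internet access. The idea is that all LAN clients' traffic is redirected through the VPN server as well.

What am I missing?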

# Generated by iptables-save v1.4.14 on Sat Jul 11 15:28:22 2015
*nat
:PREROUTING ACCEPT [256:26080]
:INPUT ACCEPT [37:4105]
:OUTPUT ACCEPT [28:1928]
:POSTROUTING ACCEPT [142:7940]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Jul 11 15:28:22 2015
# Generated by iptables-save v1.4.14 on Sat Jul 11 15:28:22 2015
*filter
:INPUT ACCEPT [494:30153]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [832:131016]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT ! -i eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i eth1 -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 10.13.37.0/24 -i eth1 -j DROP
-A FORWARD -s 10.13.37.0/24 -i eth1 -j ACCEPT
-A FORWARD -d 10.13.37.0/24 -i eth0 -j ACCEPT
-A FORWARD -d 10.13.37.0/24 -i tun0 -j ACCEPT
COMMIT
# Completed on Sat Jul 11 15:28:22 2015 
openvpn
  • 1 answer
  • 128 Views
Martin Hope
Tuinslak
Asked: 2015-04-27 10:02:33 +0800 CST

Python2.7 problem after updating Debian to Jessie

  • 0

After running dist-upgrade on one system, I get this error:

Sorry: TypeError: compile() expected string without null bytesdpkg: error processing package python2.7 (--configure):
 subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of python:
 python depends on python2.7 (>= 2.7.9-1~); however:
  Package python2.7 is not configured yet.

The same error occurs when doing a manual dpkg -i:

aleph /var/cache/apt/archives # dpkg -r python2.7
(Reading database ... 39002 files and directories currently installed.)
Removing python2.7 (2.7.9-2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for mime-support (3.58) ...

aleph /var/cache/apt/archives # dpkg -i python2.7_2.7.9-2_amd64.deb 
(Reading database ... 39380 files and directories currently installed.)
Preparing to unpack python2.7_2.7.9-2_amd64.deb ...
Unpacking python2.7 (2.7.9-2) over (2.7.9-2) ...
Setting up python2.7 (2.7.9-2) ...
Sorry: TypeError: compile() expected string without null bytesdpkg: error processing package python2.7 (--install):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for mime-support (3.58) ...
Processing triggers for man-db (2.7.0.2-5) ...
Errors were encountered while processing:
 python2.7

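This also breaks all other packages (i.e. rdiff-backup or xen).

I'm a bit puzzled, as I can't find any clear references online. I rebooted the server, tried apt-get (auto)clean, etc. Everything seems fine (not a corrupt package or fs?).

What's the next step I can try?

debian
  • 1 answer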
  • 995 Views
Martin Hope
Tuinslak
Asked: 2015-01-21 10:28:36 +0800 CST

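Nginx: requesting files without an extension

  • 1

How can I request html pages on an nginx server without the extension?

I.e.: example.com/about should return example.com/about.html. This should be true for all html pages.

I have something like: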

try_files $uri $uri.html;
index  index.html;

Which works, but visiting example.com/ results in a 403 Forbidden:

2015/01/20 19:26:11 [error] 32618#0: *373061 access forbidden by rule

Visiting a non-existent page (example.com/bla) results in a redirect loop:

2015/01/20 19:26:57 [error] 32620#0: *373065 rewrite or internal redirection cycle while internally redirecting to "/bla.html.html.html.html.html.html.html.html.html.html.html"

Updated with full nginx config:

server {
    listen          [::]:80;
    server_name     example.com;

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;
    root   /var/www/example/;
    try_files $uri $uri.html /index.html =404;
    index  index.html;
    expires max;
    autoindex off;

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}
nginx
  • 2 answers
  • 8621 Views
Martin Hope
Tuinslak
Asked: 2014-12-12 03:41:14 +0800 CST

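OpenVPN with mixed ipv4 and ipv6 clients

  • 12

I have a VPN server handling a variety of clients; some have only ipv4, some have ipv4 and ipv6, and some have only ipv6. Some of these clients are roaming, so ideally they should connect over ipv6 if available and fall back to ipv4 if not.

In my current setup, OpenVPN listens on both ipv4 and ipv6: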

proto udp
proto udp6
dev tun

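My first question: while this seems to work, is it safe and correct to have two proto lines in one config file?

My clients have two remote entries in their config: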

remote vpn.domain.tld port udp6
remote vpn.domain.tld port udp

My question here as well: since this seems to work (it tries udp6 first and falls back to udp if that fails), is this a good approach?

openvpn
  • 1 answer
  • 21152 Views
Martin Hope
Tuinslak
Asked: 2014-11-22 15:07:54 +0800 CST

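Ansible: copying files based on hostname or role

  • 15

What is the best way to copy a file based on the hostname?

I need to copy files with different contents but the same file name to multiple machines.

I have several files: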

file.role1
file.role2
file.role3

Depending on the hostname and/or role, I want to copy file.roleX and rename it to file.

Thanks.

ansible
  • 1 answer
  • 38132 Views
Martin Hope
Tuinslak
Asked: 2014-06-20 01:02:23 +0800 CST

Outlook.com DNS too slow, postfix times out

  • 4

I'm trying to send email to e.g. [email protected] and [email protected]. In both cases these are Outlook mailboxes.

Postfix replies:

(with ipv6 enabled):

06F908112E      606 Thu Jun 19 10:20:40  [email protected]
(Host or domain name not found. Name service error for name=grassvalley-com.mail.protection.outlook.com type=AAAA: Host not found, try again)
                                         [email protected]

(ipv4 only):

6946720087D     3117 Tue Jun 17 21:41:07  [email protected]
(delivery temporarily suspended: Host or domain name not found. Name service error for name=grassvalley-com.mail.protection.outlook.com type=A: Host not found, try again)
                                         [email protected]

When checking DNS, I do get a reply (I've tried Google DNS, IPv6 only DNS, Leaseweb DNS, OpenDNS, always the same):

grassvalley-com.mail.protection.outlook.com. 7 IN A 207.46.163.138
grassvalley-com.mail.protection.outlook.com. 7 IN A 207.46.163.170
grassvalley-com.mail.protection.outlook.com. 7 IN A 207.46.163.247

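So there is a correct A reply.

Now, what seems to be causing the problem is the ridiculously low TTL of 7 seconds, and every DNS reply for these Outlook domains takes over 2 seconds: Query time: 2039 msec.

This causes Postfix to time out and not send the email.

If I run the command dig grassvalley-com.mail.protection.outlook.com && postfix flush, the email does get sent, as it happens within the 7-second window (the DNS is still in cache).

Can I tell Postfix not to time out so quickly? Can I tell bind to ignore TTLs < 7 seconds from Outlook and cache them for 2 hours?

domain-name-system
  • 1 answer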
  • 1719 Views
Martin Hope
Tuinslak
Asked: 2014-06-15 04:53:04 +0800 CST

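All connections to bridged domU originate from dom0 public IP instead of the real IP

  • 1

I have a Dom0 with a mixed configuration: both bridged networking and NAT are set up. There is one NIC connected to the Internet (and 3 more unused).

Here is my interfaces file: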

# The primary network interface
iface eth0 inet manual

auto xenbr0
iface xenbr0 inet static
    bridge_ports eth0
    address 83.149.69.150
    gateway 83.149.69.190
    netmask 255.255.255.192

iface xenbr0 inet6 static
    address 2001:1AF8:3100:A00A:21::0000
    netmask 64
    gateway 2001:1AF8:3100:A00A::1

Here is the vif line from the xen config file of one of the VMs (domU):

vif = [ 'ip=83.149.69.154,mac=00:16:3E:5E:96:D7,script=vif-bridge,bridge=xenbr0', 'ip=172.16.1.20,mac=00:16:3E:5E:96:D8' ]

This results in two interfaces on the domU:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:5e:96:d7  
          inet addr:83.149.69.154  Bcast:83.149.69.191  Mask:255.255.255.192
          inet6 addr: 2001:1af8:3100:a00a:21::4/64 Scope:Global
          inet6 addr: fe80::216:3eff:fe5e:96d7/64 Scope:Link
          [...]

eth1      Link encap:Ethernet  HWaddr 00:16:3e:5e:96:d8  
          inet addr:172.16.1.20  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:fe5e:96d8/64 Scope:Link
          [...]

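However, any connection made to these VMs seems to originate from the Dom0 (public) IP. I'm talking about connections to nginx, apache, ssh, openvpn, etc. The connecting client is always 83.149.69.150 (= reverse dns: aleph.rootspirit.com)

E.g. who: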

# who
root     pts/0        2014-06-14 14:47 (aleph.rootspirit.com)

Or openvpn (check all the 83.149.69.150 addresses):

OpenVPN CLIENT LIST
Updated,Sat Jun 14 14:51:12 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
broserv,83.149.69.150:49545,356124,137293,Sat Jun 14 14:13:26 2014
pi,83.149.69.150:56293,322082,214456,Sat Jun 14 14:13:35 2014
heartbeat,83.149.69.150:42122,549631,1264272,Sat Jun 14 14:13:26 2014
industry,83.149.69.150:37885,759137,365405,Sat Jun 14 14:13:06 2014

What is causing this strange behaviour?

Edit:

I have this iptables rule:

iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE

When I remove that line, it works fine:

# who
root     pts/0        2014-06-14 19:39 (213.219.144.38.adsl.dyn.edpnet.net)

However, my VMs that run only through NAT can no longer reach the Internet:

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

iptables:

aleph /etc # iptables -L -nv
Chain INPUT (policy ACCEPT 3321 packets, 5903K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1677 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination         
14511 3725K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
18653 3752K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 1887 packets, 4659K bytes)
 pkts bytes target     prot opt in     out     source               destination         
aleph /etc # iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 1365 packets, 96941 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:12223 to:172.16.1.1:22
    2   124 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:25 to:172.16.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:53 to:172.16.1.1
  558 38901 DNAT       udp  --  *      *       0.0.0.0/0            83.149.69.128/26     udp dpt:53 to:172.16.1.1
    2   128 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:465 to:172.16.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:4950 to:172.16.1.1
    7   420 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:110 to:172.16.1.1
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:143 to:172.16.1.1
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:993 to:172.16.1.1
    4   208 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:995 to:172.16.1.1
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:21 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:2121 to:172.16.1.2:21
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:20 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:4951 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpts:50000:51000 to:172.16.1.2
    5   300 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:12222 to:172.16.1.2:22

Chain INPUT (policy ACCEPT 48 packets, 2802 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 58 packets, 3688 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 637 packets, 43589 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1320 94863 MASQUERADE  all  --  *      xenbr0  0.0.0.0/0            0.0.0.0/0  
iptables
  • 1 answer
  • 250 Views
Martin Hope
Tuinslak
Asked: 2014-06-14 11:52:49 +0800 CST

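How to forward requests on an IPv6 port to an IPv4 host behind NAT?

  • 0

I run a Xen Dom0 with 2 NATed VMs (the other VMs are bridged, which all works fine).

This Dom0 has an IPv6 and an IPv4 address. Requests to e.g. port 25 are forwarded to the LAN address of one of the VMs, which handles them.

E.g.: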

VM_DNS_MAIL=172.16.1.1
iptables -t nat -A PREROUTING -d 1.2.3.4/26 -p tcp --dport 25 -j DNAT --to $VM_DNS_MAIL
iptables -t nat -A PREROUTING -d 1.2.3.4/26 -p tcp --dport 53 -j DNAT --to $VM_DNS_MAIL

1.2.3.4 is the public IP of my Dom0.

This works perfectly with IPv4. How can I achieve the same with IPv6?

iptables
  • 2 answers
  • 755 Views
Martin Hope
Tuinslak
Asked: 2014-05-22 09:14:49 +0800 CST

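Bind: "unexpected end of input" due to NS

  • 5

I stumbled upon a strange error in a master-slave configuration of Bind.

The zone works fine on the master, but on the slave I run into these errors: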

21-May-2014 19:06:07.573 general: info: zone example.com/IN: refresh: failure trying master 1.2.3.4#53 (source 0.0.0.0#0): unexpected end of input

This is what my bind file looks like:

@   IN SOA  ns1.example.com.    admin.example.com. (
    2014052116    ; Serial
    28800         ; Refresh
    180           ; Retry
    604800        ; Expire
    21600       ) ; Minimum

                86400   IN A        1.2.3.4
                86400   IN MX       10 mail.example.com.
                86400   IN MX       20 mail2.example.com.
                86400   IN NS       ns1.example.com.
                86400   IN NS       ns2.example.com.
                86400   IN NS       ns3.example.com.
                86400   IN NS       ns1.example.net.
                86400   IN NS       ns2.example.net.
                86400   IN NS       ns3.example.net.
                86400   IN NS       ns1.example.org.

; until here it works -- if I uncomment the below here, I'll get "end of input" failures.
;               86400   IN NS       ns2.example.org.
;               86400   IN NS       ns3.example.org.


*               86400   IN A        1.2.3.4
[...]

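If I uncomment the two commented NS lines, I get the "end of input" errors. If I leave them commented, everything works fine.

Is there a maximum number of NS records or a file size that causes it to break?

Thanks.

Edit:

named-checkzone: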

master # named-checkzone example.com example.com. 
zone example.com/IN: example.com/MX 'mail.example.com' is a CNAME (illegal)
zone example.com/IN: example.com/MX 'mail2.example.com' is a CNAME (illegal)
zone example.com/IN: loaded serial 2014052105
OK

Global options:

options {
    directory "/var/cache/bind";
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    listen-on { any; };
    dnssec-enable yes;
    recursion no;
    statistics-file "/var/log/named.stats";
    try-tcp-refresh yes;
};

Version (identical on all three servers):

# named -v
BIND 9.8.4-rpz2+rl005.12-P1
domain-name-system
  • 1 answer
  • 5546 Views
Martin Hope
Tuinslak
Asked: 2014-03-12 14:12:06 +0800 CST

Puppet: including a different file depending on hostname

  • 2

I'm trying to get something like this to work in my Puppet manifest:

    if $hostname == 'host1' || $hostname == 'host2' {
        # Modified config.txt for portrait mode. 
        file { '/boot/config.txt' :
            ensure      => present,
            mode        => '0755',
            source      => 'puppet://puppet/files/boot/config.txt.portrait',
        }
    } else {
        # Normal config.txt for landscape mode.
        file { '/boot/config.txt' :
            ensure      => present,
            mode        => '0755',
            source      => 'puppet://puppet/files/boot/config.txt.landscape',
        }
    }

However, this fails. What is the best way to include a different file depending on the hostname?

puppet
  • 5 answers
  • 17536 Views
Martin Hope
Tuinslak
Asked: 2013-10-01 14:26:15 +0800 CST

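PowerDNS slave server not updating after being notified

  • 4

I'm running two machines with PowerDNS, one is the master (SQL) and one is the slave (bind backend).

After I modify a domain and bump the serial, I get this in the logs: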

Sep 30 22:13:20 localhost pdns[6884]: 1 domain for which we are master needs notifications
Sep 30 22:13:20 localhost pdns[6884]: Queued notification of domain 'netly.io' to 146.185.146.149
Sep 30 22:13:20 localhost pdns[6884]: Queued notification of domain 'netly.io' to 146.185.147.74
Sep 30 22:13:20 localhost pdns[6884]: Received NOTIFY for netly.io from 146.185.146.149 but slave support is disabled in the configuration
Sep 30 22:13:21 localhost pdns[6884]: Received unsuccessful notification report for 'netly.io' from 146.185.146.149:53, rcode: 4
Sep 30 22:13:21 localhost pdns[6884]: Removed from notification list: 'netly.io' to 146.185.146.149:53
Sep 30 22:13:23 localhost pdns[6884]: No master domains need notifications

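I know it is notifying itself (146.185.146.149) because it is set as a name server, and those errors can be ignored. It (seemingly) also notifies the other server (146.185.147.74 or 162.243.29.199).

However, the slave server shows nothing in its logs for that time frame, and when I cat the domain file, I can see the old serial number and the subdomains not being updated.

dig @slave-server also shows the old settings.

Telling it to reload doesn't update the bind zone file either: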

slave-server # pdns_control reload
Ok
slave-server # tail -f /var/log/daemon.log 
Sep 30 22:21:28 node-e31401 pdns[2259]: Zone 'netly.io' (/etc/powerdns/bind/netly.io.) needs reloading
Sep 30 22:21:28 node-e31401 pdns[2259]: Zone 'netly.io' (/etc/powerdns/bind/netly.io.) reloaded

However, when I fully restart PDNS, it finally figures out it is outdated and correctly fetches the updated zone:

slave-server # /etc/init.d/pdns restart
[ ok ] Restarting PowerDNS Authoritative Name Server: pdns.
slave-server # tail -f /var/log/daemon.log 
Sep 30 22:23:48 node-e31401 pdns[2911]: 2 slave domains need checking, 0 queued for AXFR
Sep 30 22:23:48 node-e31401 pdns[2911]: Received serial number updates for 2 zones, had 0 timeouts
Sep 30 22:23:48 node-e31401 pdns[2911]: Domain netly.io is stale, master serial 2013093004, our serial 2013093003
Sep 30 22:23:48 node-e31401 pdns[2911]: Domain titify.com is fresh (not presigned, no RRSIG check)
Sep 30 22:23:48 node-e31401 pdns[2911]: No master domains need notifications
Sep 30 22:23:48 node-e31401 pdns[2911]: Initiating transfer of 'netly.io' from remote '146.185.146.149'
Sep 30 22:23:48 node-e31401 pdns[2911]: AXFR started for 'netly.io', transaction started
Sep 30 22:23:48 node-e31401 pdns[2911]: Zone 'netly.io' (/etc/powerdns/bind/netly.io.) reloaded
Sep 30 22:23:48 node-e31401 pdns[2911]: AXFR done for 'netly.io', zone committed with serial number 2013093004
Sep 30 22:23:48 node-e31401 pdns[2911]: Done launching threads, ready to distribute questions

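What am I missing here? What is causing the master to correctly notify the slave, but the slave not to fetch the new zone?

Edit:

  • Slave config: https://static.0x04.com/2013/10/slave.pdns_.txt
  • Master config: https://static.0x04.com/2013/10/master.pdns_.txt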

tcpdump:

node-fd1d01 ~ # tcpdump -n 'host 146.185.146.149 and port 53'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:51:38.042713 IP 146.185.146.149.42478 > 162.243.29.199.53: 61745 notify [b2&3=0x2400] SOA? netly.io. (26)
09:51:41.043323 IP 146.185.146.149.42478 > 162.243.29.199.53: 61745 notify [b2&3=0x2400] SOA? netly.io. (26)
09:51:46.044145 IP 146.185.146.149.42478 > 162.243.29.199.53: 61745 notify [b2&3=0x2400] SOA? netly.io. (26)
09:51:52.049533 IP 146.185.146.149.42478 > 162.243.29.199.53: 59408 notify [b2&3=0x2400] SOA? netly.io. (26)
09:51:55.050715 IP 146.185.146.149.42478 > 162.243.29.199.53: 61745 notify [b2&3=0x2400] SOA? netly.io. (26)
09:51:55.050753 IP 146.185.146.149.42478 > 162.243.29.199.53: 59408 notify [b2&3=0x2400] SOA? netly.io. (26)
09:52:00.053327 IP 146.185.146.149.42478 > 162.243.29.199.53: 59408 notify [b2&3=0x2400] SOA? netly.io. (26)
09:52:09.056321 IP 146.185.146.149.42478 > 162.243.29.199.53: 59408 notify [b2&3=0x2400] SOA? netly.io. (26)

The logs don't show anything new (latest is from 09h48):

node-fd1d01 /etc/powerdns/bind # tail -f /var/log/daemon.log 
Oct  2 09:47:59 localhost pdns[2253]: Domain netly.io is fresh (not presigned, no RRSIG check)
Oct  2 09:47:59 localhost pdns[2253]: Domain titify.com is fresh (not presigned, no RRSIG check)
Oct  2 09:47:59 localhost pdns[2253]: No master domains need notifications
Oct  2 09:47:59 localhost pdns[2253]: Done launching threads, ready to distribute questions
Oct  2 09:48:00 localhost ntpd[2144]: Listen normally on 6 tun0 172.17.24.1 UDP 123
Oct  2 09:48:00 localhost ntpd[2144]: Listen normally on 7 tun1 172.17.16.1 UDP 123
Oct  2 09:48:00 localhost ntpd[2144]: peers refreshed
Oct  2 09:48:12 localhost dbus[2093]: [system] Activating service name='org.freedesktop.ConsoleKit' (using servicehelper)
Oct  2 09:48:12 localhost dbus[2093]: [system] Successfully activated service 'org.freedesktop.ConsoleKit'
Oct  2 09:48:59 localhost pdns[2253]: No new unfresh slave domains, 0 queued for AXFR already

But when I cat the zone file (in bind format), it hasn't been updated.

powerdns
  • 3 answers
  • 21584 Views
Martin Hope
Tuinslak
Asked: 2013-09-28 15:40:26 +0800 CST

OpenVPN and "appropriately firewall the TUN interface" (iptables)

  • 0

In the default OpenVPN config, there is this comment at the client-to-client line:

# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.

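For years I've been wondering what they actually mean by "appropriately" firewalling the interface. A quick Google doesn't turn up any specific iptables rules to apply to "fix" this either.

What does this comment mean, and how do I appropriately firewall it with iptables?

iptables
  • 1 answer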
  • 3668 Views
Martin Hope
Tuinslak
Asked: 2013-07-09 15:09:43 +0800 CST

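Puppet: certificate verify failed

  • 5

Due to a screw-up, I had to regenerate the client and server certificates.

As far as I know, the master certificate is generated automatically.

So I generated the keys on the client: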

MASTER # puppet cert clean --all
Notice: Revoked certificate with serial 2
Notice: Revoked certificate with serial 6
Notice: Removing file Puppet::SSL::Certificate puppet.x.com at '/var/lib/puppet/ssl/ca/signed/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.x.com at '/var/lib/puppet/ssl/certs/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Key puppet.x.com at '/var/lib/puppet/ssl/private_keys/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/ca/signed/efikamx-9ba3ab.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/certs/efikamx-9ba3ab.x.com.pem'

puppet agent --no-daemonize  --onetime --verbose --waitforcert 60 
notice: Did not receive certificate
info: Caching certificate for efikamx-561a37.botnet.corp.flatturtle.com
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

MASTER # puppet cert sign --all
Notice: Signed certificate request for efikamx-9ba3ab.x.com
Notice: Removing file Puppet::SSL::CertificateRequest efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/ca/requests/efikamx-9ba3ab.x.com.pem'

CLIENT # puppet agent -t
info: Caching certificate for efikamx-9ba3ab.x.com
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

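Before you ask: yes, ntp is running and both clients have the correct time.

What is the correct way to purge all certificates on both ends and regenerate everything properly?

I have run: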

find /var/lib/puppet -type f -print0 |xargs -0r rm

and

rm -rf /var/lib/puppet/ssl/*

on the client, but that did not help.

By the way, this is a mix of Puppet 2 and Puppet 3.

puppet
  • 1 answer
  • 22280 Views
Martin Hope
Tuinslak
Asked: 2013-07-06 11:47:52 +0800 CST

Postfix: unable to send mail to (usually) Outlook.com domains

  • 1

I am having problems sending mail, mostly to domains that use Outlook.com as their mail server.

For example:

Jul  5 15:38:20 vm-dns-mail postfix/smtp[29249]: B6A3A20113E: to=<[email protected]>, relay=none, delay=189023, delays=189019/0.05/4/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=grassvalley-com.mail.eo.outlook.com type=AAAA: Host not found, try again)

But it has a correct MX record:

vm-dns-mail ~/bin # dig mx grassvalley.com
[...]
;; ANSWER SECTION:
grassvalley.com.        7362    IN      MX      5 grassvalley-com.mail.eo.outlook.com.

I can telnet to it:

vm-dns-mail ~/bin # telnet grassvalley-com.mail.eo.outlook.com 25
EHLO
Trying 207.46.163.30...
Connected to grassvalley-com.mail.eo.outlook.com.
Escape character is '^]'.
220 CO9EHSMHS019.bigfish.com Microsoft ESMTP MAIL Service ready at Fri, 5 Jul 2013 19:45:12 +0000
250-CO9EHSMHS019.bigfish.com Hello [85.12.6.130]
250-SIZE 157286400
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING

I thought this was an IPv6 issue, because this VM cannot connect over IPv6. So I added this line to main.cf:

inet_protocols = ipv4

But it just changed the problem to:

Jul  5 21:41:38 vm-dns-mail postfix/smtp[30661]: C1102201234: to=<[email protected]>, relay=none, delay=2, delays=0.01/0/2/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=cjp-be.mail.eo.outlook.com type=A: Host not found, try again)

What could be causing this rather annoying problem?

postfix
  • 1 answer
  • 3319 Views
Martin Hope
Tuinslak
Asked: 2013-05-06 09:03:31 +0800 CST

Puppet(-master) 3.1 after upgrade

  • 0

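Today I updated the Puppet clients and the Puppet master to Wheezy.

For some reason, the Puppet clients were updated to version 3.1, but the master stayed at 2.7. So I installed the latest stable version for the master directly from Puppetlabs, and now both are 3.1.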

root@efikamx-5fb019 ~ # puppet --version
3.1.1
botmaster /etc/puppet # puppet --version
3.1.1

However, I noticed that it started producing errors and subsequently failing:

root@efikamx-5fb019 ~ # puppet agent --test
Info: Retrieving plugin
Info: Caching catalog for efikamx-5fb019.botnet.corp.yeri.be
Info: Applying configuration version '1367772083'
Notice: /Stage[essential]/Repository/Apt::Key[[email protected]]/Exec[apt-key present [email protected]]/returns: executed successfully
Error: /Stage[essential]/Repository/File[/etc/apt/sources.list.d/flatturtle.list]: Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/files/etc/apt/sources.list.d/flatturtle.list Could not retrieve file metadata for puppet://puppet.corp.yeri.be/files/etc/apt/sources.list.d/flatturtle.list: Error 400 on SERVER: Not authorized to call find on /file_metadata/files/etc/apt/sources.list.d/flatturtle.list

Here is my auth.conf: http://pastebin.com/GGCyck95

Here is my fileserver.conf: http://pastebin.com/XeeTX2a5

Here is a snippet from site.pp:

    file { '/etc/apt/sources.list.d/flatturtle.list' :
        owner       => 'root',
        group       => 'root',
        mode        => '0644',
        source      => 'puppet://puppet.corp.yeri.be/files/etc/apt/sources.list.d/flatturtle.list',
        notify      => Exec['update'],
    }

What am I missing to grant access to the file?

puppet
  • 1 answer
  • 405 Views
