主页 / user-85534

natli's questions

Martin Hope
natli
Asked: 2025-03-25 02:19:20 +0800 CST
  • 5

因此,我正在运行一个带有 nginx 容器的 docker 服务器,该容器反向代理一堆其他容器。在主机上,我想使用 fail2ban 禁止试图闯入 wordpress 网站的 IP。非常简单,但我需要使用自定义操作,以便禁令在 DOCKER-USER 链中发生,否则 docker 转发(也使用 iptables)将覆盖禁令。为了实现这一点,我将 nginx 日志目录从主机安装到容器,以便 fail2ban 可以从主机监视它们。

一切似乎都运行良好,除了它没有禁止任何 IP。正则表达式在测试中匹配正确,手动禁止工作正常,fail2ban 日志没有显示任何异常;我被难住了。

以下是来自访问日志的模糊/匿名摘录;

132.321.555.777 - - [24/Mar/2025:17:12:07 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
132.321.555.777 - - [24/Mar/2025:17:12:07 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
132.321.555.777 - - [24/Mar/2025:17:12:07 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
132.321.555.777 - - [24/Mar/2025:17:12:08 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
132.321.555.777 - - [24/Mar/2025:17:12:08 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
84.29.333.555 - - [24/Mar/2025:17:12:08 +0000] "GET /wp-content/uploads/2024/06/xx-32x32.png HTTP/1.1" 200 926 "-" "NetworkingExtension/8620.2.4.10.8 Network/4277.82.1 iOS/18.3.2"
84.29.333.555 - - [24/Mar/2025:17:12:08 +0000] "GET /wp-content/uploads/2024/06/xx-180x180.png HTTP/1.1" 200 5567 "-" "NetworkingExtension/8620.2.4.10.8 Network/4277.82.1 iOS/18.3.2"
132.321.555.777 - - [24/Mar/2025:17:12:09 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
132.321.555.777 - - [24/Mar/2025:17:12:09 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
132.321.555.777 - - [24/Mar/2025:17:12:09 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
132.321.555.777 - - [24/Mar/2025:17:12:10 +0000] "POST //xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
43.166.222.22 - - [24/Mar/2025:17:12:02 +0000] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1"
84.29.123.32 - - [24/Mar/2025:17:12:08 +0000] "GET /wp-content/uploads/2023/01/xx-300x225.png HTTP/1.1" 200 115438 "-" "NetworkingExtension/8620.2.4.10.8 Network/4277.82.1 iOS/18.3.2"
84.29.123.32 - - [24/Mar/2025:17:12:08 +0000] "GET /wp-content/uploads/2024/06/xx-192x192.png HTTP/1.1" 200 5994 "-" "NetworkingExtension/8620.2.4.10.8 Network/4277.82.1 iOS/18.3.2"
84.29.123.32 - - [24/Mar/2025:17:12:09 +0000] "GET /wp-content/uploads/2024/06/xx-32x32.png HTTP/1.1" 200 926 "-" "NetworkingExtension/8620.2.4.10.8 Network/4277.82.1 iOS/18.3.2"

/etc/fail2ban/jail.local

[nginx-xmlrpc]
enabled  = true
filter   = nginx-xmlrpc
logpath  = /var/dockervolumes/nginx/logs/access.log
maxretry = 1
findtime = 5
bantime  = 3600
action   = iptables-docker

我把 maxretry 和 findtime 设置得非常低以进行测试,但这没有帮助。

/etc/fail2ban/filter.d/nginx-xmlrpc.conf

[INCLUDES]

before = nginx-bad-request.conf

[Definition]
failregex = ^<HOST>.*] "POST (|.*)\/xmlrpc\.php.*
            ^<HOST>.*] "GET (|.*)\/xmlrpc\.php.*
            ^<HOST> .* "POST .*wp-login.php
ignoreregex = ^<HOST>.*] "POST (|.*)\/xmlrpc\.php\?for=jetpack.*

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}

正如您所看到的,我已经尝试过弄乱日期模式,但没有帮助。

/etc/fail2ban/action.d/iptables-docker.conf

[Definition]
actionstart =
actionstop =
actioncheck = /usr/sbin/iptables -n -L DOCKER-USER | grep -q '[<ip>]'
actionban = /usr/sbin/iptables -I DOCKER-USER -s <ip> -j DROP
actionunban = /usr/sbin/iptables -D DOCKER-USER -s <ip> -j DROP

测试正则表达式;fail2ban-regex /var/dockervolumes/nginx/logs/access.log /etc/fail2ban/filter.d/nginx-xmlrpc.conf

Running tests
=============

Use   failregex filter file : nginx-xmlrpc, basedir: /etc/fail2ban
Use      datepattern : ^[^\[]*\[({DATE})
{^LN-BEG} : Default Detectors
Use         log file : /var/dockervolumes/nginx/logs/access.log
Use         encoding : UTF-8


Results
=======

Failregex: 13345 total
|-  #) [# of hits] regular expression
|   1) [13299] ^<HOST>.*] "POST (|.*)\/xmlrpc\.php.*
|   2) [20] ^<HOST>.*] "GET (|.*)\/xmlrpc\.php.*
|   3) [26] ^<HOST> .* "POST .*wp-login.php
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [26486] ^[^\[]*\[(Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?)
`-

Lines: 26486 lines, 0 ignored, 13345 matched, 13141 missed
[processed in 2.39 sec]

手动测试禁令;fail2ban-client 设置 nginx-xmlrpc banip 1.2.5.9

产生日志:

2025-03-24 19:09:35,909 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Ban 1.2.5.9

并正确列出被阻止的 IP;iptables -L DOCKER-USER

Chain DOCKER-USER (1 references)
target     prot opt source               destination
DROP       all  --  1.2.5.9              anywhere
DROP       all  --  1.2.4.9              anywhere
DROP       all  --  1.2.3.9              anywhere
DROP       all  --  1.2.3.8              anywhere
DROP       all  --  1.2.3.7              anywhere
DROP       all  --  1.2.3.6              anywhere
DROP       all  --  1.2.3.5              anywhere
RETURN     all  --  anywhere             anywhere

日志也没有显示任何异常;tail -f /var/log/fail2ban.log

2025-03-24 19:00:29,067 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Restore Ban 1.2.3.5
2025-03-24 19:00:29,080 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Restore Ban 1.2.3.6
2025-03-24 19:00:29,094 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Restore Ban 1.2.3.7
2025-03-24 19:00:29,104 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Restore Ban 1.2.3.8
2025-03-24 19:00:29,115 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Restore Ban 1.2.3.9
2025-03-24 19:00:29,126 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Restore Ban 1.2.4.9
2025-03-24 19:00:29,240 fail2ban.filtersystemd  [828254]: INFO    [nginx-xmlrpc] Jail is in operation now (process new journal entries)
2025-03-24 19:05:53,278 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Unban 1.2.3.4
2025-03-24 19:09:33,024 fail2ban.actions        [828254]: WARNING [nginx-xmlrpc] 1.2.4.9 already banned
2025-03-24 19:09:35,909 fail2ban.actions        [828254]: NOTICE  [nginx-xmlrpc] Ban 1.2.5.9

更新:

~ fail2ban-客户端状态 nginx-xmlrpc

Status for the jail: nginx-xmlrpc
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=nginx.service + _COMM=nginx
`- Actions
   |- Currently banned: 0
   |- Total banned:     8
   `- Banned IP list:

这 8 次禁令都是我手动测试的。

~ iptables-保存

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-51ec37449070 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-51ec37449070 -j DOCKER
-A FORWARD -i br-51ec37449070 ! -o br-51ec37449070 -j ACCEPT
-A FORWARD -i br-51ec37449070 -o br-51ec37449070 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2020 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2019 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2018 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2017 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2016 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2015 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2014 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2013 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2012 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2011 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2010 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2009 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2008 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2007 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2006 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2005 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2004 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2003 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2002 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2001 -j ACCEPT
-A DOCKER -d 172.18.0.39/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 2000 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-51ec37449070 -o br-51ec37449070 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-51ec37449070 ! -o br-51ec37449070 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-51ec37449070 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -s 1.14.96.192/32 -j DROP
-A DOCKER-USER -s 18.219.14.219/32 -j DROP
-A DOCKER-USER -s 174.138.27.210/32 -j DROP
-A DOCKER-USER -s 128.199.244.121/32 -j DROP
-A DOCKER-USER -s 45.130.145.4/32 -j DROP
-A DOCKER-USER -s 128.199.244.121/32 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed Mar 26 09:10:19 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Mar 26 09:10:19 2025
*nat
:PREROUTING ACCEPT [320032242:19224216945]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [396346224:30027564903]
:POSTROUTING ACCEPT [531692826:38140531338]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-51ec37449070 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2020 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2019 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2018 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2017 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2016 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2015 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2014 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2013 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2012 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2011 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2010 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2009 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2008 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2007 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2006 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2005 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2004 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2003 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2002 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2001 -j MASQUERADE
-A POSTROUTING -s 172.18.0.39/32 -d 172.18.0.39/32 -p tcp -m tcp --dport 2000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-51ec37449070 -j RETURN
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2020 -j DNAT --to-destination 172.18.0.39:2020
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2019 -j DNAT --to-destination 172.18.0.39:2019
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2018 -j DNAT --to-destination 172.18.0.39:2018
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2017 -j DNAT --to-destination 172.18.0.39:2017
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2016 -j DNAT --to-destination 172.18.0.39:2016
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2015 -j DNAT --to-destination 172.18.0.39:2015
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2014 -j DNAT --to-destination 172.18.0.39:2014
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2013 -j DNAT --to-destination 172.18.0.39:2013
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2012 -j DNAT --to-destination 172.18.0.39:2012
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2011 -j DNAT --to-destination 172.18.0.39:2011
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2010 -j DNAT --to-destination 172.18.0.39:2010
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2009 -j DNAT --to-destination 172.18.0.39:2009
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2008 -j DNAT --to-destination 172.18.0.39:2008
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2007 -j DNAT --to-destination 172.18.0.39:2007
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2006 -j DNAT --to-destination 172.18.0.39:2006
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2005 -j DNAT --to-destination 172.18.0.39:2005
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2004 -j DNAT --to-destination 172.18.0.39:2004
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2003 -j DNAT --to-destination 172.18.0.39:2003
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2002 -j DNAT --to-destination 172.18.0.39:2002
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2001 -j DNAT --to-destination 172.18.0.39:2001
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 2000 -j DNAT --to-destination 172.18.0.39:2000
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.6:443
-A DOCKER ! -i br-51ec37449070 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.6:80
COMMIT
# Completed on Wed Mar 26 09:10:19 2025
nginx
Martin Hope
natli
Asked: 2012-11-13 16:44:12 +0800 CST
  • 4

我按照这本书设置了主从。我在LOAD DATA FROM MASTER;奴隶上运行了首字母,效果很好。但是当我将数据插入主服务器时,它根本没有被复制到从服务器。我已经尝试重新启动 master 和 slave mysqld 进程,并在 slave 上“slave stop / slave start”。这是怎么回事?

掌握

配置:

server-id               = 1
log_bin                 = /var/log/mysql/mysql-bin.log
expire_logs_days        = 10
max_binlog_size         = 100M
  binlog_do_db            = pchelp
  binlog_ignore_db        = mysql
  binlog_ignore_db        = test

mysql> 从 pchelp.test_table 中选择 *;

+----+---------+
| id | sometxt |
+----+---------+
|  1 | x       |
|  2 | x       |
|  3 | y       |
|  4 | z       |
|  5 | p       |
|  6 | i       |
+----+---------+
6 rows in set (0.00 sec)

mysql> 显示主机状态 \G

*************************** 1. row ***************************
            File: mysql-bin.000009
        Position: 106
    Binlog_Do_DB: pchelp
Binlog_Ignore_DB: mysql,test
1 row in set (0.00 sec)

奴隶

配置:

server-id               = 2
  master-host               = hidden.x.xx
  master-user               = replication
  master-password           = hidden
  master-port               = 3308
  replicate_do_db           = pchelp

mysql> 从 pchelp.test_table 中选择 *;

+----+---------+
| id | sometxt |
+----+---------+
|  1 | x       |
|  2 | x       |
|  3 | y       |
|  4 | z       |
|  5 | p       |
|  6 | i       |
+----+---------+
6 rows in set (0.00 sec)

mysql> 显示从站状态 \G

*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: hidden.x.xx
                  Master_User: replication
                  Master_Port: 3308
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000009
          Read_Master_Log_Pos: 106
               Relay_Log_File: mysqld-relay-bin.000002
                Relay_Log_Pos: 251
        Relay_Master_Log_File: mysql-bin.000009
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB: pchelp
          Replicate_Ignore_DB:
           Replicate_Do_Table:
       Replicate_Ignore_Table:
      Replicate_Wild_Do_Table:
  Replicate_Wild_Ignore_Table:
                   Last_Errno: 0
                   Last_Error:
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 106
              Relay_Log_Space: 407
              Until_Condition: None
               Until_Log_File:
                Until_Log_Pos: 0
           Master_SSL_Allowed: No
           Master_SSL_CA_File:
           Master_SSL_CA_Path:
              Master_SSL_Cert:
            Master_SSL_Cipher:
               Master_SSL_Key:
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
1 row in set (0.01 sec)

掌握

插入 pchelp.test_table (id,sometxt) 值 (7,'q');

Query OK, 1 row affected (0.00 sec)

mysql> 从 pchelp.test_table 中选择 *;

+----+---------+
| id | sometxt |
+----+---------+
|  1 | x       |
|  2 | x       |
|  3 | y       |
|  4 | z       |
|  5 | p       |
|  6 | i       |
|  7 | q       |
+----+---------+
7 rows in set (0.01 sec)

mysql> 显示主机状态 \G

*************************** 1. row ***************************
            File: mysql-bin.000009
        Position: 106
    Binlog_Do_DB: pchelp
Binlog_Ignore_DB: mysql,test
1 row in set (0.00 sec)

奴隶(插入主人后)

mysql> 从 pchelp.test_table 中选择 *;

+----+---------+
| id | sometxt |
+----+---------+
|  1 | x       |
|  2 | x       |
|  3 | y       |
|  4 | z       |
|  5 | p       |
|  6 | i       |
+----+---------+
6 rows in set (0.01 sec)

mysql> 显示从站状态 \G

*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: hidden.x.xx
                  Master_User: replication
                  Master_Port: 3308
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000009
          Read_Master_Log_Pos: 106
               Relay_Log_File: mysqld-relay-bin.000002
                Relay_Log_Pos: 251
        Relay_Master_Log_File: mysql-bin.000009
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB: pchelp
          Replicate_Ignore_DB:
           Replicate_Do_Table:
       Replicate_Ignore_Table:
      Replicate_Wild_Do_Table:
  Replicate_Wild_Ignore_Table:
                   Last_Errno: 0
                   Last_Error:
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 106
              Relay_Log_Space: 407
              Until_Condition: None
               Until_Log_File:
                Until_Log_Pos: 0
           Master_SSL_Allowed: No
           Master_SSL_CA_File:
           Master_SSL_CA_Path:
              Master_SSL_Cert:
            Master_SSL_Cipher:
               Master_SSL_Key:
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
1 row in set (0.00 sec)

任何人对可能出现的问题有什么好主意?用户“复制”具有完全权限(在主从上运行);

grant replication slave on *.* to replication@'%' identified by 'hidden';
GRANT ALL PRIVILEGES ON pchelp.* TO replication;

再一次,LOAD DATA FROM MASTER;命令工作得很好..我不明白。

linux
Martin Hope
natli
Asked: 2012-06-21 07:49:49 +0800 CST
  • 1

我在 debian-squeeze 服务器上设置了一个 pptp VPN 服务器就好了,我可以从 Windows 7 连接到它,但是 ping 任何外部主机(比如 google.com)都失败了。Ping 10.0.0.1 或 10.0.0.10 按预期工作。

到目前为止,我已经尝试了很多,但没有任何帮助。难道我做错了什么?

我设置了pptpd

ms-dns 8.8.8.8
ms-dns 8.8.4.4

localip 10.0.0.1
remoteip 10.0.0.10-100

添加了 iptable 规则;

iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT

启用net.ipv4.ip_forward=1/etc/sysctl.conf

并添加了伪装;

iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o ppp0 -j MASQUERADE

任何人都可以发现错误吗?

消息日志:

Jun 20 15:25:01 server1 pppd[6089]: pppd 2.4.5 started by root, uid 0
Jun 20 15:25:01 server1 pppd[6089]: Using interface ppp0
Jun 20 15:25:01 server1 pppd[6089]: Connect: ppp0 <--> /dev/pts/2
Jun 20 15:25:05 server1 pppd[6089]: local  IP address 10.0.0.1
Jun 20 15:25:05 server1 pppd[6089]: remote IP address 10.0.0.10

调试日志:

Jun 20 15:24:47 server1 pptpd[6053]: CTRL: Reaping child PPP[6054]

pptpd日志:

Jun 20 15:25:01 server1 pptpd[6088]: CTRL: Client 8X.XX.2XX.X4 control connection started
Jun 20 15:25:01 server1 pptpd[6088]: CTRL: Starting call (launching pppd, opening GRE)
Jun 20 15:25:04 server1 pptpd[6088]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!

Linux服务器上的ifconfig:

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:10.0.0.1  P-t-P:10.0.0.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:156 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:16390 (16.0 KiB)  TX bytes:137 (137.0 B)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:29264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30152 errors:0 dropped:88 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4129198 (3.9 MiB)  TX bytes:25084183 (23.9 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:1X9.XX.1XX.XX9  P-t-P:1X9.XX.1XX.XX9  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Windows客户端上的ipconfig:

PPP adapter Chicago:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::dc99:4aef:5221:b5e3%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.102
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Tunnel adapter isatap.{290FC5BA-1A1F-48E5-9FAA-621E96CF4AED}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:2c53:3789:f5ff:fff5
   Link-local IPv6 Address . . . . . : fe80::2c53:3789:f5ff:fff5%13
   Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.{A22A1F34-B6D4-4BD7-BCA4-FAECB71D2D14}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

tracert -d www.google.com在客户端:

Tracing route to www.l.google.com [74.125.132.105]
over a maximum of 30 hops:

  1   117 ms   121 ms   117 ms  10.0.0.1 
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
vpn linux networking pptp