System environment:
Oracle Linux 5.8

Steps:
At a colleague's request I wanted to put an IP restriction on a server so that it could only reach a few specific IPs.
I did this with iptables on the OUTPUT chain.

For example, to allow access only to 192.168.0.9:
#iptables -I OUTPUT -d 192.168.0.9 -j ACCEPT
A DROP-everything rule was already in place before it.

However, an ssh login to 192.168.0.9 then failed with an error:

#ssh 192.168.0.9
do_ypcall: clnt_call: RPC: Unable to send; errno = Operation not permitted
do_ypcall: clnt_call: RPC: Unable to send; errno = Operation not permitted

Add -vvv to see the details:

#ssh -vvv 192.168.0.9
debug3: Trying to reverse map address 172.28.9.164.
do_ypcall: clnt_call: RPC: Unable to send; errno = Operation not permitted

That does not reveal much either.

Trace it with strace:

#strace -o ssh.log ssh 192.168.0.9

Open ssh.log and jump to the end:

open("/lib64/libnss_nis.so.2", O_RDONLY) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\37\0\0\0\0\0\0"..., 832) = 832
fstat(4, {st_mode=S_IFREG|0755, st_size=53472, ...}) = 0
mmap(NULL, 2139320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f9eb9501000
mprotect(0x7f9eb950b000, 2093056, PROT_NONE) = 0
mmap(0x7f9eb970a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x9000) = 0x7f9eb970a000
close(4) = 0
mprotect(0x7f9eb970a000, 4096, PROT_READ) = 0
munmap(0x7f9ebcf2a000, 187830) = 0
uname({sys="Linux", node="SFALCAP1", ...}) = 0
open("/var/yp/binding/testidc.2", O_RDONLY) = 4
pread(4, "\1\0\0\0\254\34\t\16\2Z\0\0", 12, 2) = 12
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(624), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
ioctl(5, FIONBIO, [1]) = 0
setsockopt(5, SOL_IP, IP_RECVERR, [1], 4) = 0
futex(0x7f9ebb154700, FUTEX_WAKE_PRIVATE, 2147483647) = 0
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
close(4) = 0
sendto(5, "\21\31c\23\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0\0"..., 84, 0, {sa_family=AF_INET, sin_port=htons(602), sin_addr=inet_addr("172.28.9.14")}, 16) = -1 EPERM (Operation not permitted)
futex(0x7f9ebb154720, FUTEX_WAKE_PRIVATE, 2147483647) = 0
write(2, "do_ypcall: clnt_call: RPC: Unabl"..., 75) = 75
close(5) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("127.0.0.1")}, 16) = ? ERESTARTSYS (To be restarted)
--- SIGINT (Interrupt) @ 0 (0) ---
+++ killed by SIGINT +++

The errors start when ssh tries to reach the ypbind (NIS) service.
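To pull the blocked destinations out of a trace like this instead of scrolling to the end by hand, here is a small added helper (not from the original post) that scans strace output for sendto/sendmsg/connect calls that returned EPERM or were still waiting when the user interrupted them, using an abridged copy of the log above as constructed sample input. On that input it finds two hits, the NIS call to 172.28.9.14:602 and the portmapper connect to 127.0.0.1:111, both of which a whitelist-only OUTPUT policy has to take into account if NIS is to keep working.

```python
import re

# Constructed sample: abridged from the strace log shown on this page
# (the sendto payload is shortened, everything else is as logged).
SAMPLE_TRACE = r"""
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(624), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
sendto(5, "\21\31c\23"..., 84, 0, {sa_family=AF_INET, sin_port=htons(602), sin_addr=inet_addr("172.28.9.14")}, 16) = -1 EPERM (Operation not permitted)
write(2, "do_ypcall: clnt_call: RPC: Unabl"..., 75) = 75
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("127.0.0.1")}, 16) = ? ERESTARTSYS (To be restarted)
"""

# Matches outbound calls that carry a destination sockaddr_in, plus their result.
ADDR_RE = re.compile(
    r'^(?P<call>sendto|sendmsg|connect)\(.*?'
    r'sin_port=htons\((?P<port>\d+)\), sin_addr=inet_addr\("(?P<ip>[\d.]+)"\)'
    r'.*?\)\s*=\s*(?P<result>.+)$'
)

def blocked_destinations(trace_text):
    """Return (syscall, ip, port, verdict) for outbound calls that did not get through.

    EPERM on a locally generated packet is what the kernel reports when an
    iptables OUTPUT rule refuses it. A connect() still in ERESTARTSYS when the
    user hit Ctrl-C never received a SYN-ACK or RST, so it is reported as "no reply".
    """
    found = []
    for line in trace_text.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        result = m.group("result")
        if "EPERM" in result:
            verdict = "EPERM"
        elif "ERESTARTSYS" in result:
            verdict = "no reply"
        else:
            continue  # call completed normally, not interesting here
        found.append((m.group("call"), m.group("ip"), int(m.group("port")), verdict))
    return found

def report(trace_text):
    """One line per blocked destination, ready to compare against the rule set."""
    return [f"{call} -> {ip}:{port} ({verdict})"
            for call, ip, port, verdict in blocked_destinations(trace_text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

Run it against a full log with `strace -f -o ssh.log ssh host` first, so that calls made by child processes are captured too.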

On checking, this machine had indeed run the ypbind service before; at the time the intention was to join it to a Windows domain.

Disable NIS login:
#setup
Uncheck NIS authentication and krb5 authentication there.

Logging in to 192.168.0.9 then succeeds.
