Azure Linux firewall: recovering an Azure Linux VM after a firewall misconfiguration

In day-to-day operations it happens now and then that the firewall locks you out of your own machine. Being able to recover quickly matters a great deal to the operator.

This article shows how to use an Azure VM extension to act on a VM without going through ssh.

I have previously written a blog post on how to deploy the Azure CustomScriptExtension:

Building on CustomScriptExtension, here is how to clear the firewall.

1. Add a firewall rule

Block external ssh access to the VM by adding an iptables rule:

iptables -A INPUT -p tcp --dport 22 -j DROP

All inbound traffic to port 22 is now dropped, existing ssh sessions included, because nothing earlier in the chain accepts ESTABLISHED traffic.

Watch the VM's port 22 with psping:

psping -t 139.219.237.69:22

Connecting to 139.219.237.69:22: 177.94ms
Connecting to 139.219.237.69:22: 201.50ms
Connecting to 139.219.237.69:22: 200.93ms
Connecting to 139.219.237.69:22: 196.51ms
Connecting to 139.219.237.69:22: 200.42ms
Connecting to 139.219.237.69:22: 175.54ms
Connecting to 139.219.237.69:22: 178.16ms
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.

To avoid a failed script leaving the VM unreachable for good, start the following script in the background first; it clears the rules automatically after 5 minutes. Note two things about it: it loops, so it keeps flushing every 5 minutes until you kill it, and iptables -F only deletes rules, so a chain whose default policy is DROP stays closed after a flush.

[root@hwcentos ~]# ./remove_iptables.sh &

#!/bin/bash
# Flush every rule in every chain of the filter table once every 5 minutes,
# and record each run, until the script is killed.
while true
do
    sleep 300
    iptables -F
    echo `date` >> a.txt
done
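As an added example (written for this page, not the post's remove_iptables.sh), here is a one-shot lockout guard that does what the loop above is trying to do, but more safely: it snapshots the live ruleset with iptables-save, arms a timer that restores that snapshot with iptables-restore unless the change is confirmed from a fresh login, and can tell you beforehand whether the snapshot would actually let ssh back in. Restoring a snapshot also puts chain policies back, which a plain iptables -F does not. It assumes root, iptables-save/iptables-restore on the box, and the GUARD_DIR path below is a hypothetical location; the command names are variables so the functions can be exercised without touching a real firewall.

```bash
#!/bin/bash
# Added example: one-shot lockout guard (not the original post's script).
# Assumptions: run as root; iptables-save/iptables-restore are installed;
# GUARD_DIR is a hypothetical path chosen for this example.

GUARD_DIR="${GUARD_DIR:-/run/iptables-guard}"
GUARD_TIMEOUT="${GUARD_TIMEOUT:-300}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
GUARD_PID=

# Save the whole ruleset, chain policies included. iptables -F only deletes
# rules, so a chain whose policy is DROP stays closed after a flush, whereas
# iptables-restore puts the policies back as well.
guard_snapshot() {
    mkdir -p "$GUARD_DIR"
    "$IPTABLES_SAVE" > "$GUARD_DIR/rules.before"
}

# Arm the dead man's switch in the background; its PID is left in GUARD_PID.
# After GUARD_TIMEOUT seconds the snapshot is restored unless guard_confirm ran.
# SIGHUP is ignored so the timer survives the ssh session that started it dying.
guard_arm() {
    rm -f "$GUARD_DIR/confirmed"
    (
        trap '' HUP
        sleep "$GUARD_TIMEOUT"
        if [ ! -e "$GUARD_DIR/confirmed" ]; then
            "$IPTABLES_RESTORE" < "$GUARD_DIR/rules.before"
            echo "$(date) rolled back to rules.before" >> "$GUARD_DIR/guard.log"
        fi
    ) &
    GUARD_PID=$!
}

# Run this from a *new* ssh session once you have proven you can still log in.
guard_confirm() {
    touch "$GUARD_DIR/confirmed"
}

# Exit 0 if restoring the given dump (default: the snapshot) would let ssh in:
# INPUT policy ACCEPT, or an explicit ACCEPT for tcp/22. A snapshot taken after
# you are already locked out is useless as a rollback target.
guard_snapshot_allows_ssh() {
    local f="${1:-$GUARD_DIR/rules.before}"
    grep -q '^:INPUT ACCEPT' "$f" && return 0
    grep -Eq '^-A INPUT .*--dport 22 .*-j ACCEPT' "$f"
}

# Usage on the VM:  ./guard.sh --arm ; <make the risky change> ; open a new
# ssh session ; ./guard.sh --confirm   (or let the timer roll the change back)
case "${1:-}" in
    --arm)
        guard_snapshot
        guard_snapshot_allows_ssh || echo "warning: snapshot would not restore ssh" >&2
        guard_arm
        echo "rollback armed (pid $GUARD_PID): fires in $GUARD_TIMEOUT s unless confirmed"
        ;;
    --confirm)
        guard_confirm
        ;;
esac
```

The confirm step is deliberately a separate invocation: the only proof that the change is safe is a login that was opened after the change, so that is the session the confirmation must come from.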

2. Remove the firewall rules through CustomScriptExtension

Run the following PowerShell script:

$mycred = Get-Credential -UserName admin@xxx.partner.onmschina.cn -Message hello
Login-AzureRmAccount -EnvironmentName AzureChinaCloud -Credential $mycred

# Define the resource group, VM and location
$RGName = 'hwextensiontest'
$VmName = 'hwcentos'
$Location = 'China East'

# Define the extension: name, publisher, version and the public settings
# (the command the extension will run on the VM)
$ExtensionName = 'CustomScriptForLinux'
$Publisher = 'Microsoft.OSTCExtensions'
$Version = '1.5'
$PublicConf = '{"commandToExecute": "iptables -F"}'

# Run Set-AzureRmVMExtension to install the extension
Set-AzureRmVMExtension -ResourceGroupName $RGName -VMName $VmName -Location $Location `
    -Name $ExtensionName -Publisher $Publisher `
    -ExtensionType $ExtensionName -TypeHandlerVersion $Version `
    -SettingString $PublicConf

RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
                         True         OK OK

The iptables -F command flushes every rule in every chain of the filter table. It does not change the chains' default policies; that is enough here because the policies are ACCEPT, as the iptables -L output further down shows. On a host whose INPUT policy is DROP, a flush alone would leave you locked out, and inserting a single ACCEPT rule for port 22 at the top of the chain (iptables -I INPUT 1) is the safer recovery command anyway, since it leaves the rest of the ruleset intact.

PsPing output afterwards:

Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: 3210.12ms
Connecting to 139.219.237.69:22: 197.16ms
Connecting to 139.219.237.69:22: 202.64ms

At this point ssh logins to the VM work again.

Look at the extension log:

[root@hwcentos 1.5.2.0]# pwd
/var/log/azure/Microsoft.OSTCExtensions.CustomScriptForLinux/1.5.2.0
[root@hwcentos 1.5.2.0]# less extension.log
..........
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Config decoded correctly.
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Will try to download files, number of retries = 10, wait SECONDS between retrievals = 20s
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]fileUris value provided is empty or invalid. Continue with executing command...
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Succeeded to download files, retry count = 0
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Internal DNS is ready, retry count = 0
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F
2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command is finished.
2016/10/22 03:04:50 ---stdout---
2016/10/22 03:04:50
2016/10/22 03:04:50 ---errout---
2016/10/22 03:04:50
2016/10/22 03:04:50
2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Daemon,success,0,Command is finished.
2016/10/22 03:04:50 ---stdout---
2016/10/22 03:04:50
2016/10/22 03:04:50 ---errout---
2016/10/22 03:04:50

Check the firewall state:

[root@hwcentos ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

All three chains are empty and their policy is ACCEPT: the firewall is effectively off.

3. Going further

Sometimes a customer's VM is unresponsive for a reason that has nothing to do with the firewall. In that case the same mechanism can be used to collect an sosreport on the VM and get the file off the machine (for example by copying it to another VM), so it can be analyzed there.

It is also possible to ping other VMs from this one, and capture packets on one of those VMs, to see whether this VM is alive on the network before deciding on the next step.

4. Things to watch out for

When the CustomScript extension is run more than once, it compares the new configuration with the previous one; if the two are identical it treats the run as a duplicate and does not execute the script again. To force a re-run, change something in the settings (the CustomScript extensions accept a timestamp field whose only purpose is to make the configuration differ), or use a cmdlet version that supports a force re-run parameter.
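As an added example covering sections 2 and 4 together (written for this page, not the post's PowerShell), here is the same recovery driven from the Azure CLI with the two changes a practitioner would want. First, the command sent to the VM is surgical: it saves the live ruleset for later forensics and inserts an ssh ACCEPT at the top of INPUT instead of flushing everything, which would also remove the ESTABLISHED,RELATED rule and every legitimate deny. Second, the settings carry a timestamp and the call passes --force-update, so a repeat run with the same command is not skipped as a duplicate. It assumes az is already logged in, the Microsoft.Azure.Extensions/CustomScript extension (the current Linux one rather than the OSTC 1.5 one used above; the same commandToExecute string can be pasted into the post's $PublicConf), and that the extension runs commandToExecute through a shell; the resource names are placeholders taken from the post.

```bash
#!/bin/bash
# Added example, not the post's script: recovery via the Azure CLI with a
# surgical command and a forced re-run. Assumptions: `az` is logged in,
# commandToExecute is run by a shell on the VM, names below are placeholders.

RG="${RG:-hwextensiontest}"
VM="${VM:-hwcentos}"

# Escape a string for embedding in a JSON string literal (backslash and quote).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# The command that runs on the VM. Inserting at position 1 wins over both a
# later DROP rule and a DROP chain policy; nothing else in the ruleset changes,
# and the pre-recovery ruleset is kept for the post-mortem.
recovery_command() {
    printf '%s' 'iptables-save > /root/iptables-before-recovery.rules; iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT'
}

# Public settings JSON. The timestamp (argument, or current epoch) makes every
# invocation's configuration distinct, so the extension does not skip it.
build_settings() {
    printf '{"commandToExecute": "%s", "timestamp": %s}' \
        "$(json_escape "$(recovery_command)")" "${1:-$(date +%s)}"
}

# Push the extension. --force-update re-runs it even if the settings were
# unchanged; the timestamp above covers tooling that lacks such a switch.
run_recovery_extension() {
    az vm extension set \
        --resource-group "$RG" --vm-name "$VM" \
        --name CustomScript --publisher Microsoft.Azure.Extensions \
        --force-update \
        --settings "$(build_settings)"
}

# Usage:  ./recover.sh --apply      (prints the settings JSON without --apply)
if [ "${1:-}" = "--apply" ]; then
    run_recovery_extension
else
    build_settings
    echo
fi
```

Whichever tool you use, check the extension log on the VM afterwards as shown above: the recovery command's stdout/stderr lands there, and an empty errout section with Daemon,success,0 is the confirmation that the rule was actually inserted.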

Update:

The Azure VM extension machinery communicates by making outbound HTTPS connections from the VM. Look at this output:

[root@hwcentos ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.3.0.4:22             167.220.255.53:65428    SYN_RECV    -
tcp        0      0 10.3.0.4:51542          168.63.129.16:80        TIME_WAIT   -
tcp        0      0 10.3.0.4:42505          40.126.88.72:443        TIME_WAIT   -
tcp        0     52 10.3.0.4:22             167.220.255.53:61944    ESTABLISHED 32399/sshd
tcp        0      0 10.3.0.4:42506          40.126.88.72:443        TIME_WAIT   -
tcp        0      0 10.3.0.4:42508          40.126.88.72:443        TIME_WAIT   -
tcp        0      0 10.3.0.4:42509          40.126.88.72:443        TIME_WAIT   -
tcp        0      0 10.3.0.4:51545          168.63.129.16:80        TIME_WAIT   -

Note the many HTTPS connections from the VM to 40.x.x.x, and also the connections to 168.63.129.16:80: that address is the Azure platform's own endpoint (the wire server), through which the guest agent receives the extension configuration, so it must stay reachable as well. As long as the VM can open these outbound connections and the replies can get back in, the VM extension works.

So the INPUT chain should contain, ahead of any DROP rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

(The second rule is redundant, since ESTABLISHED is already covered by the first, but harmless.) These accept the return packets of connections the VM itself initiated, so outbound traffic is not cut off by the firewall. Order matters: iptables walks INPUT top to bottom and -A appends, so these rules have to be added before the DROP rule is appended.

With that in place, the VM extension can still clear the iptables rules even after this catch-all rule is added:

iptables -A INPUT -s 0/0 -j DROP
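As an added example (not from the post), here is a small audit of an iptables-save dump for exactly the ordering mistake described above: it locates the first ESTABLISHED,RELATED (or conntrack RELATED,ESTABLISHED) ACCEPT in INPUT and the first blanket DROP, and fails if the DROP comes first or if there is no such ACCEPT at all while something drops traffic. DROP rules restricted with --dport, like the ssh block in section 1, are ignored because the agent's replies arrive on ephemeral ports. The rulesets in the test are constructed, mirroring the rules on this page.

```bash
#!/bin/bash
# Added example, not from the post: audit an iptables-save dump for the rule
# ordering that cuts the Azure agent off. INPUT is walked top to bottom and -A
# appends, so the ESTABLISHED,RELATED ACCEPT must sit above any blanket DROP;
# otherwise replies to the VM's own outbound flows (the 40.x.x.x:443 and
# 168.63.129.16:80 connections in the netstat output) are dropped and no
# extension can ever run. Reads iptables-save output on stdin.

# Print the 1-based position of the first INPUT rule that matches the awk ERE
# in $1 and does not match the ERE in $2 (default: match nothing); print
# nothing if no rule qualifies.
input_rule_pos() {
    awk -v re="$1" -v skip="${2:-^\$}" '
        /^-A INPUT / { n++; if (!hit && $0 ~ re && $0 !~ skip) hit = n }
        END { if (hit) print hit }'
}

# Exit 0 when return traffic to the agent still gets in; exit 1 otherwise.
# A one-line verdict goes to stdout either way.
check_agent_reachable() {
    rules=$(cat)
    est=$(printf '%s\n' "$rules" | input_rule_pos '--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT$')
    # DROP rules carrying a --dport (e.g. the ssh block) do not hit the
    # agent's ephemeral-port replies, so they are not counted as blanket drops.
    drop=$(printf '%s\n' "$rules" | input_rule_pos '-j DROP$' '--dport ')
    policy=$(printf '%s\n' "$rules" | awk '/^:INPUT / { print $2 }')

    if [ -z "$est" ]; then
        if [ -n "$drop" ] || [ "$policy" = "DROP" ]; then
            echo "FAIL: no ESTABLISHED,RELATED ACCEPT in INPUT; replies to the agent are dropped"
            return 1
        fi
        echo "ok: INPUT drops nothing that reaches the agent"
        return 0
    fi
    if [ -n "$drop" ] && [ "$drop" -lt "$est" ]; then
        echo "FAIL: DROP at rule $drop precedes the ESTABLISHED,RELATED ACCEPT at rule $est (insert it with iptables -I INPUT 1)"
        return 1
    fi
    echo "ok: ESTABLISHED,RELATED ACCEPT at rule $est precedes any blanket DROP"
    return 0
}

# On the VM:  iptables-save | ./check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_agent_reachable
fi
```

Run it before appending a catch-all DROP, not after: once the extension path is cut, the only remaining ways in are the rollback timer and the serial console.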
