Copyright notice: this article is the blogger's original work, licensed under CC 4.0 BY-SA. When reposting, please include a link to the original source and this notice.
1. Check the jump host's IP address
[root@node-2 ~]# ip a show br-pub
13: br-pub: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
link/ether 26:78:e9:13:76:49 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.3/24 brd 172.18.0.255 scope global br-pub
valid_lft forever preferred_lft forever
inet 172.18.0.2/32 scope global br-pub
valid_lft forever preferred_lft forever
2. Check whether port 30900 is open (listening)
[root@node-2 ~]# ss -nlut | grep 30900
tcp LISTEN 0 128 :::30900 :::*
3. View the iptables INPUT chain rules
[root@node-2 ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 44 packets, 3545 bytes)
num pkts bytes target prot opt in out source destination
1 22M 83G ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 44M 13G ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8001
3 52M 4678M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4789
4 5591M 4734G KUBE-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */
5 5591M 4734G KUBE-FIREWALL all -- * * 0.0.0.0/0 0.0.0.0/0
6 2355K 198M ACCEPT icmp -- br-pub * 0.0.0.0/0 0.0.0.0/0
7 34M 3853M ACCEPT tcp -- br-pub * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
8 4774K 869M ACCEPT tcp -- br-pub * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
9 62963 3335K ACCEPT tcp -- br-pub * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8899 /* Allow sysreport */
10 1383K 55M ACCEPT all -- br-pub * 0.0.0.0/0 224.0.0.0/8 /* Allow VRRP */
11 5476M 4723G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 19328 1163K DROP all -- br-pub * 0.0.0.0/0 0.0.0.0/0
4. Insert an ACCEPT rule at position 4 (rules are matched top-down, so it must sit above the trailing DROP)
[root@node-2 ~]# iptables -I INPUT 4 -p tcp --dport 30900 -j ACCEPT
5. Delete that rule (by its position in the chain)
[root@node-2 ~]# iptables -D INPUT 4
6. Example
(1) Accessing a Prometheus service on another internal host fails:
[root@xhw xhw]# curl 10.8.0.254:9090
curl: (7) Failed connect to 10.8.0.254:9090; No route to host
(2) Cause: the firewall on the target host does not allow port 9090. A new connection falls through to the final REJECT rule, whose icmp-host-prohibited answer is what curl reports as "No route to host".
[root@master ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
5 3680 4358K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
6 99 5940 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 1150 146K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
8 1150 146K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
9 1150 146K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
10 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
11 1146 146K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
(3) Allow port 9090 on that host with iptables, inserting the rule above the REJECT
[root@master ~]# iptables -I INPUT 5 -p tcp --dport 9090 -j ACCEPT
[root@master ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090
6 4164 4616K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7 104 6240 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
8 1179 150K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
9 1179 150K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
10 1179 150K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
11 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
12 1175 150K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
(4) Try the request again
[root@xhw xhw]# curl 10.8.0.254:9090
<a href="/graph">Found</a>.
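The whole post turns on one fact: the INPUT chain is evaluated top-down and the first ACCEPT, DROP or REJECT that matches decides the packet, which is why steps 4 and 5 and the example in step 6 insert the new rule at a numbered position instead of appending it. The script below is an added example, not part of the original post: it parses the `iptables -nvL INPUT --line` listing from step 6(2) (embedded here as constructed sample text), simulates a new TCP connection to port 9090, and reports which rule wins before the change, after `-I INPUT 5`, and after an `-A` that would have landed below the REJECT. Jumps to user chains such as INPUT_ZONES are assumed to return without a verdict, and the inbound interface name is a constructed placeholder since the listing does not show it.

```python
"""Simulate first-match evaluation of an `iptables -nvL INPUT --line` listing.

Added example, not from the original post. Targets other than ACCEPT/DROP/REJECT
(jumps to user chains such as INPUT_ZONES) are assumed to return with no verdict.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the "before" listing from step 6(2) of the post.
BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
5 3680 4358K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
6 99 5940 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 1150 146K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
8 1150 146K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
9 1150 146K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
10 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
11 1146 146K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str = ""  # trailing match text, e.g. "tcp dpt:9090" or "ctstate INVALID"


@dataclass
class Packet:
    proto: str = "tcp"
    dport: int = 9090
    in_if: str = "eth0"      # constructed placeholder: the listing does not name the NIC
    dst: str = "10.8.0.254"  # the Prometheus host from the post
    state: str = "NEW"       # a fresh curl connection is conntrack state NEW


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)


def parse_listing(text: str) -> Chain:
    """Parse `iptables -nvL <chain> --line` output into a Chain."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    policy = re.search(r"\(policy (\w+)", lines[0]).group(1)
    chain = Chain(policy)
    for ln in lines[2:]:  # skip the "Chain ..." and column-header lines
        f = ln.split(None, 10)  # num pkts bytes target prot opt in out src dst [extra]
        extra = f[10] if len(f) > 10 else ""
        chain.rules.append(Rule(f[3], f[4], f[6], f[7], f[8], f[9], extra))
    return chain


def matches(rule: Rule, pkt: Packet) -> bool:
    """Apply the subset of match criteria visible in the listing."""
    if rule.prot not in ("all", pkt.proto):
        return False
    if rule.in_if not in ("*", pkt.in_if):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    m = re.search(r"dpt:(\d+)", rule.extra)
    if m and int(m.group(1)) != pkt.dport:
        return False
    m = re.search(r"(?:ct)?state (\S+)", rule.extra)  # handles both -m state and -m conntrack
    if m and pkt.state not in m.group(1).split(","):
        return False
    return True


def verdict(chain: Chain, pkt: Packet):
    """Return (rule number, target) of the first terminal match, else (None, policy)."""
    for num, rule in enumerate(chain.rules, start=1):
        if rule.target in TERMINAL and matches(rule, pkt):
            return num, rule.target
    return None, chain.policy


def insert(chain: Chain, position: int, rule: Rule) -> None:
    """Model `iptables -I <chain> <position> ...` (1-based, as iptables numbers rules)."""
    chain.rules.insert(position - 1, rule)


def append(chain: Chain, rule: Rule) -> None:
    """Model `iptables -A <chain> ...`."""
    chain.rules.append(rule)


def demo() -> dict:
    """Evaluate a new connection to tcp/9090 against before/after variants of the chain."""
    open_9090 = Rule("ACCEPT", "tcp", "*", "*", "0.0.0.0/0", "0.0.0.0/0", "tcp dpt:9090")
    pkt = Packet()
    results = {}
    before = parse_listing(BEFORE)
    results["before"] = verdict(before, pkt)                  # (11, 'REJECT')
    inserted = parse_listing(BEFORE)
    insert(inserted, 5, open_9090)                            # iptables -I INPUT 5 ...
    results["insert_at_5"] = verdict(inserted, pkt)           # (5, 'ACCEPT')
    appended = parse_listing(BEFORE)
    append(appended, open_9090)                               # iptables -A INPUT ... (too late)
    results["append"] = verdict(appended, pkt)                # (11, 'REJECT')
    results["established"] = verdict(before, Packet(state="ESTABLISHED"))  # (5, 'ACCEPT')
    return results


if __name__ == "__main__":
    for name, (num, target) in demo().items():
        print(f"{name:12s} -> rule {num}: {target}")
```

Two practitioner notes follow from the listing itself. The INPUT_direct / INPUT_ZONES chains show that the second host runs firewalld, and a rule added with a bare `iptables -I` is neither persisted across reboots nor known to firewalld, so a `firewall-cmd --reload` will silence it; `firewall-cmd --permanent --add-port=9090/tcp` followed by `--reload` is the durable form. Both rules in the post also match source 0.0.0.0/0; a monitoring port like 9090 is normally restricted with `-s` (or a firewalld rich rule) to the hosts that actually need to scrape it.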