

iptables rules for jupyter notebook

Having trouble with the iptables settings for jupyter notebook. With the following rules (assume notebook port 8888), the jupyter notebook server is launched successfully, but the actual notebook kernel fails to start/establish.

By commenting out the last iptables rule "-A OUTPUT -j DROP", everything works fine.

Any thoughts?

-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP

Often tools like jupyter use the loopback device (localhost) to access certain features. For example, jupyter has a frontend that communicates over HTTP with the notebook server, which sends messages via sockets to the IPython Kernel (see: https://jupyter.readthedocs.io/en/latest/architecture/how_jupyter_ipython_work.html ).

I would add the following rules:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

These rules allow input and output to and from the loopback device (localhost).

The above answer is the right fix, however the documentation pointed to is broken; the current documentation about the Jupyter client's communication with the IPython kernel is here: https://jupyter-client.readthedocs.io/en/latest/messaging.html

Additionally, this is the correct order for adding iptables rules, for anyone struggling with this:

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

iptables rules exist as chains. Incoming, outgoing, and pass-through packets are examined one rule at a time in the corresponding chain, and are handled based on the first rule that matches. With the above ordering, packets with a loopback address are allowed through freely, but all other traffic is blocked. This blocks pip installs, apt updates, telnet, netcat, etc.
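As an added example (this is not code from the question or from either answer above): a small POSIX shell script that emits the rule set from the last answer in an order that works, applies it, and checks an `iptables -S` listing to confirm that the loopback ACCEPT sits before the chain's catch-all DROP. The check matters because iptables stops at the first matching rule: appending the first answer's `-A INPUT -i lo -j ACCEPT` to a chain that already ends in `-A INPUT -j DROP` puts the loopback rule after the DROP, where it never matches. The reason the loopback rule is needed at all is that the Jupyter server reaches each kernel over ZeroMQ sockets bound to 127.0.0.1 on per-kernel ports, not on 8888, so only the `lo` rules cover that traffic. Port 8888 and the `-m state` match are taken from the thread; the function names, the `NOTEBOOK_PORT` variable, the `apply`/`show`/`check` subcommands and the constructed `BROKEN_OUTPUT` listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original question or answers.
# Assumptions: notebook port 8888 (override with NOTEBOOK_PORT), an iptables
# that supports "-m state", and "iptables -S <chain>" output for the checker.
# Only the "apply" and "check" subcommands touch the live firewall (root needed).

PORT="${NOTEBOOK_PORT:-8888}"

# Print the rule set in the order it must be appended: loopback ACCEPTs and the
# port rules all come before the terminal DROPs. The "-o lo" rule is what keeps
# "-A OUTPUT -j DROP" from cutting the server off from its kernels on 127.0.0.1.
rules_for_port() {
    port="$1"
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport $port -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport $port -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport $port -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport $port -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
EOF
}

# Given a chain name and an "iptables -S <chain>" style listing, succeed only if
# a loopback ACCEPT for that chain is listed before the chain's catch-all DROP.
# First match wins, so a DROP listed earlier makes a later lo rule dead code.
check_lo_before_drop() {
    chain="$1"
    listing="$2"
    lo_line=$(printf '%s\n' "$listing" \
        | grep -n -- "^-A $chain -[io] lo -j ACCEPT" | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$listing" \
        | grep -n -- "^-A $chain -j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ]
}

# Flush INPUT/OUTPUT and append the rule set above (requires root). The chain
# policies stay ACCEPT; the explicit "-j DROP" rules at the end do the filtering.
apply_rules() {
    iptables -F INPUT
    iptables -F OUTPUT
    rules_for_port "$PORT" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        iptables $rule
    done
}

# Constructed listing mirroring the asker's original OUTPUT chain (no lo rule):
# with this in place the server's own 127.0.0.1 connections to kernels are dropped.
BROKEN_OUTPUT='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
-A OUTPUT -j DROP'

case "${1:-}" in
    show)  rules_for_port "$PORT" ;;
    apply) apply_rules ;;
    check) check_lo_before_drop INPUT "$(iptables -S INPUT)" \
               && check_lo_before_drop OUTPUT "$(iptables -S OUTPUT)" \
               && echo "loopback ACCEPT precedes DROP in both chains" ;;
esac
```

Saved as, say, `rules.sh`: `sh rules.sh show` prints the rules, `sudo sh rules.sh apply` installs them, and `sudo sh rules.sh check` reads the live chains and reports whether the loopback rules are in front of the DROPs. The `check` subcommand is the one to run after adding the first answer's two commands to an existing chain, since `-A` appends after an existing `-j DROP`. Everything else about the rule set is unchanged from the thread, including the fact that all other outbound traffic (pip, apt, etc.) is still dropped.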
