(iptables) How to drop all incoming traffic except a few IP ranges (default drop; allow only one country)


My goal is to use iptables to drop almost all requests coming from countries other than Germany.

The most effective solution in 2022 is still this five-year-old script.

(Source: https://www.cyberciti.biz/faq/block-entier-country-using-iptables/)

With the help of that script template and a few iptables tutorials, I was able (more or less accurately) to allow only German IP ranges.

This is my modified script (it is not optimized yet, but it should block every non-German IP request):

#!/bin/bash
ISO="de"

IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# create the directory for the downloaded zone files if it does not exist
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# flush all existing rules, then create the country chain
$IPT -F

$IPT -N $SPAMLIST

# download the zone file of each country and add one rule per network block
for c in $ISO
do
    tDB=$ZONEROOT/$c.zone
    $WGET -O $tDB $DLROOT/$c.zone
    BADIPS=$($EGREP -v "^#|^$" $tDB)
    for ipblock in $BADIPS
    do
       # drop packets whose source is not this block
       $IPT -A $SPAMLIST ! -s $ipblock -j DROP
    done
done
exit 0

But when I let the script run, it creates the rules, and then, when I want to set the default rule for incoming traffic to DROP, it locks me out immediately.

I know that iptables processes rules from top to bottom, but now I am not sure how to handle that in the script.

Or do I not need to create a default incoming chain/rule that blocks everything, since I already block everything except German IP addresses? Or should I put the default drop at the top of the script? This is how I edit the default incoming rule:

iptables --policy INPUT DROP

...but it feels a bit bad if I leave the default incoming rule unchanged... What do you think?

In the end I want to:

  • block everything by default
    • except German IP addresses
    • and open about 5 ports (only for German IP addresses)

I would be very happy if I could handle this with a single script that always runs at boot! :-)

P.S.: I am sure I am not the only one looking for an up-to-date solution for this task; it would be great if someone could help find a solution for this case :-)

Answer 1

Your script has several problems. This answer uses your basic structure, but I suggest you use ipset for the allow list instead (I may add the ipset method to this answer in the future). The modified script:

#!/bin/bash

ISO="de"

IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

ALLOWLIST="countryaccept"
ZONEROOT="/home/doug/iptables/misc/ask1412134/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
UNIVERSE="0.0.0.0/0"

# The network interface card is set for my test computer. Change to users NIC name.
#
NIC=br0

echo ask1412134 begin.

[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# set default policy to ACCEPT while we build the list
#
$IPT -P INPUT ACCEPT

# flush all rules
#
$IPT -F

$IPT -N $ALLOWLIST

# build the list
#
for c  in $ISO
do
    tDB=$ZONEROOT/$c.zone
    $WGET -O $tDB $DLROOT/$c.zone
    GOODIPS=$($EGREP -v "^#|^$" $tDB)
    for ippermit in $GOODIPS
    do
       $IPT -A $ALLOWLIST -s $ippermit -j ACCEPT
    done
done

# add the usual INPUT ACCEPT rules
#
# loopback interfaces are valid.
#
$IPT -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Allow any related traffic coming back to the server in.
#
$IPT -A INPUT -i $NIC -m state --state ESTABLISHED,RELATED -j ACCEPT

# All other traffic needs to be verified as being from Germany
#
$IPT -A INPUT -i $NIC -j $ALLOWLIST

# SPECIAL: For my test computer:
# Allow new SSH connections from my desktop
# The end user will remove this.
#
$IPT -A INPUT -i $NIC -s 192.168.111.122 -d 192.168.111.136 -p tcp --dport 22 -j ACCEPT

# For unknown reasons the INPUT chain policy packet counter is not incrementing,
# even though it seems to be working fine. Specifically add a log-n-drop rule pair here.
#
$IPT -A INPUT -j LOG --log-prefix "IBLOCK:" --log-level info
$IPT -A INPUT -j DROP

# Now we are ready for DROP default policy
#
$IPT -P INPUT DROP

echo ask1412134 done.

Example usage:

doug@s19:~/iptables/misc/ask1412134$ sudo iptables -xvnL | head -20
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2      100 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     154     9024 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     208    42712 countryaccept  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     tcp  --  br0    *       192.168.111.122      192.168.111.136      tcp dpt:22
     208    42712 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "IBLOCK:"
     208    42712 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain countryaccept (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       192.69.234.0/24      0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       198.176.223.0/24     0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       198.176.224.0/22     0.0.0.0/0

And I pinged from an unauthorized computer:

doug@s19:~/iptables/misc/ask1412134$ grep IBLOCK /var/log/syslog
Jun  4 08:20:11 s19 kernel: [686010.878096] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39198 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1056
Jun  4 08:20:12 s19 kernel: [686011.918074] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39211 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1057
Jun  4 08:20:13 s19 kernel: [686012.709961] IBLOCK:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:84:ea:ed:46:57:cc:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Jun  4 08:20:13 s19 kernel: [686012.958083] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1058
Jun  4 08:20:14 s19 kernel: [686013.998108] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39269 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1059
Jun  4 08:20:15 s19 kernel: [686015.038138] IBLOCK:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:b8:27:eb:f7:ec:c9:08:00 SRC=192.168.111.133 DST=192.168.111.136 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39345 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1060
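As an added example that is not part of the question or the answer: a small Python simulation of first-match INPUT-chain evaluation that parses the ipdeny zone-file format both scripts download, shows why the asker's per-block `! -s <block> -j DROP` rules drop even German sources (any address falls outside at least one block), and shows how an allow-then-drop chain limited to a few ports behaves. The prefixes and port numbers are constructed, not a real country list.

```python
import ipaddress

# Constructed sample in the ipdeny zone-file layout: comments, blank lines, one CIDR per line.
ZONE_DE = """# German zone (constructed sample, not real data)
192.69.234.0/24

198.176.223.0/24
198.176.224.0/22
"""


def parse_zone(text):
    """Mirror egrep -v "^#|^$": skip comments and blank lines, validate each CIDR."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def evaluate(rules, src, dport=None, policy="DROP"):
    """First-match walk over a chain, like iptables: the first rule whose
    source and port match decides; otherwise the chain policy applies.
    A rule is (network or None, negate_source, dport or None, target)."""
    ip = ipaddress.ip_address(src)
    for net, negate, port, target in rules:
        src_ok = True if net is None else ((ip in net) != negate)
        port_ok = port is None or port == dport
        if src_ok and port_ok:
            return target
    return policy


def asker_rules(nets):
    # The question's chain: "! -s <block> -j DROP" for every block. A German
    # address matches its own block but is outside the others, so it is dropped too.
    return [(n, True, None, "DROP") for n in nets]


def answer_rules(nets, ports=(22, 80, 443)):
    # Allow-then-drop: accept the zone's blocks on the chosen ports only, then
    # an explicit final DROP (the answer's log-n-drop pair). The DROP policy is
    # set only after the accepts exist, so building the list cannot lock you out.
    rules = [(n, False, p, "ACCEPT") for n in nets for p in ports]
    rules.append((None, False, None, "DROP"))
    return rules
```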
