Block access to an IP


One of my applications is connecting to Google, but I don't know why. I found this by looking at

sudo netstat -atupen

tcp        0      0 <local_ip>:36038    172.217.166.110:443     ESTABLISHED 1000       133785     6456/perl 

Running whois against that address gives:

NetRange:       172.217.0.0 - 172.217.255.255
CIDR:           172.217.0.0/16

I want to block all connections to and from that IP, or the IP range (172.217.0.0/16), so that no packets are sent or received.

How can I do this with UFW or iptables, and how can I verify that every IP in the range 172.217.0.0 - 172.217.255.255 is blocked?

I am using Ubuntu 20.04 with ufw 0.36.

Answer 1

Question 1: How can I do this with UFW or iptables?
This answer is about iptables.

To block a range of IP addresses, DROP it as early as possible in the INPUT and OUTPUT chains, before any global ACCEPT.

Example:

#!/bin/sh
FWVER=0.01
#
# vxsa4_rules Smythies 2020.10.11 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1281796/block-access-to-an-ip
#
#       run as sudo on s18.
#
#       Note: These rules likely need to be merged with
#       any existing iptables rules set.

echo "Loading vxsa4_rules rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Set for Smythies (for testing). Edit for vxsa4 settings.
EXTIF="enp3s0"
EXTIP="192.168.111.122"

NETWORK="192.168.111.0/24"

UNIVERSE="0.0.0.0/0"

# Clearing any previous configuration
# Be careful here. I can do this on s18, but do not know
# about vxsa4's computer.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# Do not allow in any traffic from 172.217.0.0/16
$IPTABLES -A INPUT -s 172.217.0.0/16 -i $EXTIF -j DROP

# Do not allow out any traffic to 172.217.0.0/16
$IPTABLES -A OUTPUT -d 172.217.0.0/16 -j DROP

# At this point carry on. You need to merge this into your existing iptables rule set.
#
echo vxsa4_rules rule set version $FWVER done.

Resulting in:

doug@s18:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 95 packets, 6543 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  enp3s0 *       172.217.0.0/16       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 60 packets, 6821 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       9      756 DROP       all  --  *      *       0.0.0.0/0            172.217.0.0/16

Question 2: How can I verify that every IP in the range 172.217.0.0 - 172.217.255.255 is blocked?
The rule listing above includes packet/byte counters, and you can see that the rule was triggered 9 times. At the same time, I did the following:

$ ping google.com
PING google.com (172.217.3.174) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
...
ping: sendmsg: Operation not permitted
^C
--- google.com ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8230ms

I also ran tcpdump before loading the iptables rules (as shown) and after (no outgoing traffic at all, as expected):

doug@s18:~$ sudo tcpdump -n -tttt -i enp3s0 net 172.217.0.0/16
[sudo] password for doug:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-10-11 14:56:54.896447 IP 192.168.111.122 > 172.217.3.174: ICMP echo request, id 3, seq 1, length 64
2020-10-11 14:56:54.919209 IP 172.217.3.174 > 192.168.111.122: ICMP echo reply, id 3, seq 1, length 64
2020-10-11 14:56:56.381115 IP 192.168.111.122 > 172.217.3.174: ICMP echo request, id 3, seq 2, length 64
2020-10-11 14:56:56.404016 IP 172.217.3.174 > 192.168.111.122: ICMP echo reply, id 3, seq 2, length 64
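The answer verifies the block by eye, reading the packet counters in iptables -xvnL and watching ping fail. The following is an added example (not the answerer's code and not from the Ubuntu project) that does the same two checks programmatically: it scans netstat -atupen output for connections whose foreign address falls inside 172.217.0.0/16, and it parses iptables -xvnL output to confirm that a DROP rule for that network exists in both INPUT and OUTPUT and to report each rule's packet counter. The NETSTAT_SAMPLE and IPTABLES_SAMPLE strings are constructed inputs modelled on the listings above (the local address 192.168.111.122 and the sshd/apache2 lines are made up), so the script runs offline; on a real host you would feed it the output of the two commands instead.

```python
import ipaddress
import re
import sys

# The range the question wants blocked (from the whois CIDR line).
BLOCKED_NET = ipaddress.ip_network("172.217.0.0/16")

# Constructed sample of `sudo netstat -atupen` output; only the perl line
# is taken from the question, the others are made up for contrast.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 192.168.111.122:36038   172.217.166.110:443     ESTABLISHED 1000       133785     6456/perl
tcp        0      0 192.168.111.122:22      192.168.111.5:51234     ESTABLISHED 0          12345      900/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      0          23456      1200/apache2
"""

# Constructed sample of `sudo iptables -xvnL` output, modelled on the answer's listing.
IPTABLES_SAMPLE = """\
Chain INPUT (policy ACCEPT 95 packets, 6543 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  enp3s0 *       172.217.0.0/16       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 60 packets, 6821 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       9      756 DROP       all  --  *      *       0.0.0.0/0            172.217.0.0/16
"""


def in_blocked_range(ip, net=BLOCKED_NET):
    """True if the single address `ip` lies inside `net`."""
    return ipaddress.ip_address(ip) in net


def connections_to_net(netstat_text, net=BLOCKED_NET):
    """Return (foreign_addr, state, program) for every tcp/udp line of
    `netstat -atupen` output whose foreign address is inside `net`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        foreign = fields[4]
        host, _, _port = foreign.rpartition(":")   # split off the port
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:                          # "*", "::" or unparsable
            continue
        if addr in net:
            # udp lines carry no State column; tcp lines do.
            state = fields[5] if fields[0].startswith("tcp") else "-"
            hits.append((foreign, state, fields[-1]))
    return hits


def drop_rules_for_net(iptables_text, net=BLOCKED_NET):
    """Parse `iptables -xvnL` output and return {chain: packet_counter} for
    every DROP rule whose source or destination is exactly `net`."""
    found = {}
    chain = None
    for line in iptables_text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        fields = line.split()
        # Rule rows: pkts bytes target prot opt in out source destination
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        pkts, target, src, dst = int(fields[0]), fields[2], fields[7], fields[8]
        if target == "DROP" and net in (ipaddress.ip_network(src), ipaddress.ip_network(dst)):
            found[chain] = pkts
    return found


def block_is_complete(iptables_text, net=BLOCKED_NET):
    """The question asks for both directions: require a DROP in INPUT and OUTPUT."""
    rules = drop_rules_for_net(iptables_text, net)
    return "INPUT" in rules and "OUTPUT" in rules


if __name__ == "__main__":
    for foreign, state, prog in connections_to_net(NETSTAT_SAMPLE):
        print(f"connection to blocked range: {foreign} {state} {prog}")
    rules = drop_rules_for_net(IPTABLES_SAMPLE)
    for chain, pkts in rules.items():
        print(f"{chain}: DROP rule for {BLOCKED_NET} present, {pkts} packets matched")
    if not block_is_complete(IPTABLES_SAMPLE):
        print("WARNING: block is missing in INPUT or OUTPUT", file=sys.stderr)
        sys.exit(1)
```

On a live system, replace the two sample strings with subprocess output from sudo netstat -atupen and sudo iptables -xvnL; a growing OUTPUT counter together with an empty connections_to_net() result is the programmatic equivalent of the "Operation not permitted" ping and the silent tcpdump in the answer.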
