我的一个应用程序正在连接到 Google,但我不知道为什么。我通过查看
sudo netstat -atupen
tcp 0 0 <local_ip>:36038 172.217.166.110:443 ESTABLISHED 1000 133785 6456/perl
进行whois反对,得到:
NetRange: 172.217.0.0 - 172.217.255.255
CIDR: 172.217.0.0/16
我想阻止所有往返于该 IP 或 IP 范围 (172.217.0.0/16) 的连接,以便不发送或接收任何数据包。
我如何使用 UFW 或 IPtables 来做到这一点,以及如何验证范围内的任何 IP172.217.0.0 - 172.217.255.255是否被阻止?
我正在使用 Ubuntu 20.04 ufw 0.36。
答案1
问题 1:如何使用 UFW 或 IPtables 来实现这一点?
这个答案是关于 iptables 的。
要阻止某个范围的 IP 地址,请在任何全局 ACCEPT 之前在 INPUT 和 OUTPUT 链中尽早将其 DROP。
例子:
#!/bin/sh
FWVER=0.01
#
# vxsa4_rules Smythies 2020.10.11 Ver:0.01
# See here:
# https://askubuntu.com/questions/1281796/block-access-to-an-ip
#
# run as sudo on s18.
#
# Note: These rules likely need to be merged with
# any existing iptables rules set.
echo "Loading vxsa4_rules rule set version $FWVER..\n"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Set for Smythies (for testing). Edit for vxsa4 settings.
EXTIF="enp3s0"
EXTIP="192.168.111.122"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"
# Clearing any previous configuration
# Be careful here. I can do this on s18, but do not know
# about vxsa4's computer.
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z
# Do not allow in any traffic from 172.217.0.0/16
$IPTABLES -A INPUT -s 172.217.0.0/16 -i $EXTIF -j DROP
# Do not allow out any traffic to 172.217.0.0/16
$IPTABLES -A OUTPUT -d 172.217.0.0/16 -j DROP
# At this point carry on. You need to merge this into your existing iptables rule set.
#
echo vxsa4_rules rule set version $FWVER done.
导致:
doug@s18:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 95 packets, 6543 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- enp3s0 * 172.217.0.0/16 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 60 packets, 6821 bytes)
pkts bytes target prot opt in out source destination
9 756 DROP all -- * * 0.0.0.0/0 172.217.0.0/16
问题 2:如何验证 172.217.0.0 - 172.217.255.255 范围内的任何 IP 是否被阻止?
上面的规则列表包含数据包/字节计数器,您可以观察到该规则被触发了 9 次。同时,我做了以下事情:
$ ping google.com
PING google.com (172.217.3.174) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
...
ping: sendmsg: Operation not permitted
^C
--- google.com ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8230ms
在加载 iptables 规则之前(如图所示)和之后(没有任何传出,符合预期),我也运行了 tcpdump:
doug@s18:~$ sudo tcpdump -n -tttt -i enp3s0 net 172.217.0.0/16
[sudo] password for doug:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-10-11 14:56:54.896447 IP 192.168.111.122 > 172.217.3.174: ICMP echo request, id 3, seq 1, length 64
2020-10-11 14:56:54.919209 IP 172.217.3.174 > 192.168.111.122: ICMP echo reply, id 3, seq 1, length 64
2020-10-11 14:56:56.381115 IP 192.168.111.122 > 172.217.3.174: ICMP echo request, id 3, seq 2, length 64
2020-10-11 14:56:56.404016 IP 172.217.3.174 > 192.168.111.122: ICMP echo reply, id 3, seq 2, length 64