Block all traffic on a specific interface

I am trying to block all traffic on a specific interface (external wireless) except browsing, using ufw, as follows:

 sudo ufw enable
 sudo ufw deny out on wlx00252245ed96
 sudo ufw allow out on wlx00252245ed96 to any from any port 80 proto tcp 
 sudo ufw allow out on wlx00252245ed96 to any from any port 80 proto udp
 sudo ufw allow out on wlx00252245ed96 to any from any port 443 proto tcp 
 sudo ufw allow out on wlx00252245ed96 to any from any port 443 proto udp

But I still can't browse! Am I missing something?

Here is the ufw status:

~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY OUT    Anywhere on wlx00252245ed96
Anywhere                   ALLOW OUT   80/tcp on wlx00252245ed96 
Anywhere                   ALLOW OUT   80/udp on wlx00252245ed96 
Anywhere                   ALLOW OUT   443/tcp on wlx00252245ed96
Anywhere                   ALLOW OUT   443/udp on wlx00252245ed96
Anywhere (v6)              DENY OUT    Anywhere (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   80/tcp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   80/udp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   443/tcp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   443/udp (v6) on wlx00252245ed96

Here is iptables -L -v:

Chain INPUT (policy DROP 1 packets, 32 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2329  780K ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp dpt:bootps
    0     0 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp dpt:bootps
  232 14695 ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp dpt:domain
13379 3073K ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
13379 3073K ufw-before-input  all  --  any    any     anywhere             anywhere            
  787  782K ufw-after-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-reject-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-track-input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
10621 1128K ACCEPT     all  --  any    ens33   anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
  845 89027 ACCEPT     all  --  ens33  any     10.42.0.0/24         anywhere            
    0     0 ACCEPT     all  --  ens33  ens33   anywhere             anywhere            
    0     0 REJECT     all  --  any    ens33   anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  ens33  any     anywhere             anywhere             reject-with icmp-port-unreachable
    8   528 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-before-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-after-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-reject-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-track-forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 1 packets, 48 bytes)
 pkts bytes target     prot opt in     out     source               destination         
22932 2072K ufw-before-logging-output  all  --  any    any     anywhere             anywhere            
22932 2072K ufw-before-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-after-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-reject-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-track-output  all  --  any    any     anywhere             anywhere            

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   468 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    1   229 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    32 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere            

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   49  3100 ACCEPT     all  --  lo     any     anywhere             anywhere            
    5   803 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    1   360 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    8   729 ufw-not-local  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    8   729 ufw-user-input  all  --  any    any     anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   49  3100 ACCEPT     all  --  any    lo      anywhere             anywhere            
   13  2099 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   67  8696 ufw-user-output  all  --  any    any     anywhere             anywhere            

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    1    32 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    7   697 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   697 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
    6  1968 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   59  6632 DROP       all  --  any    wlx00252245ed96  anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:http
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:http
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:https
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:https

Answer 1

There are at least two problems. First, your general deny rule comes before your specific allow rules, so the allow rules are never reached. Second, your allow rules are based on the source port, but they need to be based on the destination port.

Incidentally, for what you want to do, you don't need udp.

There may be some other issues before everything works properly. For example, you may need to allow port 53 for DNS (tcp and udp).

So (disclaimer: I don't use ufw, only iptables, so I'm guessing the syntax):

sudo ufw allow out on wlx00252245ed96 to any port 80 proto tcp from any
sudo ufw allow out on wlx00252245ed96 to any port 443 proto tcp from any
sudo ufw deny out on wlx00252245ed96

In iptables, the allow rules you need look like this (on my test machine; I can't run the DROP rule as an example because it would break my test machine):

Chain OUTPUT (policy ACCEPT 55 packets, 3244 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      enp9s0  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0        0 ACCEPT     tcp  --  *      enp9s0  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
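A way to check a dumped ufw-user-output chain for the two mistakes the answer identifies (rule ordering and spt: instead of dpt:). This is an added example, not code from the question or the answer; the chain text is the one from the question, embedded as a constructed sample, and the function names are my own:

```shell
# Constructed sample: the ufw-user-output chain from the question's
# `iptables -L -v` output, embedded so the audit runs offline.
CHAIN_DUMP='Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   59  6632 DROP       all  --  any    wlx00252245ed96  anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:http
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:http
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:https
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:https'

# Problem 1: ACCEPT rules that sit after a catch-all DROP/REJECT on the
# same out-interface can never match. Prints how many such rules exist
# for interface $1 (columns: pkts bytes target prot opt in out ...).
shadowed_allows() {
  printf '%s\n' "$CHAIN_DUMP" | awk -v iface="$1" '
    ($3 == "DROP" || $3 == "REJECT") && $4 == "all" && $7 == iface { blocked = 1; next }
    $3 == "ACCEPT" && $7 == iface && blocked { n++ }
    END { print n + 0 }'
}

# Problem 2: outbound web rules must match the destination port (dpt:),
# not the source port (spt:). Counts ACCEPT rules that match on spt:.
spt_allows() {
  printf '%s\n' "$CHAIN_DUMP" | awk '
    $3 == "ACCEPT" && / spt:/ { n++ }
    END { print n + 0 }'
}

# Human-readable report; returns 1 when either problem is present, 0 when clean.
audit_chain() {
  iface=$1
  shadowed=$(shadowed_allows "$iface")
  spt=$(spt_allows)
  [ "$shadowed" -gt 0 ] && echo "ordering: $shadowed ACCEPT rule(s) on $iface are shadowed by an earlier catch-all DROP"
  [ "$spt" -gt 0 ] && echo "ports: $spt ACCEPT rule(s) match the source port (spt:) instead of the destination port"
  [ "$shadowed" -eq 0 ] && [ "$spt" -eq 0 ]
}

# Sample usage: the question's chain trips both checks.
audit_chain wlx00252245ed96 || echo "-> move the allow rules above the deny and match dpt:"
```

Run it against a live system with `CHAIN_DUMP=$(sudo iptables -L ufw-user-output -v)` before calling `audit_chain` on the interface name.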
