How to allow traffic on a port from a specific IP in iptables


I want to block traffic on port 5041 from every IP except 10.2.3.4.

First I grant that IP access to the port, like this:

iptables -A IN_public_allow -s 10.2.3.4 -p tcp -m tcp --dport 5041 -m conntrack --ctstate NEW -j ACCEPT

Then I block access for all IPs:

iptables -A IN_public_allow -p tcp -m tcp --dport 5041 -m conntrack --ctstate NEW -j DROP

So in theory I should only be able to reach the port from IP 10.2.3.4, but that is not what happens. I tested with ncat, using the -s option to change the source address:

ncat.exe -s 10.2.3.5 -zv  10.78.21.51 5041
libnsock mksock_bind_addr(): Bind to 10.2.3.5:0 failed (IOD #1): The requested address is not valid in its context.  (10049)
Ncat: Connected to :10.78.21.51:5041.
Ncat: 0 bytes sent, 0 bytes received in 0.12 seconds

So the command appears to connect to the port from IP 10.2.3.5, even though it should not be able to. I don't know what the "libnsock mksock_bind_addr(): Bind to 10.2.3.5:0 failed" error means. Please help, thanks.

Edit: as requested, the output of iptables -xvnL:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
642614522 702873881336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  454146 27240797 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  392972 20241510 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  392972 20241510 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  392972 20241510 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       3      120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    4070   483366 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 326255 packets, 205303698 bytes)
    pkts      bytes target     prot opt in     out     source               destination
488899038 266093163662 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 FWDI_public  all  --  bond1  *       0.0.0.0/0            0.0.0.0/0           [goto]
       0        0 FWDI_public  all  --  bond0  *       0.0.0.0/0            0.0.0.0/0           [goto]
       0        0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 FWDO_public  all  --  *      bond1   0.0.0.0/0            0.0.0.0/0           [goto]
       0        0 FWDO_public  all  --  *      bond0   0.0.0.0/0            0.0.0.0/0           [goto]
       0        0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain FWDI_public (3 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain FWDO_public (3 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    4307   492298 IN_public  all  --  bond1  *       0.0.0.0/0            0.0.0.0/0           [goto]
  388631 19744052 IN_public  all  --  bond0  *       0.0.0.0/0            0.0.0.0/0           [goto]
      34     5160 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain IN_public (3 references)
    pkts      bytes target     prot opt in     out     source               destination
  392972 20241510 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  392972 20241510 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  392972 20241510 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3179 ctstate NEW
    2477   145924 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5534 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5524 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8434 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5056 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3189 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       10.2.3.4        0.0.0.0/0            tcp dpt:5041 ctstate NEW
       5      260 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5041 ctstate NEW

Chain IN_public_deny (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
    pkts      bytes target     prot opt in     out     source               destination
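The chain dump above already contains the evidence that settles the question: in IN_public_allow the source-restricted ACCEPT for port 5041 sits before the catch-all DROP, and the DROP counter has already caught 5 packets. Reading the counters is the check to make before blaming the rules. The following is an added example, not code from the original post: a small parser for `iptables -xvnL` output that locates the rules for a given destination port in a chain, verifies that the per-source ACCEPT precedes the catch-all DROP, and reports the packet counters each rule has matched. Only an excerpt of the page's own dump is embedded as constructed input; the chain name, port and source address are taken from the question. One caveat a practitioner would want: the chain names (IN_public_allow, INPUT_ZONES) are firewalld's, so rules appended directly with `iptables -A` are lost on `firewall-cmd --reload`; the persistent form is a firewalld rich rule.

```python
"""Parse `iptables -xvnL` output and check an allow-then-drop pair for a port.

Added example, not part of the original post. The dump excerpt below is
constructed from the question's output; counters are the ones shown there.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the question's `iptables -xvnL` dump.
SAMPLE_DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
642614522 702873881336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4070   483366 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    2477   145924 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       10.2.3.4        0.0.0.0/0            tcp dpt:5041 ctstate NEW
       5      260 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5041 ctstate NEW
"""


@dataclass
class Rule:
    chain: str
    pkts: int
    nbytes: int
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # trailing match text, e.g. "tcp dpt:5041 ctstate NEW"

    @property
    def dport(self):
        m = re.search(r"dpt:(\d+)", self.extra)
        return int(m.group(1)) if m else None


CHAIN_RE = re.compile(r"^Chain (\S+) ")
# pkts bytes target prot opt in out source destination [extra...]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


def parse_dump(text):
    """Return the rules of every chain in `iptables -xvnL` output, in order."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or column header
        m = RULE_RE.match(line)
        if m and chain:
            pkts, nbytes, target, prot, _opt, _in, _out, src, dst, extra = m.groups()
            rules.append(Rule(chain, int(pkts), int(nbytes), target, prot, src, dst, extra.strip()))
    return rules


def check_port_policy(rules, chain, dport, allowed_src):
    """Check that `chain` accepts `dport` from `allowed_src` before dropping it for everyone.

    Returns (ok, reason, hits) where hits maps "TARGET from SOURCE" to the
    packet counter, so you can see which rule the test traffic actually hit.
    """
    port_rules = [r for r in rules if r.chain == chain and r.dport == dport]
    hits = {f"{r.target} from {r.source}": r.pkts for r in port_rules}
    allow_idx = next((i for i, r in enumerate(port_rules)
                      if r.target == "ACCEPT" and r.source == allowed_src), None)
    drop_idx = next((i for i, r in enumerate(port_rules)
                     if r.target in ("DROP", "REJECT") and r.source == "0.0.0.0/0"), None)
    if allow_idx is None:
        return False, f"no ACCEPT rule for {allowed_src} on dpt {dport}", hits
    if drop_idx is None:
        return False, f"no catch-all DROP/REJECT for dpt {dport}", hits
    if drop_idx < allow_idx:
        # Order matters: a DROP above the ACCEPT would block the allowed source too.
        return False, "catch-all DROP precedes the ACCEPT; allowed source is blocked", hits
    return True, "ACCEPT for allowed source precedes catch-all DROP", hits


if __name__ == "__main__":
    ok, reason, hits = check_port_policy(parse_dump(SAMPLE_DUMP), "IN_public_allow", 5041, "10.2.3.4")
    print(ok, reason, hits)
```

Run against the question's dump it reports the order as correct and shows that the five test connections landed on the DROP rule, not the ACCEPT, which is exactly what a connection arriving from the default source address (not 10.2.3.4) should produce.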

Answer 1

OK, after some checking I found that the iptables rules filter the IP packets exactly as I asked. The problem is that the netcat command ncat.exe -s 10.2.3.5 -zv 10.78.21.51 5041 does not actually change the source address the way the "-s" option suggests; it still uses the default source address. Does anyone know how to telnet from a different source address? Is that even possible?
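The ncat output in the question shows why the test was misleading: "Bind to 10.2.3.5:0 failed ... The requested address is not valid in its context (10049)" is WSAEADDRNOTAVAIL, meaning 10.2.3.5 is not an address of the testing host, so the bind failed and ncat went on to connect from its default address. A source address can only be forced if the host actually owns it. The following is an added example, not code from the original post: a minimal Python client that binds the requested source address before connecting and raises instead of falling back, so a test that claims to come from a given address can never silently come from another. The loopback listener exists only so the example runs offline; the addresses and port are assumptions, and the rule behaviour itself is not simulated here.

```python
"""Connect to a TCP port from an explicit source address, failing loudly.

Added example, not part of the original post. Addresses and the loopback
listener are assumptions made so the code runs offline.
"""
import socket
import threading


def connect_from(source_ip, dest_ip, dest_port, timeout=2.0):
    """Bind to `source_ip` and connect; return the (ip, port) actually used.

    Unlike `ncat -s`, a failed bind is not tolerated: if `source_ip` is not a
    local address the OS rejects the bind (EADDRNOTAVAIL on Linux,
    WSAEADDRNOTAVAIL/10049 on Windows) and the OSError propagates.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.bind((source_ip, 0))      # port 0: let the kernel pick the source port
        s.connect((dest_ip, dest_port))
        return s.getsockname()      # what the far end (and iptables) really sees
    finally:
        s.close()


def start_loopback_listener():
    """Accept a single connection on 127.0.0.1:<ephemeral>; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Return (source ip used for a valid bind, whether a non-local bind was refused)."""
    port = start_loopback_listener()
    used_ip, _ = connect_from("127.0.0.1", "127.0.0.1", port)
    try:
        # 10.2.3.5 (from the question) is assumed not to be a local address.
        connect_from("10.2.3.5", "127.0.0.1", port)
        refused = False
    except OSError:
        refused = True
    return used_ip, refused


if __name__ == "__main__":
    print(demo())
```

To test the rule from a different source in practice, run the client on a host that owns the address (or on the firewall host itself, after adding 10.2.3.4 as a secondary address with `ip addr add`), and confirm with the IN_public_allow packet counters that the ACCEPT rule, not the DROP, was hit.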
