Why does UFW block ICMP destination unreachable messages even though there are apparently rules allowing them?

Ubuntu 20.04.2 LTS. I'm running UFW with mostly the default configuration; I have allowed certain ports through with "ufw allow", but have made no manual blocks or config file edits.

I was checking the UFW logs and noticed that incoming ICMP destination unreachable messages (both IPv4 and IPv6) are being blocked for no apparent reason.

UFW appears to have a default configuration that allows these through:

root@hostname:/etc/ufw# grep -R icmp * | grep dest
before.rules:-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
before.rules:-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT

Here is what I see in the logs:

IPv4:

Apr 26 07:50:04 hostname kernel: [721900.768277] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(foreignIPV4) DST=(myIPV4) LEN=104 TOS=0x00 PREC=0x00 TTL=50 ID=11553 PROTO=ICMP TYPE=3 CODE=3 [SRC=(myIPV4) DST=(foreignIPV4) LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=55473 DF PROTO=UDP SPT=123 DPT=30516 LEN=56 ]

Note: TYPE=3 CODE=3 = destination unreachable / port unreachable

IPv6:

Apr 25 17:58:36 hostname kernel: [672013.171362] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(foreignIPV6) DST=(myIPV6) LEN=144 TC=40 HOPLIMIT=240 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=4 [SRC=(myIPV6) DST=(foreignIPV6) LEN=96 TC=32 HOPLIMIT=50 FLOWLBL=950125 PROTO=UDP SPT=123 DPT=48280 LEN=56 ]

Note: TYPE=1 CODE=4 = destination unreachable / port unreachable

The ICMP messages relate to NTP traffic (UDP port 123); I run an NTP server for ntppool.org, and sometimes when my server responds to a client, the client replies with an ICMP message saying that the port it sent the initial NTP request from is unreachable. For now I'm not really interested in why some clients reply this way; I just want to figure out why UFW is blocking the ICMP messages.

For testing, I found a program called "nping" that I can run from my home Windows system to send custom ICMP messages to my server. I tried sending destination unreachable messages to see whether they would show up in the UFW log, but they did not. So UFW is probably not blocking 100% of these messages, but is blocking some of them according to unknown criteria.

Adding "iptables -xvnL" output:

root@hostname:/var/log# sudo iptables -xvnL
Chain INPUT (policy DROP 12439 packets, 776590 bytes)
    pkts      bytes target     prot opt in     out     source               destination
145170103 11118327896 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
145170103 11118327896 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3633596 110434934 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3630280 110246698 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3630280 110246698 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3630280 110246698 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 16 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
79090294 6301946512 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
79090294 6301946512 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15895   983433 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15895   983433 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15895   983433 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15895   983433 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      37     2886 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
      11      548 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
     187     9508 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
       0        0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     786    47222 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      34    29905 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 6164343 472366977 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
     845    74528 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
     845    74528 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    9836   782534 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
 4502728 342015963 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
 4502702 342013987 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      34    29905 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 5271469 405354822 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      62     4258 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     620    55772 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
     165    13988 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination
 4502728 342015963 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
       0        0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
    pkts      bytes target     prot opt in     out     source               destination
     235    12942 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       9      540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
      37     2758 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     401    23204 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     329    19016 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
 4489126 341176077 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
     132     3750 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:37

Chain ufw-user-limit (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Answer 1

This turned out to be related to my having edited before.rules and before6.rules to disable connection tracking for NTP traffic. Apparently this causes the ICMP messages related to that traffic to be flagged with the "INVALID" connection-tracking state.

In the standard configuration, the "INVALID" drop happens before the ICMP allow:

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

I edited before.rules and before6.rules to swap these two blocks, so that ICMP is allowed before the "INVALID" check happens:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
# moved to after ICMP to prevent NTP stuff from being blocked
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
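A small audit script, added here as an example and not part of the question or answer above, that reads a before.rules or before6.rules file and reports whether the "--ctstate INVALID" DROP rule in the ufw-before-input / ufw6-before-input chain comes before the ICMP destination-unreachable ACCEPT rule (the ordering that caused the blocks) or after it (the ordering from the answer). The sample rule files below are constructed for the demonstration; the function name and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Classify the rule ordering in the ufw-before-input / ufw6-before-input
# chain of a ufw before.rules / before6.rules file:
#   drop-first   : INVALID DROP precedes the ICMP destination-unreachable ACCEPT
#                  (stock ordering; ICMP errors that conntrack marks INVALID,
#                  e.g. because the triggering UDP flow was not tracked, are dropped)
#   accept-first : the ICMP ACCEPT precedes the INVALID DROP (the answer's ordering)
#   not-found    : one of the two rules is missing from the file
check_icmp_order() {
    file=$1
    awk '
        /^-A ufw6?-before-input / {
            n++   # position of this rule within the chain
            if ($0 ~ /--ctstate INVALID/ && $0 ~ /-j DROP/ && !drop) drop = n
            if ($0 ~ /--icmp(v6)?-type destination-unreachable/ && $0 ~ /-j ACCEPT/ && !acc) acc = n
        }
        END {
            if (!drop || !acc) { print "not-found"; exit }
            if (drop < acc)    { print "drop-first"; exit }
            print "accept-first"
        }
    ' "$file"
}

# Constructed sample files (not the poster's real before.rules): the stock
# ordering from the question and the swapped ordering from the answer.
tmp=$(mktemp -d)
cat > "$tmp/stock.rules" <<'EOF'
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
EOF
cat > "$tmp/swapped.rules" <<'EOF'
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
EOF

STOCK_RESULT=$(check_icmp_order "$tmp/stock.rules")     # drop-first
SWAPPED_RESULT=$(check_icmp_order "$tmp/swapped.rules") # accept-first
echo "stock: $STOCK_RESULT, swapped: $SWAPPED_RESULT"
```

On a live system, run it against /etc/ufw/before.rules and /etc/ufw/before6.rules; the same chain-position logic applies to both files because the regexes accept the ufw6- and icmpv6 variants.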
