Ubuntu 20.04.2 LTS. I am running UFW mostly with the default configuration; I have allowed some ports through with "ufw allow", but have done no manual blocking or config-file editing.
I was checking the UFW logs and noticed that incoming ICMP destination-unreachable messages (IPv4 and IPv6) are being blocked for no apparent reason.
UFW appears to have a default configuration that allows these through:
root@hostname:/etc/ufw# grep -R icmp * | grep dest
before.rules:-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
before.rules:-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
Here is what I see in the logs:
IPv4:
Apr 26 07:50:04 hostname kernel: [721900.768277] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(foreignIPV4) DST=(myIPV4) LEN=104 TOS=0x00 PREC=0x00 TTL=50 ID=11553 PROTO=ICMP TYPE=3 CODE=3 [SRC=(myIPV4) DST=(foreignIPV4) LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=55473 DF PROTO=UDP SPT=123 DPT=30516 LEN=56 ]
Note: TYPE=3 CODE=3 = Destination Unreachable / Port Unreachable
IPv6:
Apr 25 17:58:36 hostname kernel: [672013.171362] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(foreignIPV6) DST=(myIPV6) LEN=144 TC=40 HOPLIMIT=240 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=4 [SRC=(myIPV6) DST=(foreignIPV6) LEN=96 TC=32 HOPLIMIT=50 FLOWLBL=950125 PROTO=UDP SPT=123 DPT=48280 LEN=56 ]
Note: TYPE=1 CODE=4 = Destination Unreachable / Port Unreachable
The ICMP messages relate to NTP traffic (UDP port 123); I run an NTP server for ntppool.org, and sometimes when my server responds to a client, the client replies with an ICMP message saying that the port it sent the initial NTP request from is unreachable. For now I'm not that interested in why some clients reply this way; I just want to figure out why UFW is blocking the ICMP messages.
For testing, I found a program called "nping" that I can run from my home Windows system to send custom ICMP messages to my server. I tried sending destination-unreachable messages to see whether they would show up in the UFW log, but they did not. So UFW is probably not blocking 100% of these messages, but is blocking some of them based on unknown criteria.
Adding "iptables -xvnL" output:
root@hostname:/var/log# sudo iptables -xvnL
Chain INPUT (policy DROP 12439 packets, 776590 bytes)
pkts bytes target prot opt in out source destination
145170103 11118327896 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
145170103 11118327896 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
3633596 110434934 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
3630280 110246698 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
3630280 110246698 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
3630280 110246698 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 16 packets, 960 bytes)
pkts bytes target prot opt in out source destination
79090294 6301946512 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
79090294 6301946512 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
15895 983433 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
15895 983433 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
15895 983433 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
15895 983433 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
37 2886 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
11 548 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
187 9508 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
786 47222 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
34 29905 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6164343 472366977 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
845 74528 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
845 74528 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
9836 782534 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
4502728 342015963 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
4502702 342013987 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
34 29905 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
5271469 405354822 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
62 4258 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
620 55772 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
165 13988 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
4502728 342015963 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
235 12942 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
37 2758 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
401 23204 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
329 19016 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
4489126 341176077 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
132 3750 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:37
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
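The [UFW BLOCK] lines in the question have a fixed shape: the outer packet's fields, then the quoted original datagram in square brackets. The following parser, an added example that is not part of the original post, splits both parts and labels which blocked entries are destination-unreachable replies to this host's own NTP responses (quoted packet is UDP with source port 123). It uses the two log lines quoted above plus a constructed TCP line as a negative case, and adds an assumed sanity check that the quoted packet's SRC equals the outer DST.

```python
import re

# Sample log: the two [UFW BLOCK] lines from the question (placeholder addresses
# kept as-is) plus one constructed TCP SYN line that is not an ICMP error.
SAMPLE_LOG = """\
Apr 26 07:50:04 hostname kernel: [721900.768277] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(foreignIPV4) DST=(myIPV4) LEN=104 TOS=0x00 PREC=0x00 TTL=50 ID=11553 PROTO=ICMP TYPE=3 CODE=3 [SRC=(myIPV4) DST=(foreignIPV4) LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=55473 DF PROTO=UDP SPT=123 DPT=30516 LEN=56 ]
Apr 25 17:58:36 hostname kernel: [672013.171362] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(foreignIPV6) DST=(myIPV6) LEN=144 TC=40 HOPLIMIT=240 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=4 [SRC=(myIPV6) DST=(foreignIPV6) LEN=96 TC=32 HOPLIMIT=50 FLOWLBL=950125 PROTO=UDP SPT=123 DPT=48280 LEN=56 ]
Apr 26 08:00:00 hostname kernel: [722000.000000] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(otherIPV4) DST=(myIPV4) LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens; bare flags like DF are skipped
UNREACHABLE = {"ICMP": 3, "ICMPv6": 1}   # destination-unreachable type number per protocol

def parse_ufw_block(line):
    """Split a [UFW BLOCK] line into (outer, inner) field dicts; inner is the
    quoted datagram carried in an ICMP error or None. Non-block lines give None."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    inner = None
    if "[" in body:                       # ICMP errors quote the offending packet in [...]
        body, quoted = body.split("[", 1)
        inner = dict(KV.findall(quoted))  # duplicate LEN key: last one (UDP length) wins
    return dict(KV.findall(body)), inner

def classify(line):
    """'ntp-icmp-error' = unreachable quoting one of our own NTP (UDP sport 123)
    replies; 'icmp-unreachable' = any other unreachable; 'other' = the rest."""
    parsed = parse_ufw_block(line)
    if parsed is None:
        return None
    outer, inner = parsed
    proto = outer.get("PROTO")
    if proto in UNREACHABLE and outer.get("TYPE") == str(UNREACHABLE[proto]) and inner:
        # Assumed sanity check: the quoted packet must have been sent by this host,
        # i.e. its SRC equals the outer DST; otherwise treat it as an unrelated error.
        if (inner.get("PROTO") == "UDP" and inner.get("SPT") == "123"
                and inner.get("SRC") == outer.get("DST")):
            return "ntp-icmp-error"
        return "icmp-unreachable"
    return "other"

def summarize(log_text):
    counts = {}                           # label -> number of blocked lines
    for line in log_text.splitlines():
        label = classify(line)
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts
```

Running summarize() over a real /var/log/ufw.log shows at a glance how many of the blocks are NTP-related ICMP errors rather than unrelated drops.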
Answer 1
This was related to my having edited before.rules and before6.rules to disable connection tracking for NTP traffic. That apparently causes the ICMP messages related to that traffic to be flagged with the "INVALID" conntrack state.
In the standard configuration, the "INVALID" drop happens before the ICMP allow:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
I edited before.rules and before6.rules to swap these two blocks so that ICMP is allowed before the "INVALID" check happens:
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
# moved to after ICMP to prevent NTP stuff from being blocked
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP