I'm confused about how ufw works. I've searched this site, but most questions are about blocking traffic from coming in, whereas my problem is that traffic is being allowed in.
I've set ufw to allow only my custom ssh port; however, I run a Java program on the server that connects to another server over port 4246, and although I didn't open port 4246/tcp, all the data from the other server is allowed into my server. I also haven't allowed any http or https, yet all apt commands work fine.
As I understand it, ufw's default is "deny (incoming), allow (outgoing)". Does this mean that as long as the connection is created from inside the server, any response data is allowed in? Is there a practical way to prevent this and only let in the data configured in ufw, regardless of whether the connection was established from inside the server?
Thanks in advance!
Answer 1
The question is about UFW, but this answer uses iptables directly, which may not be what is wanted.
You can use this iptables script to block outgoing and incoming network packets (except SSH packets):
#!/bin/sh
FWVER=0.01
#
# ask1393247 Smythies 2022.02.16 Ver:0.01
# See here:
# https://askubuntu.com/questions/1393247/does-ufw-allow-all-incoming-traffic-in-response-to-outbound-requests?noredirect=1#comment2409932_1393247
# run as sudo on s19.
# Started from the below:
#
# ask1368071 Smythies 2021.10.08 Ver:0.01
# See here:
# https://askubuntu.com/questions/1368071/iptables-that-only-allow-incoming-traffic-to-openssh-and-block-all-other-traffic
# run as sudo on s19.
# log entries are only for each NEW ssh packet. It seems unreasonable to log every ssh packet, but it could be done.
#
echo "Loading ask1393247 rule set version $FWVER..\n"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Set for Smythies s19 computer (for testing). Edit for ask1393247's computer.
EXTIF="br0"
EXTIP="192.168.111.136"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"
# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about other users computer.
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Allow any related traffic coming back to the server in.
# For unknown reason's, ask1393247 does not want the generic version. So commented out.)
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# ask1393247 seems to want this:
echo "flag 1"
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
echo "flag 2"
# Allow and log new SSH connections. Not needed if you don't want to log sessions, but then you need to add NEW above.
# Note: I use port 22, because nobody else can get here anyhow. Change to your port.
#
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j LOG --log-prefix "ssh traffic:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT
# Now, also only let out ssh:
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Note: if your computer uses DCHP, then you will need to allow it, both in and out.
# Done.
#
echo ask1393247 rule set version $FWVER done.
The result is as follows:
doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy DROP 133 packets, 11819 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
202 13689 ACCEPT tcp -- br0 * 0.0.0.0/0 192.168.111.136 state RELATED,ESTABLISHED tcp dpt:22
4 280 LOG tcp -- br0 * 0.0.0.0/0 192.168.111.136 state NEW tcp dpt:22 LOG flags 0 level 6 prefix "ssh traffic:"
4 280 ACCEPT tcp -- br0 * 0.0.0.0/0 192.168.111.136 state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 14 packets, 3240 bytes)
pkts bytes target prot opt in out source destination
164 25505 ACCEPT tcp -- * br0 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state RELATED,ESTABLISHED
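The reason the question's apt and port-4246 replies get in is the connection-tracking rule that ufw installs in its before.rules chain (`ufw-before-input`, accepting any packet in the RELATED,ESTABLISHED state), whereas the script above only accepts such packets for tcp port 22. The following shell snippet is an added example, not part of the askubuntu answer or of the ufw project: it parses a saved `iptables -xvnL` listing and reports, per chain, the default policy and whether reply traffic is accepted generically or only for a specific port. The two listings embedded below are constructed for the example (the first mirrors the answer's output, the second mimics a ufw-managed chain); on a real host, capture `sudo iptables -xvnL` into the variable instead.

```shell
#!/bin/sh
# Added example: audit an `iptables -xvnL` listing for conntrack accept rules.
# Constructed sample, modelled on the listing shown in the answer above.
SAMPLE_LISTING='Chain INPUT (policy DROP 133 packets, 11819 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     202    13689 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state RELATED,ESTABLISHED tcp dpt:22
       4      280 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 14 packets, 3240 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     164    25505 ACCEPT     tcp  --  *      br0     0.0.0.0/0            0.0.0.0/0            tcp spt:22 state RELATED,ESTABLISHED
'

# Constructed sample of a ufw-style chain: a generic conntrack accept with no
# port restriction, which is what lets replies to any outbound connection in.
UFW_STYLE_LISTING='Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     500    40000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
'

# policy_of CHAIN LISTING: print the default policy of CHAIN (empty for
# user-defined chains, which carry a reference count instead of a policy).
policy_of() {
    printf '%s\n' "$2" | sed -n "s/^Chain $1 (policy \([A-Z]*\) .*/\1/p"
}

# conntrack_scope CHAIN LISTING: classify the RELATED,ESTABLISHED accept rules
# in CHAIN. Prints "generic" if any such rule has no dpt/spt restriction,
# "port-limited" if every such rule names a port, "none" if there are none.
conntrack_scope() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $3 == "ACCEPT" && /RELATED,ESTABLISHED/ {
            if ($0 ~ /(dpt|spt):[0-9]+/) limited++; else generic++
        }
        END {
            if (generic > 0) print "generic"
            else if (limited > 0) print "port-limited"
            else print "none"
        }'
}

# Usage: summarise both listings.
for chain in INPUT OUTPUT; do
    printf '%-6s policy=%s reply-traffic=%s\n' "$chain" \
        "$(policy_of "$chain" "$SAMPLE_LISTING")" \
        "$(conntrack_scope "$chain" "$SAMPLE_LISTING")"
done
printf 'ufw-before-input reply-traffic=%s\n' \
    "$(conntrack_scope ufw-before-input "$UFW_STYLE_LISTING")"
```

A "generic" result on an INPUT-path chain is the behaviour the question describes: any packet belonging to a connection the host initiated is accepted, so the practical control is on the OUTPUT side (restricting which outbound connections may be created), as the answer's script does by dropping OUTPUT by default.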