最近,我wget尝试通过80端口拉取一些包。它被iptable阻止(服务iptables停止后,wget可以下载包)。有人可以帮我分析一下我的 iptable 规则吗?
192.168.0.0/16我想我已经打开了本地IP( 、 )的所有端口10.0.0.0/8,那么为什么它被阻止呢?
我电脑的IP是192.168.1.168.
如果我准备了一个网络服务器192.168.1.170,我可以从下载页面192.168.1.170。
table:filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/8 0.0.0.0/0
3 ACCEPT all -- 10.0.0.0/8 0.0.0.0/0
4 ACCEPT all -- 127.0.0.0/8 0.0.0.0/0
5 ACCEPT all -- 169.254.0.0/16 0.0.0.0/0
6 ACCEPT all -- 172.16.0.0/12 0.0.0.0/0
7 ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
8 ACCEPT all -- 224.0.0.0/4 0.0.0.0/0
9 ACCEPT all -- 240.0.0.0/4 0.0.0.0/0
10 ACCEPT all -- 144.168.60.32 0.0.0.0/0
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21701 state NEW,ESTABLISHED
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21701 state ESTABLISHED
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:26941 state ESTABLISHED
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21713 state ESTABLISHED
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21715 state ESTABLISHED
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21714 state ESTABLISHED
17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
19 ACCEPT tcp -- 23.105.194.21 0.0.0.0/0 tcp spt:8170 state ESTABLISHED
20 ACCEPT udp -- 114.114.114.114 0.0.0.0/0 udp spt:53 dpts:1024:65535
21 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
22 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
23 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
24 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED
25 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:123
Chain FORWARD (policy DROP)
num target prot opt source destination
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/8
3 ACCEPT all -- 0.0.0.0/0 10.0.0.0/8
4 ACCEPT all -- 0.0.0.0/0 127.0.0.0/8
5 ACCEPT all -- 0.0.0.0/0 169.254.0.0/16
6 ACCEPT all -- 0.0.0.0/0 172.16.0.0/12
7 ACCEPT all -- 0.0.0.0/0 192.168.0.0/16
8 ACCEPT all -- 0.0.0.0/0 208.0.0.0/4
9 ACCEPT all -- 0.0.0.0/0 240.0.0.0/4
10 ACCEPT all -- 0.0.0.0/0 144.168.60.32
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21701 state ESTABLISHED
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21701 state NEW,ESTABLISHED
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:26941 state NEW,ESTABLISHED
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21713 state NEW,ESTABLISHED
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21715 state NEW,ESTABLISHED
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21714 state NEW,ESTABLISHED
17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
19 ACCEPT tcp -- 0.0.0.0/0 23.105.194.26 tcp dpt:8170 state NEW,ESTABLISHED
20 ACCEPT udp -- 0.0.0.0/0 114.114.114.114 udp spts:1024:65535 dpt:53
21 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:8080 state ESTABLISHED
23 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:8080 state ESTABLISHED
24 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
table:nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.42.1:80
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
2 MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:80
3 MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:22
4 MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:21
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
答案1
该链必须是接受的,这是错误的:
Chain INPUT (policy DROP)
然后你需要最后一条规则来阻止其他一切:
13740 717586 LOG all -- eth1 * 0.0.0.0/0 0.0.0.0/0 LOG flags 8 level 4 prefix "[iptables] A: "
13740 717586 REJECT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
我个人喜欢在orLOG之前。两者之间的区别在于发送回复而只是停止。我用于某些事情和其他事情......DROPREJECTREJECTDROPDROPREJECT
在大多数情况下,FORWARD仅当您希望 LAN 上的本地计算机访问 Internet 连接时才需要这样做。不然那个人还能留下来DROP。在输入工作之前我不会定义任何输出规则。
要查看您的规则,我建议如下:
iptables -L -nvx | less -S
这会给你计数。这使您可以看到数据包在哪里被阻止。在你的情况下,它会出现在Chain INPUT:
Chain INPUT (policy DROP 10 packets, 1240 bytes)
答案2
我犯了一个错误。不知何故,我不知道为什么我的设备名称从 eth0 更改为 eth1。所以所有的规则只对eth0有效。
@Alexis Wilke,感谢您的回复!
因此,任何询问有关 iptables 问题的人都应该粘贴“iptables -L -v”而不是“iptables -L”。