OpenWRT Firewall INPUT Chain allows everything?


I haven't touched the default firewall rules at all; I only opened one ssh port from wan and added the OpenVPN rules defined in this tutorial: http://wiki.openwrt.org/doc/howto/vpn.openvpn, but judging by the output of iptables -L I'm worried that I've left more ports open than intended. I've put the full output below, but in particular:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere
input      all  --  anywhere             anywhere
and from that, this rule:
ACCEPT     all  --  anywhere             anywhere

But does this mean that everything from anywhere is accepted?

Full iptables output for reference:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere
input      all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forward    all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere
output     all  --  anywhere             anywhere
Chain forward (1 references)
target     prot opt source               destination
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
zone_vpn_forward  all  --  anywhere             anywhere
Chain forwarding_lan (1 references)
target     prot opt source               destination
Chain forwarding_rule (1 references)
target     prot opt source               destination
Chain forwarding_vpn (1 references)
target     prot opt source               destination
Chain forwarding_wan (1 references)
target     prot opt source               destination
Chain input (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn
zone_lan   all  --  anywhere             anywhere
zone_wan   all  --  anywhere             anywhere
zone_vpn   all  --  anywhere             anywhere
Chain input_lan (1 references)
target     prot opt source               destination
Chain input_rule (1 references)
target     prot opt source               destination
Chain input_vpn (1 references)
target     prot opt source               destination
Chain input_wan (1 references)
target     prot opt source               destination
Chain output (1 references)
target     prot opt source               destination
zone_lan_ACCEPT  all  --  anywhere             anywhere
zone_wan_ACCEPT  all  --  anywhere             anywhere
zone_vpn_ACCEPT  all  --  anywhere             anywhere
Chain output_rule (1 references)
target     prot opt source               destination
Chain reject (7 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere
Chain zone_lan (1 references)
target     prot opt source               destination
input_lan  all  --  anywhere             anywhere
zone_lan_ACCEPT  all  --  anywhere             anywhere
Chain zone_lan_ACCEPT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain zone_lan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain zone_lan_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
Chain zone_lan_forward (1 references)
target     prot opt source               destination
zone_wan_ACCEPT  all  --  anywhere             anywhere
forwarding_lan  all  --  anywhere             anywhere
zone_lan_REJECT  all  --  anywhere             anywhere
Chain zone_vpn (1 references)
target     prot opt source               destination
input_vpn  all  --  anywhere             anywhere
zone_vpn_ACCEPT  all  --  anywhere             anywhere
Chain zone_vpn_ACCEPT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain zone_vpn_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain zone_vpn_REJECT (0 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
Chain zone_vpn_forward (1 references)
target     prot opt source               destination
zone_wan_ACCEPT  all  --  anywhere             anywhere
zone_lan_ACCEPT  all  --  anywhere             anywhere
forwarding_vpn  all  --  anywhere             anywhere
zone_vpn_ACCEPT  all  --  anywhere             anywhere
Chain zone_wan (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootpc
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:23232
input_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere
Chain zone_wan_ACCEPT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain zone_wan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain zone_wan_REJECT (2 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere

Answer 1

Sorry, I can't see where the problem is. Yes, your firewall lets any packet through both INPUT and FORWARD. This is the standard configuration of a freshly installed OpenWRT firewall; my configuration is the same.

Basically, iptables rules are read in order: from the first to the last, and the first rule that matches is applied; the remaining rules don't even need to be tested. If all the rules are tested and none of them matches, the default policy is applied (for example, for the INPUT chain the default policy is ACCEPT).

Take your INPUT chain: an incoming packet is tested to determine whether it is related to an existing connection; if it is, the rule applies, so the packet is accepted. If it is not (so the packet belongs to a connection that is not yet established), we move on to the second rule. The second rule has no criteria to satisfy, so every packet matches it; the rule is therefore applied, and applying it means: accept.

The remaining rules never come into play. This is why you should check your iptables rules carefully before saving them permanently: the order in which you supply the rules may not be the order in which they are applied, with unpleasant consequences.

This overall strategy (apply the first rule that fits, ignore the later ones) differs from the one the kernel uses for routing rules: there, the most restrictive applicable rule is applied, regardless of the order in which the routing rules are stored.
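As an added illustration of the first-match semantics described above (this is an editor's example, not code from the question, the answer or OpenWRT), the small evaluator below walks a packet through a simplified copy of the INPUT chain from the question, including jumps into user-defined chains, RETURN, and the fall-through to the chain policy. One practical caveat drives the example: `iptables -L` without `-v -n` omits the in/out interface columns, so a rule that prints as `ACCEPT all -- anywhere anywhere` may still carry an interface match (OpenWRT's default rule set has an accept rule for the loopback interface, and the zone jumps match on interface). The evaluator therefore builds two readings of the same listing, the rules exactly as printed and the rules with the interface matches restored, so the different outcomes are visible. Interface names (`lo`, `br-lan`, `eth1`, `tun0`) and the assumption that the syn_flood rate limit is not exceeded are constructed for the example; the check a practitioner should run on the real box is `iptables -L -v -n`.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed packet model: only the fields the rules on this page look at.
@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    dport: int          # destination port (0 for icmp)
    state: str          # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    in_iface: str       # assumed names: "lo", "br-lan" (lan), "eth1" (wan), "tun0" (vpn)
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt

@dataclass
class Rule:
    target: str                                       # verdict or chain to jump into
    match: Callable[[Packet], bool] = lambda p: True  # no criteria: matches everything

@dataclass
class Chain:
    rules: List[Rule]
    policy: Optional[str] = None  # only built-in chains (INPUT, FORWARD, OUTPUT) have one

VERDICTS = {"ACCEPT", "DROP", "REJECT"}

def _walk(chains: Dict[str, Chain], name: str, pkt: Packet, trace: List[str]) -> Optional[str]:
    """First-match evaluation: the first matching rule is applied, later ones are never tested."""
    for rule in chains[name].rules:
        if not rule.match(pkt):
            continue
        trace.append(f"{name} -> {rule.target}")
        if rule.target in VERDICTS:
            return rule.target
        if rule.target == "RETURN":
            return None                                # back to the calling chain
        v = _walk(chains, rule.target, pkt, trace)     # jump into a user-defined chain
        if v is not None:
            return v                                   # the sub-chain decided; stop here
        # sub-chain fell off its end without a verdict: continue with the next rule
    return None

def verdict(chains: Dict[str, Chain], pkt: Packet) -> Tuple[str, List[str]]:
    """Verdict for a packet entering INPUT, plus the list of rules that were applied."""
    trace: List[str] = []
    v = _walk(chains, "INPUT", pkt, trace)
    if v is None:                                      # nothing matched: chain policy applies
        v = chains["INPUT"].policy
        trace.append(f"INPUT policy {v}")
    return v, trace

def build_chains(restore_iface_matches: bool) -> Dict[str, Chain]:
    """Simplified copy of the question's INPUT path.
    restore_iface_matches=False models the listing literally (second INPUT rule unconditional);
    True models the interface matches that `iptables -L -v -n` would reveal (assumed)."""
    lo = (lambda p: p.in_iface == "lo") if restore_iface_matches else (lambda p: True)
    iface = lambda name: (lambda p: p.in_iface == name) if restore_iface_matches else (lambda p: True)
    tcp_syn = lambda p: p.proto == "tcp" and p.syn
    limit_not_exceeded = True   # assumption: well under 25/sec burst 50
    return {
        "INPUT": Chain([
            Rule("ACCEPT", lambda p: p.state in ("RELATED", "ESTABLISHED")),
            Rule("ACCEPT", lo),
            Rule("syn_flood", tcp_syn),
            Rule("input_rule"),
            Rule("input"),
        ], policy="ACCEPT"),
        "syn_flood": Chain([Rule("RETURN", lambda p: tcp_syn(p) and limit_not_exceeded), Rule("DROP")]),
        "input_rule": Chain([]),
        "input": Chain([
            Rule("ACCEPT", lambda p: p.proto == "udp" and p.dport == 1194),   # udp dpt:openvpn
            Rule("zone_lan", iface("br-lan")),
            Rule("zone_wan", iface("eth1")),
            Rule("zone_vpn", iface("tun0")),
        ]),
        "zone_lan": Chain([Rule("input_lan"), Rule("zone_lan_ACCEPT")]),
        "input_lan": Chain([]),
        "zone_lan_ACCEPT": Chain([Rule("ACCEPT"), Rule("ACCEPT")]),
        "zone_vpn": Chain([Rule("input_vpn"), Rule("zone_vpn_ACCEPT")]),
        "input_vpn": Chain([]),
        "zone_vpn_ACCEPT": Chain([Rule("ACCEPT"), Rule("ACCEPT")]),
        "zone_wan": Chain([
            Rule("ACCEPT", lambda p: p.proto == "udp" and p.dport == 68),     # udp dpt:bootpc
            Rule("ACCEPT", lambda p: p.proto == "icmp"),                      # icmp echo-request
            Rule("ACCEPT", lambda p: p.proto == "tcp" and p.dport == 23232),  # the ssh port from the question
            Rule("input_wan"),
            Rule("zone_wan_REJECT"),
        ]),
        "input_wan": Chain([]),
        "zone_wan_REJECT": Chain([Rule("reject"), Rule("reject")]),
        "reject": Chain([Rule("REJECT", lambda p: p.proto == "tcp"), Rule("REJECT")]),
    }

if __name__ == "__main__":
    probe = Packet("tcp", 9999, "NEW", "eth1", syn=True)   # constructed: new connection from wan
    for label, chains in (("as printed", build_chains(False)), ("with iface matches", build_chains(True))):
        v, trace = verdict(chains, probe)
        print(f"{label:>19}: {v}  via  {' | '.join(trace)}")
```

Reading the listing literally, a new TCP connection from the wan side to an unopened port is accepted at the second INPUT rule and nothing after it is consulted, which is exactly the answer's point. With the interface match restored, the same packet passes syn_flood (RETURN), falls through the empty input_rule chain, and is finally rejected in zone_wan_REJECT, while the ssh port 23232, established traffic, loopback and lan-side packets are still accepted. Which of the two readings describes the real router is settled by `iptables -L -v -n`, not by `iptables -L`.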
