我一直在做一个即将完成的项目:只需按一下按钮即可切断我孩子的互联网连接。我通过以下基本调用实现了部分解决方案:
ufw 拒绝来自 IP
威胁关闭他们的互联网一半时间有效,而上述方法在另一半时间有效。我遇到的问题是较长的 YouTube 视频。有时继续现有连接很方便,但我还想有一个按钮可以关闭所有现有 IP 流量。事实证明这比预期的要困难得多。
我试过 cutter,但它似乎在 Ubuntu 14.04 上都不起作用。我试过 tcpkill。它似乎可以运行,但似乎什么也没做(我提供了两个以太网接口),而且似乎想要持续运行。虽然我的 ufw 是持久的,但我宁愿立即终止,它是无状态的,只是断开所有现有连接。
Conntrack 听起来很有希望(http://conntrack-tools.netfilter.org/manual.html),并具有以下内容:
删除一个条目,这可用于在以下情况下阻止流量:
您有一个状态规则集,可以阻止处于无效状态的流量。
您已将 /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose 或 /proc/sys/net/netfilter/nf_conntrack_tcp_loose(取决于您的内核版本)设置为零。
命令
conntrack -D -s <IP>
似乎删除了某些内容,但 YouTube 视频仍在继续播放,而且我这样做时可以看到连接重新建立
conntrack -L
我已经搞定了
echo 0 > nf_conntrack_tcp_loose
并对其进行 cat 以确保它卡住,但它似乎并没有删除连接。
我不能 100% 确定“阻止处于无效状态的流量的状态规则集”是什么意思,但我确实看到了以下规则
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
当执行“iptables -L -n”时,如果这是它所引用的。
我发现了以下情况:
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
它对我来说不起作用,但可能是因为它遵循了允许内部网络上所有流量的一般规则,并且通过重新排序它可能会起作用。我宁愿不将 iptables 命令与 ufw 命令混合使用。鉴于 UFW 已经设置了 iptables 以拒绝任何新连接,在 iptables 中设置 drop 似乎是多余的,如果可以的话,我真的不想将 UFW 与 iptable 命令混合使用。
有人能告诉我如何使用“conntrack -D”来结束与主机的现有连接,或者其他一些不需要关闭网络或接口然后再恢复的方法吗?弄清楚如何做到这一点比想象的更难。
谢谢,
标记
我做了一些更多的测试,想与大家分享一下。
首先,仅使用 ssh 连接开始检查 kill。这实际上相当容易。tcpkill 方法和conntrack -D方法都有效。(我还尝试使用 nf_conntrack_tcp_loose=1(我的系统默认设置),并确认您确实需要将其设置为 0 才能使该conntrack -D方法有效)。
我不知道 YouTube 连接是如何工作的,但它们似乎很难被终止。如果我只调用conntrack -D IP一次方法,它就不会终止。但如果我设置以下循环
while sleep 1 ; do conntrack -D -s 10.42.43.25 ; done
它最终会死去。
日志内容如下:
conntrack v1.4.1 (conntrack-tools): 17 flow entries have been deleted.
udp 17 10 src=___.___.43.25 dst=___.___.43.1 sport=57859 dport=53 src=___.___.43.1 dst=___.___.43.25 sport=53 dport=57859 mark=0 use=1
tcp 6 431980 ESTABLISHED src=___.___.43.25 dst=___.___.163.19 sport=59023 dport=80 src=___.___.163.19 dst=___.___.221.222 sport=80 dport=59023 [ASSURED] mark=0 use=1
tcp 6 431980 ESTABLISHED src=___.___.43.25 dst=___.___.218.3 sport=59033 dport=443 src=___.___.218.3 dst=___.___.221.222 sport=443 dport=59033 [ASSURED] mark=0 use=1
tcp 6 102 TIME_WAIT src=___.___.43.25 dst=___.___.242.247 sport=59044 dport=443 src=___.___.242.247 dst=___.___.221.222 sport=443 dport=59044 [ASSURED] mark=0 use=1
tcp 6 431980 ESTABLISHED src=___.___.43.25 dst=___.___.247.248 sport=59024 dport=443 src=___.___.247.248 dst=___.___.221.222 sport=443 dport=59024 [ASSURED] mark=0 use=1
tcp 6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59042 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59042 [ASSURED] mark=0 use=1
udp 17 0 src=___.___.43.25 dst=___.___.43.1 sport=60775 dport=53 src=___.___.43.1 dst=___.___.43.25 sport=53 dport=60775 mark=0 use=1
tcp 6 431980 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.78 sport=59035 dport=443 src=sss.sss.sss.78 dst=___.___.221.222 sport=443 dport=59035 [ASSURED] mark=0 use=1
tcp 6 97 TIME_WAIT src=___.___.43.25 dst=___.___.234.25 sport=59039 dport=443 src=___.___.234.25 dst=___.___.221.222 sport=443 dport=59039 [ASSURED] mark=0 use=1
udp 17 11 src=___.___.43.25 dst=___.___.43.1 sport=56527 dport=53 src=___.___.43.1 dst=___.___.43.25 sport=53 dport=56527 mark=0 use=1
tcp 6 431980 ESTABLISHED src=___.___.43.25 dst=___.___.218.110 sport=59020 dport=443 src=___.___.218.110 dst=___.___.221.222 sport=443 dport=59020 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59043 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59043 [ASSURED] mark=0 use=1
tcp 6 431948 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.97 sport=59025 dport=443 src=sss.sss.sss.97 dst=___.___.221.222 sport=443 dport=59025 [ASSURED] mark=0 use=1
udp 17 6 src=___.___.43.25 dst=___.___.43.1 sport=53498 dport=53 src=___.___.43.1 dst=___.___.43.25 sport=53 dport=53498 mark=0 use=1
tcp 6 431988 ESTABLISHED src=___.___.43.25 dst=___.___.10.188 sport=58987 dport=5228 src=___.___.10.188 dst=___.___.221.222 sport=5228 dport=58987 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.138 sport=59021 dport=443 src=sss.sss.sss.138 dst=___.___.221.222 sport=443 dport=59021 [ASSURED] mark=0 use=1
tcp 6 431979 ESTABLISHED src=___.___.43.25 dst=___.___.103.74 sport=59038 dport=443 src=___.___.103.74 dst=___.___.221.222 sport=443 dport=59038 [ASSURED] mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 2 flow entries have been deleted.
tcp 6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59049 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59049 [ASSURED] mark=0 use=1
tcp 6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59050 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59050 [ASSURED] mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
tcp 6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59052 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59052 [ASSURED] mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
tcp 6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59053 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59053 [ASSURED] mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
tcp 6 431999 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59055 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59055 [ASSURED] mark=0 use=1
...
tcp 6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59089 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59089 [ASSURED] mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
tcp 6 300 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59090 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59090 [ASSURED] mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
tcp 6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59092 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59092 [ASSURED] mark=0 use=2
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
tcp 6 300 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.138 sport=59094 dport=443 src=sss.sss.sss.138 dst=___.___.221.222 sport=443 dport=59094 [ASSURED] mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
tcp 6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59095 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59095 [ASSURED] mark=0 use=1
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
... (finally dead)
所以现在的问题是这里发生了什么?在我最初删除所有流之后,流条目是如何建立的?我遗漏了什么?这一切是如何运作的,我不能简单地用一个命令关闭它吗?
只是一些更多信息。我已经说服自己,本地缓冲不会影响我对正在发生的事情的感知。在我删除一次后,我可以看到缓冲区中的数据量继续增长。此外,我可以拍摄一段长视频,并将 YouTube 帧时间大大拖到超出缓冲区水印的未来,并且视频在更晚的日期可以正常工作。
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
target prot opt source destination
REJECT all -- 116.31.116.41 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ufw-skip-to-policy-input all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ufw-not-local all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900
ufw-user-input all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ufw-user-output all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT all -- 10.42.43.25 0.0.0.0/0
ACCEPT all -- 10.42.43.0/24 0.0.0.0/0
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
当我改变状态以关闭特定机器时,日志变化显示为以下差异:
158c157
< ACCEPT all -- 10.42.43.25 0.0.0.0/0
---
> DROP all -- 10.42.43.25 0.0.0.0/0