我httpd在 Linux 操作系统上使用服务。
我的结果iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere state NEW tcp dpt:http recent: UPDATE seconds: 10 hit_count: 3 name: http_flood side: source
tcp -- anywhere anywhere state NEW tcp dpt:http recent: SET name: http_flood side: source
DROP all -- 185.103.253.167 anywhere
DROP all -- 185.130.4.197 anywhere
DROP all -- 185.130.4.120 anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 1
LOG icmp -- anywhere anywhere limit: avg 1/sec burst 1 LOG level warning prefix `PING-DROP:'
DROP icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- 108.162.222.0 anywhere
DROP all -- 66.249.0.0/16 anywhere
DROP all -- 108.162.222.0/24 anywhere
DROP all -- 162.158.176.0/24 anywhere
DROP all -- 108.162.221.0/24 anywhere
请参阅DROP all -- 66.249.0.0/16 anywhere。
我有sudo service iptables save,restart但是访问日志这个IP仍然可以向我的服务器发送请求。
这是访问日志:
66.249.71.130 - - [30/Jul/2016:19:18:39 +0700] "GET /zad_rgano/15330.htm HTTP/1.1" 404 37728
66.249.71.130 - - [30/Jul/2016:19:18:43 +0700] "GET /28060/szekntws/mmqmmxxmkgw/9768/45828_frftp_fqs_uxnenjp HTTP/1.1" 404 37674
66.249.79.144 - - [30/Jul/2016:19:18:46 +0700] "GET /38164/szekntws/mmqmmxxmkgw/9765/45828_frftp_fqs_uxnenjp HTTP/1.1" 404 37674
66.249.71.128 - - [30/Jul/2016:19:18:48 +0700] "GET /27501/szekntws/mmqmmxxmkgw/9756/45828_frftp_fqs_uxnenjp HTTP/1.1" 301 -
66.249.71.130 - - [30/Jul/2016:19:18:50 +0700] "GET /zaa_rgano/22063.htm HTTP/1.1" 404 37728
66.249.71.130 - - [30/Jul/2016:19:18:54 +0700] "GET /zae_rgano/18374.htm HTTP/1.1" 404 37728
66.249.71.130 - - [30/Jul/2016:19:18:56 +0700] "GET /29265/szekntws/mmqmmxxmkgw/9761/45828_frftp_fqs_uxnenjp HTTP/1.1" 404 37674
66.249.71.130 - - [30/Jul/2016:19:19:19 +0700] "GET /zac_rgano/16315.htm HTTP/1.1" 404 37728
66.249.71.130 - - [30/Jul/2016:19:19:22 +0700] "GET /index.php?kj=1&kjsite=aHR0cDovL3d3dy5rYW1pYmlqaW5zaG9wLnh5ei9pbmRleC5waHA/bWFpbl9wYWdlPXByb2R1Y3RfaW5mbyZwcm9kdWN0c19pZD0yNDQyOQ== HTTP/1.1" 200 110629
66.249.71.130 - - [30/Jul/2016:19:19:26 +0700] "GET /23989/szekntws/mmqmmxxmkgw/9754/45828_frftp_fqs_uxnenjp HTTP/1.1" 404 37845
66.249.71.130 - - [30/Jul/2016:19:19:29 +0700] "GET /zab_rgano/36033.htm HTTP/1.1" 404 37728
66.249.71.130 - - [30/Jul/2016:19:19:47 +0700] "GET /wp-content/uploads/2016/01/Chuong-8-Tac-dong-cua-chinh-sach-thue.pdf HTTP/1.1" 200 496413
66.249.71.130 - - [30/Jul/2016:19:19:49 +0700] "GET /index.php?kj=1&kjsite=aHR0cDovL3d3dy5tc3N5c3RlbS54eXovaW5kZXgucGhwP21haW5fcGFnZT1wcm9kdWN0X2luZm8mcHJvZHVjdHNfaWQ9MzM3NzU= HTTP/1.1" 200 110586
66.249.79.144 - - [30/Jul/2016:19:19:47 +0700] "GET /index.php?kj=1&kjsite=aHR0cDovL3d3dy5rYW1pYmlqaW5zaG9wLnh5ei9pbmRleC5waHA/bWFpbl9wYWdlPXByb2R1Y3RfaW5mbyZwcm9kdWN0c19pZD0zOTE1NQ== HTTP/1.1" 200 110634
66.249.71.130 - - [30/Jul/2016:19:19:52 +0700] "GET /zaa_rgano/17556.htm HTTP/1.1" 404 37728
答案1
iptables按顺序阅读规则;一旦找到适用的规则,就使用它;无需进一步阅读以下规则。
就你的情况而言,规则
DROP all -- 66.249.0.0/16 anywhere
是先于经过
ACCEPT tcp -- anywhere anywhere tcp dpt:http
这条规则当然适用于任何人,因此它特别适用于网络66.249.0.0/16。因此,作为适用于此网络的第一条规则,它确实适用(抱歉,没有双关语),并且来自网络的数据包被防火墙接受。
为了禁止恶意网络,你必须删除规则
ACCEPT tcp -- anywhere anywhere tcp dpt:http
并将其放在列表的最底部,否则它将优先于您的自定义规则。