iptables protection is not working

I have a home network and an Ubuntu machine acting as a bridge. The home network uses the IP range 192.168.1.x. The bridge machine's eth0 interface is connected to the Internet; eth1 and wlan2 are connected to the home network.

I have the following set of iptables rules:

    *filter
    :INPUT DROP [8215:416305]
    -I INPUT -p tcp --dport 53 -j ACCEPT
    -I INPUT -p udp --dport 53 -j ACCEPT

    :FORWARD DROP [7:840]
    :OUTPUT ACCEPT [491625:112606364]
    -A INPUT -i wlan2 -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
    -A INPUT -i eth0 -m state --state INVALID,NEW -j DROP
    -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    -A INPUT -s 127.0.0.1 -d 10.176.128.1 -j REJECT

    -A FORWARD -i wlan2 -j ACCEPT
    -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    *mangle
    :PREROUTING ACCEPT [321559:236814105]
    :INPUT ACCEPT [295343:232451823]
    :FORWARD ACCEPT [27130:5384293]
    :OUTPUT ACCEPT [491625:112606364]
    :POSTROUTING ACCEPT [522195:118153702]
    COMMIT

Unfortunately, the output of iptables -L shows the following:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    REJECT     tcp  --  anywhere             anywhere             tcp reject-with tcp-reset
    DROP       all  --  anywhere             anywhere             state INVALID,NEW
    ACCEPT     all  --  127.0.0.1            127.0.0.1
    REJECT     all  --  127.0.0.1            10.176.128.1         reject-with icmp-port-unreachable

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

I don't understand why I see

    ACCEPT     all  --  anywhere             anywhere

and why my internal network might be exposed to a DoS attack from the Internet.

Any suggestions?
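Added example (not from the question or any answer on this page): a small Python script that replays a trimmed copy of the rules file above the way iptables-restore orders it (-I inserts at position 1, -A appends), and prints each INPUT rule once as plain iptables -L lists it and once with the in/out interface columns that only iptables -L -v displays. It also lists ACCEPT rules that carry no -i match, since those apply on every interface, eth0 included. The sample input is constructed from the question's rules; ports are shown numerically rather than as service names.

```python
from collections import defaultdict

# Constructed sample: a trimmed copy of the question's iptables-save file.
RULES = """\
*filter
:INPUT DROP [8215:416305]
-I INPUT -p tcp --dport 53 -j ACCEPT
-I INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -i wlan2 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -m state --state INVALID,NEW -j DROP
COMMIT
"""
# Option flag -> field; other flags (-m, --reject-with, ...) are skipped.
OPTS = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst",
        "--dport": "dport", "--state": "state", "-j": "target"}

def parse_rules(text):
    """Replay the dump as iptables-restore does: -I inserts at position 1, -A appends."""
    chains = defaultdict(list)
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("-A", "-I"):
            continue
        rule = {"in": None, "out": None, "proto": "all", "src": "anywhere",
                "dst": "anywhere", "dport": None, "state": None, "target": None}
        for flag, value in zip(tok[2:], tok[3:]):
            if flag in OPTS:
                rule[OPTS[flag]] = value
        chains[tok[1]].insert(0 if tok[0] == "-I" else len(chains[tok[1]]), rule)
    return dict(chains)

def render(rule, verbose):
    """One listing line; verbose adds the in/out columns that plain iptables -L hides."""
    cols = [rule["target"], rule["proto"], rule["src"], rule["dst"]]
    if verbose:
        cols[1:1] = [rule["in"] or "*", rule["out"] or "*"]
    for key, fmt in (("dport", rule["proto"] + " dpt:{}"), ("state", "state {}")):
        if rule[key]:
            cols.append(fmt.format(rule[key]))
    return " ".join(cols)

def unrestricted_accepts(chains, chain):
    """ACCEPT rules with no -i: they match on every interface, eth0 (Internet) included."""
    return [r for r in chains[chain] if r["target"] == "ACCEPT" and r["in"] is None]

if __name__ == "__main__":  # left column: iptables -L; right column: iptables -L -v
    for r in parse_rules(RULES)["INPUT"]:
        print(f"{render(r, False):45} | {render(r, True)}")
```

The bare "ACCEPT all anywhere anywhere" line in the question is the `-i wlan2` rule with its interface column hidden; the two port-53 ACCEPTs are the ones with no interface restriction.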
