在安装了 Iptables 的主机的终端中输入这些命令后,连接到可以访问互联网的无线网络后,没有加载任何网页。
我知道这很简单,但我不知道是什么。
sudo iptables --policy INPUT DROP
sudo iptables --policy OUTPUT DROP
sudo iptables --policy FORWARD DROP
sudo iptables -A OUTPUT -j ACCEPT -p tcp --destination-port 53
sudo iptables -A OUTPUT -j ACCEPT -p tcp --destination-port 80
sudo iptables -A OUTPUT -j ACCEPT -p tcp --destination-port 443
sudo iptables -A OUTPUT -j ACCEPT -p udp --destination-port 53
sudo /sbin/iptables-save
前面命令后列出的配置:
user@debian:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:domain
user@debian:~$ sudo iptables -L -v
Chain INPUT (policy DROP 1095 packets, 131K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 33 packets, 2574 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
8 480 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
1072 70910 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
在这种情况下,我只是在寻找基本 DNS、HTTP 和 HTTPS。出了什么问题?
答案1
sudo iptables --policy INPUT DROP
默认情况下,这会丢弃所有传入流量。您没有对此策略做出例外处理的规则,即您只有允许传出流量的 OUTPUT 规则。通常,至少会有一条规则允许从内部建立的输入匹配连接,例如:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT