On one machine I have a web server (apache) running and answering on ports 80 and 443. On this same machine I have a firewall (shorewall) that blocks everything except what I explicitly allow, so I have the following rules (I have many others, but they are not the subject here, so I am keeping it simple):
?SECTION NEW
Web(ACCEPT) net fw
Web(ACCEPT) fw net
Everything works perfectly. Except that in the firewall log I notice a lot of rejected outgoing packets with source port 80 and 443. I do not understand why these packets are sent, nor why rejecting them does not hamper the web server's operation at all.
Note that I have exactly the same issue with the mail server and ports 25, 110, 143, 465, 993, 995.
I am trying to understand this; it does not necessarily need correcting if it is harmless.
Edit:
Question asked on the shorewall mailing list: it was confirmed that everything is fine, that these correspond to already-closed connections, and that to stop seeing these lines in the logs I just had to add dropInvalid to the
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
default setting in Shorewall.
But that does not work at all. Whatever I put in REJECT_DEFAULT, I still get these lines in my logs.
Edit 2:
iptables-save -c
as requested in the comments (I removed all the fail2ban rules):
# Generated by iptables-save v1.8.9 on Fri Oct 27 16:43:40 2023
*mangle
:PREROUTING ACCEPT [294959:300247330]
:INPUT ACCEPT [294959:300247330]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [271994:270207145]
:POSTROUTING ACCEPT [271932:270200193]
[0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
COMMIT
# Completed on Fri Oct 27 16:43:40 2023
# Generated by iptables-save v1.8.9 on Fri Oct 27 16:43:40 2023
*nat
:PREROUTING ACCEPT [22019:1019969]
:INPUT ACCEPT [10536:410458]
:OUTPUT ACCEPT [9493:687413]
:POSTROUTING ACCEPT [9493:685796]
COMMIT
# Completed on Fri Oct 27 16:43:40 2023
# Generated by iptables-save v1.8.9 on Fri Oct 27 16:43:40 2023
*raw
:PREROUTING ACCEPT [294959:300247330]
:OUTPUT ACCEPT [271994:270207145]
COMMIT
# Completed on Fri Oct 27 16:43:40 2023
# Generated by iptables-save v1.8.9 on Fri Oct 27 16:43:40 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:fw-net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:sha-lh-1550d655e9a1cad182eb - [0:0]
:sha-rh-dee8631b410018e6f7d8 - [0:0]
:shorewall - [0:0]
:sshok-fw - [0:0]
:tcpflags - [0:0]
:~log0 - [0:0]
:~log1 - [0:0]
:~log2 - [0:0]
:~log3 - [0:0]
:~log4 - [0:0]
[287639:299139087] -A INPUT -i eth0 -j eth0_in
[1702:777139] -A INPUT -m iface --dev-in --loopback -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID -g ~log2
[0:0] -A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "INPUT REJECT " --log-level 6
[0:0] -A INPUT -g reject
[0:0] -A FORWARD -i eth0 -j eth0_fwd
[0:0] -A FORWARD -m conntrack --ctstate INVALID -g ~log4
[0:0] -A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "FORWARD REJECT " --log-level 6
[0:0] -A FORWARD -g reject
[270273:269429246] -A OUTPUT -o eth0 -j fw-net
[1721:777899] -A OUTPUT -m iface --dev-out --loopback -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -g ~log3
[0:0] -A OUTPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "OUTPUT REJECT " --log-level 6
[0:0] -A OUTPUT -g reject
[0:0] -A eth0_fwd -o eth0 -g sfilter
[0:0] -A eth0_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
[0:0] -A eth0_fwd -p tcp -j tcpflags
[16554:699778] -A eth0_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
[261014:296956611] -A eth0_in -p tcp -j tcpflags
[148579:24762560] -A eth0_in -m set --match-set sshok src -j sshok-fw
[123729:273762557] -A eth0_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[1120:52679] -A eth0_in -m geoip --source-country CN,RU -g ~log1
[651:51460] -A eth0_in -s MyIP -j ACCEPT
[8233:263993] -A eth0_in -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
[1139:63657] -A eth0_in -p tcp -m multiport --dports 25,465,587,143,993,110,995,80,443 -m comment --comment "Mail, IMAP, IMAPS, POP3, POP3S, Web" -j ACCEPT
[0:0] -A eth0_in -s MyIP -p tcp -m multiport --dports 9418,8000,9101:9102 -j ACCEPT
[0:0] -A eth0_in -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A eth0_in -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A eth0_in -m addrtype --dst-type MULTICAST -j DROP
[4837:233521] -A eth0_in -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-fw DROP " --log-level 6
[4837:233521] -A eth0_in -j DROP
[253629:268207796] -A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw-net -m geoip --destination-country CN,RU -g ~log0
[1:60] -A fw-net -d MyIP -p tcp -m multiport --dports 9101:9103,19101:19103,19112,19122 -j ACCEPT
[0:0] -A fw-net -p icmp -m icmp --icmp-type 2 -j ACCEPT
[0:0] -A fw-net -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
[138:11592] -A fw-net -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
[14996:1113778] -A fw-net -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
[1311:78660] -A fw-net -p tcp -m multiport --dports 53,22,80,443,21,25,465,587 -m comment --comment "DNS, SSH, HTTP, HTTPS, FTP, Mail" -j ACCEPT
[118:8968] -A fw-net -p udp -m udp --dport 123 -m comment --comment NTP -j ACCEPT
[4:240] -A fw-net -p tcp -m multiport --dports 43,4321,2703 -m comment --comment "Whois and others, Razor" -j ACCEPT
[2:384] -A fw-net -d 154.61.86.89/32 -p udp -m udp --dport 24441 -j ACCEPT
[12:816] -A fw-net -p udp -m udp --dport 6277 -m comment --comment DCC -j ACCEPT
[0:0] -A fw-net -p tcp -m tcp --dport 873 -m comment --comment Rsync -j ACCEPT
[0:0] -A fw-net -d 187.33.4.179/32 -j ACCEPT
[0:0] -A fw-net -p tcp -m multiport --dports 8000,8001,8080,8276 -j ACCEPT
[43:1804] -A fw-net -m conntrack --ctstate INVALID -g ~log0
[19:5148] -A fw-net -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "fw-net REJECT " --log-level 6
[19:5148] -A fw-net -g reject
[0:0] -A logdrop -j DROP
[2:120] -A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
[2:120] -A logflags -j DROP
[0:0] -A logreject -j reject
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[19:5148] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A sfilter -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "sfilter DROP " --log-level 6
[0:0] -A sfilter -j DROP
[0:0] -A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
[147356:24676752] -A sshok-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[572:34348] -A sshok-fw -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[1:60] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[1:60] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
[43:1804] -A ~log0 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "fw-net DROP " --log-level 6
[43:1804] -A ~log0 -j DROP
[1120:52679] -A ~log1 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-fw DROP " --log-level 6
[1120:52679] -A ~log1 -j DROP
[0:0] -A ~log2 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "INPUT DROP " --log-level 6
[0:0] -A ~log2 -j DROP
[0:0] -A ~log3 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "OUTPUT DROP " --log-level 6
[0:0] -A ~log3 -j DROP
[0:0] -A ~log4 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "FORWARD DROP " --log-level 6
[0:0] -A ~log4 -j DROP
COMMIT
# Completed on Fri Oct 27 16:43:40 2023
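To check what those rejected outbound packets actually are, here is an added example that is not part of the question and not Shorewall's own code: a small Python parser for the kernel LOG lines produced by the "fw-net REJECT" rule visible in the iptables-save output above. It separates packets that leave a served port carrying only ACK/FIN/RST (the leftovers of connections that conntrack has already forgotten, which is what the mailing list answer describes) from packets carrying a bare SYN (a genuinely new outbound connection from this host, which is worth tracing back to the process that sent it). The log lines, addresses and client ports in the sample are constructed for the example; the set of served ports is taken from the question's rules.

```python
import re
from collections import Counter

# Constructed sample lines in the format the iptables LOG target writes to the
# kernel log. Hosts, client ports and timestamps are made up for this example.
SAMPLE_LOG = """\
Oct 27 16:40:01 srv kernel: fw-net REJECT IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 27 16:40:02 srv kernel: fw-net REJECT IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.8 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=80 DPT=40022 WINDOW=501 RES=0x00 ACK FIN URGP=0
Oct 27 16:40:03 srv kernel: fw-net REJECT IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 27 16:40:04 srv kernel: fw-net REJECT IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=44512 DPT=6667 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 27 16:40:05 srv kernel: fw-net REJECT IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.21 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=993 DPT=60001 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 27 16:40:06 srv kernel: net-fw DROP IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=33001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Bare words the LOG target appends for set TCP flags (URGP=0 is a key=value, not a flag).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Ports this host serves, from the net->fw ACCEPT rule in the question.
SERVER_PORTS = {25, 80, 110, 143, 443, 465, 587, 993, 995}


def parse_log_line(line):
    """Turn one kernel LOG line into a dict of key=value fields plus a set of TCP flags."""
    m = re.search(r"kernel: (?P<prefix>.*?) IN=", line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": set()}
    for token in line[m.start("prefix"):].split():
        if "=" in token:
            key, _, value = token.partition("=")
            rec[key] = value
        elif token in TCP_FLAGS:
            rec["flags"].add(token)
    return rec


def classify(rec):
    """Label an outbound rejected packet by what its flags and source port imply."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    sport = int(rec.get("SPT", 0))
    if "SYN" in flags and "ACK" not in flags:
        # The host itself is opening a connection; find the sending process (ss -tnp, auditd).
        return "new-outbound-connection"
    if sport in SERVER_PORTS and flags & {"ACK", "FIN", "RST"}:
        # A reply from a served port after conntrack dropped the entry: harmless tail of a closed session.
        return "stale-server-reply"
    return "other"


def summarize(log_text, prefix="fw-net REJECT"):
    """Count rejected outbound packets by class, and stale replies by served port."""
    counts = Counter()
    by_port = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "stale-server-reply":
            by_port[int(rec["SPT"])] += 1
    return counts, by_port


if __name__ == "__main__":
    counts, by_port = summarize(SAMPLE_LOG)
    print("by class:", dict(counts))
    print("stale replies by served port:", dict(by_port))
```

Feed it the matching lines from journalctl -k or /var/log/kern.log instead of the sample: if everything lands in the "stale-server-reply" bucket, the log noise is the closed-connection leftovers the mailing list described; anything in "new-outbound-connection" is a real egress attempt from the host and deserves a look.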