我正在尝试配置一个防火墙(在 Docker 主机上使用 iptables),允许来自任何地方的入站 HTTP 和 HTTPS、来自特定 IP 集的 SSH,并且不允许其他传入连接。我喜欢我读到的有关 ipset 的内容,因为它似乎比原始 iptables 更容易配置,并且还允许更轻松地自动重新配置集。但不知怎的,它似乎不起作用:我无法通过 HTTPS 连接,尽管端口 443 应该打开。 SSH 连接可以工作(尽管我没有尝试将自己锁在外面)。在尝试调试此问题时,我向 ipset 中的各个集合添加了计数器。但尽管 iptables 中的计数器增加,但它们仍保持在 0。为什么我的连接数没有计入 ipset?还有其他/更好的方法来调试 list:set 吗?我该如何解决它?
这是防火墙脚本(意图:允许来自 93.241.223.2 的端口 22、端口 80 和 443 上的任何端口,仅允许其他端口):
#!/bin/sh
# suffix for set names, to avoid overwriting old sets
timestamp=$(date +%s)
# allow HTTP in general (duplicate sets are due to automated generation of script)
ipset create mds-c-allowhttp4-$timestamp bitmap:port range 0-1024 counters
ipset add mds-c-allowhttp4-$timestamp 80
ipset add mds-c-allowhttp4-$timestamp 443
ipset create mds-c-allowhttp6-$timestamp bitmap:port range 0-1024 counters
ipset add mds-c-allowhttp6-$timestamp 80
ipset add mds-c-allowhttp6-$timestamp 443
# create set with allowed IPv4 ssh connections
ipset create mds-c-allowssh4-$timestamp hash:ip,port family inet counters
ipset add mds-c-allowssh4-$timestamp 93.241.223.2,22
# create set with allowed IPv6 ssh connections
ipset create mds-c-allowssh6-$timestamp hash:ip,port family inet6 counters
# create union of allowed sets
ipset create mds-c-allowcombined-$timestamp list:set counters
ipset add mds-c-allowcombined-$timestamp mds-c-allowhttp4-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowhttp6-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowssh4-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowssh6-$timestamp
# create mds-allowcombined if not already there
ipset create mds-allowcombined list:set counters
# activate new sets
ipset swap mds-c-allowcombined-$timestamp mds-allowcombined
# add iptables rule if not already there
iptables -C DOCKER-USER -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP || iptables -I DOCKER-USER -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP
ip6tables -C INPUT -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP || ip6tables -I INPUT -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP
这是“ipset --list”的输出:
Name: mds-c-allowhttp4-1712053688
Type: bitmap:port
Revision: 3
Header: range 0-1024 counters
Size in memory: 16608
References: 1
Number of entries: 2
Members:
80 packets 0 bytes 0
443 packets 0 bytes 0
Name: mds-c-allowhttp6-1712053688
Type: bitmap:port
Revision: 3
Header: range 0-1024 counters
Size in memory: 16608
References: 1
Number of entries: 2
Members:
80 packets 0 bytes 0
443 packets 0 bytes 0
Name: mds-c-allowssh4-1712053688
Type: hash:ip,port
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 counters bucketsize 12 initval 0xac582e33
Size in memory: 280
References: 1
Number of entries: 1
Members:
93.241.223.2,tcp:22 packets 0 bytes 0
Name: mds-c-allowssh6-1712053688
Type: hash:ip,port
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536 counters bucketsize 12 initval 0x0bd9d478
Size in memory: 216
References: 1
Number of entries: 0
Members:
Name: mds-allowcombined
Type: list:set
Revision: 3
Header: size 8 counters
Size in memory: 336
References: 2
Number of entries: 4
Members:
mds-c-allowhttp4-1712053688 packets 0 bytes 0
mds-c-allowhttp6-1712053688 packets 0 bytes 0
mds-c-allowssh4-1712053688 packets 0 bytes 0
mds-c-allowssh6-1712053688 packets 0 bytes 0
这是 iptables --list --verbose 的输出:
Chain INPUT (policy ACCEPT 14268 packets, 12M bytes)
pkts bytes target prot opt in out source destination
11611 11M f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8765 525K DOCKER-USER all -- any any anywhere anywhere
1939 116K DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
0 0 ACCEPT all -- any br-34e695d35afc anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any br-34e695d35afc anywhere anywhere
1939 116K ACCEPT all -- br-34e695d35afc !br-34e695d35afc anywhere anywhere
0 0 ACCEPT all -- br-34e695d35afc br-34e695d35afc anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-34e695d35afc br-34e695d35afc anywhere 172.18.0.2 tcp dpt:snpp
0 0 ACCEPT tcp -- !br-34e695d35afc br-34e695d35afc anywhere 172.18.0.2 tcp dpt:https
0 0 ACCEPT tcp -- !br-34e695d35afc br-34e695d35afc anywhere 172.18.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
1939 116K DOCKER-ISOLATION-STAGE-2 all -- br-34e695d35afc !br-34e695d35afc anywhere anywhere
1939 116K RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any br-34e695d35afc anywhere anywhere
1939 116K RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
6826 409K DROP all -- eth0 any anywhere anywhere ! match-set mds-allowcombined src,dst
1939 116K RETURN all -- any any anywhere anywhere
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
11522 11M RETURN all -- any any anywhere anywhere
答案1
一位同事帮助我理解了这个问题:
- 到目前为止,DOCKER-USER 链仅从 FORWARD 调用,而不是从 INPUT 调用。因此,SSH 数据包不会触及它,只有 HTTPS 数据包才会触及它。
- “bitmap:port”类型的集合是通过源端口(由于“src,dst”)而不是目标端口来调用的。因此,它们不匹配(这是无意的)
- 其他组也不匹配。这是有意的。
- 由于没有任何组匹配,因此没有计数器增加。
- 为了调试目的将“bitmap:port”设置更改为“hash:ip,port”后,计数器开始工作。
现在我只需要找到一种方法来构造一组针对源 IP 和目标端口的过滤和一组仅针对目标端口的过滤的并集。但这是另一个问题了。