为什么我的 ipset 计数器没有增加?

为什么我的 ipset 计数器没有增加?

我正在尝试配置一个防火墙(在 Docker 主机上使用 iptables),允许来自任何地方的入站 HTTP 和 HTTPS、来自特定 IP 集的 SSH,并且不允许其他传入连接。我喜欢我读到的有关 ipset 的内容,因为它似乎比原始 iptables 更容易配置,并且还允许更轻松地自动重新配置集。但不知怎的,它似乎不起作用:我无法通过 HTTPS 连接,尽管端口 443 应该打开。 SSH 连接可以工作(尽管我没有尝试将自己锁在外面)。在尝试调试此问题时,我向 ipset 中的各个集合添加了计数器。但尽管 iptables 中的计数器增加,但它们仍保持在 0。为什么我的连接数没有计入 ipset?还有其他/更好的方法来调试 list:set 吗?我该如何解决它?

这是防火墙脚本(意图:允许来自 93.241.223.2 的端口 22、端口 80 和 443 上的任何端口,仅允许其他端口):

#!/bin/sh

# suffix for set names, to avoid overwriting old sets
timestamp=$(date +%s)

# allow HTTP in general (duplicate sets are due to automated generation of script)
ipset create mds-c-allowhttp4-$timestamp bitmap:port range 0-1024 counters
ipset add mds-c-allowhttp4-$timestamp 80
ipset add mds-c-allowhttp4-$timestamp 443
ipset create mds-c-allowhttp6-$timestamp bitmap:port range 0-1024 counters
ipset add mds-c-allowhttp6-$timestamp 80
ipset add mds-c-allowhttp6-$timestamp 443

# create set with allowed IPv4 ssh connections
ipset create mds-c-allowssh4-$timestamp hash:ip,port family inet counters
ipset add mds-c-allowssh4-$timestamp 93.241.223.2,22
# create set with allowed IPv6 ssh connections
ipset create mds-c-allowssh6-$timestamp hash:ip,port family inet6 counters

# create union of allowed sets
ipset create mds-c-allowcombined-$timestamp list:set counters
ipset add mds-c-allowcombined-$timestamp mds-c-allowhttp4-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowhttp6-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowssh4-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowssh6-$timestamp
# create mds-allowcombined if not already there
ipset create mds-allowcombined list:set counters
# activate new sets
ipset swap mds-c-allowcombined-$timestamp mds-allowcombined

# add iptables rule if not already there
iptables -C DOCKER-USER -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP || iptables -I DOCKER-USER -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP
ip6tables -C INPUT -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP || ip6tables -I INPUT -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP

这是“ipset --list”的输出:

Name: mds-c-allowhttp4-1712053688
Type: bitmap:port
Revision: 3
Header: range 0-1024 counters
Size in memory: 16608
References: 1
Number of entries: 2
Members:
80 packets 0 bytes 0
443 packets 0 bytes 0

Name: mds-c-allowhttp6-1712053688
Type: bitmap:port
Revision: 3
Header: range 0-1024 counters
Size in memory: 16608
References: 1
Number of entries: 2
Members:
80 packets 0 bytes 0
443 packets 0 bytes 0

Name: mds-c-allowssh4-1712053688
Type: hash:ip,port
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 counters bucketsize 12 initval 0xac582e33
Size in memory: 280
References: 1
Number of entries: 1
Members:
93.241.223.2,tcp:22 packets 0 bytes 0

Name: mds-c-allowssh6-1712053688
Type: hash:ip,port
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536 counters bucketsize 12 initval 0x0bd9d478
Size in memory: 216
References: 1
Number of entries: 0
Members:

Name: mds-allowcombined
Type: list:set
Revision: 3
Header: size 8 counters
Size in memory: 336
References: 2
Number of entries: 4
Members:
mds-c-allowhttp4-1712053688 packets 0 bytes 0
mds-c-allowhttp6-1712053688 packets 0 bytes 0
mds-c-allowssh4-1712053688 packets 0 bytes 0
mds-c-allowssh6-1712053688 packets 0 bytes 0

这是 iptables --list --verbose 的输出:

Chain INPUT (policy ACCEPT 14268 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
11611   11M f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8765  525K DOCKER-USER  all  --  any    any     anywhere             anywhere
 1939  116K DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    br-34e695d35afc  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-34e695d35afc  anywhere             anywhere
 1939  116K ACCEPT     all  --  br-34e695d35afc !br-34e695d35afc  anywhere             anywhere
    0     0 ACCEPT     all  --  br-34e695d35afc br-34e695d35afc  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-34e695d35afc br-34e695d35afc  anywhere             172.18.0.2           tcp dpt:snpp
    0     0 ACCEPT     tcp  --  !br-34e695d35afc br-34e695d35afc  anywhere             172.18.0.2           tcp dpt:https
    0     0 ACCEPT     tcp  --  !br-34e695d35afc br-34e695d35afc  anywhere             172.18.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
 1939  116K DOCKER-ISOLATION-STAGE-2  all  --  br-34e695d35afc !br-34e695d35afc  anywhere             anywhere
 1939  116K RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 DROP       all  --  any    br-34e695d35afc  anywhere             anywhere
 1939  116K RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6826  409K DROP       all  --  eth0   any     anywhere             anywhere             ! match-set mds-allowcombined src,dst
 1939  116K RETURN     all  --  any    any     anywhere             anywhere

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
11522   11M RETURN     all  --  any    any     anywhere             anywhere

答案1

一位同事帮助我理解了这个问题:

  • 到目前为止,DOCKER-USER 链仅从 FORWARD 调用,而不是从 INPUT 调用。因此,SSH 数据包不会触及它,只有 HTTPS 数据包才会触及它。
  • “bitmap:port”类型的集合是通过源端口(由于“src,dst”)而不是目标端口来调用的。因此,它们不匹配(这是无意的)
  • 其他组也不匹配。这是有意的。
  • 由于没有任何组匹配,因此没有计数器增加。
  • 为了调试目的将“bitmap:port”设置更改为“hash:ip,port”后,计数器开始工作。

现在我只需要找到一种方法来构造一组针对源 IP 和目标端口的过滤和一组仅针对目标端口的过滤的并集。但这是另一个问题了。

相关内容