我在 linode 上为我的 Ubuntu 服务器设置了 ufw 防火墙,如下所示:
请注意,这是在 Lish 终端中,不幸的是,一旦我打开 ufw,我就无法:
通过浏览器的 80 端口查看我的测试网站,甚至使用 curl -I 获取其响应标头;
我无法 ssh 到服务器,即使端口 22“允许访问”;
ufw 的默认操作是拒绝,我认为这对于“防御性”防火墙来说是一种很好的做法。我对系统管理还不熟悉,所以我不太确定我做错了哪一部分...
有什么想法吗?
根据建议进行更新: 以下是 iptables-save 的打印输出:
# Generated by iptables-save v1.4.4 on Tue Dec 14 09:55:24 2010
*security
:INPUT ACCEPT [80376:49275670]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39230:5028423]
COMMIT
# Completed on Tue Dec 14 09:55:24 2010
# Generated by iptables-save v1.4.4 on Tue Dec 14 09:55:24 2010
*raw
:PREROUTING ACCEPT [81286:49365430]
:OUTPUT ACCEPT [39230:5028423]
COMMIT
# Completed on Tue Dec 14 09:55:24 2010
# Generated by iptables-save v1.4.4 on Tue Dec 14 09:55:24 2010
*nat
:PREROUTING ACCEPT [1419:87729]
:POSTROUTING ACCEPT [2334:168647]
:OUTPUT ACCEPT [2334:168647]
COMMIT
# Completed on Tue Dec 14 09:55:24 2010
# Generated by iptables-save v1.4.4 on Tue Dec 14 09:55:24 2010
*mangle
:PREROUTING ACCEPT [81286:49365430]
:INPUT ACCEPT [81274:49361314]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39230:5028423]
:POSTROUTING ACCEPT [39230:5028423]
COMMIT
# Completed on Tue Dec 14 09:55:24 2010
# Generated by iptables-save v1.4.4 on Tue Dec 14 09:55:24 2010
*filter
:INPUT ACCEPT [713:54735]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [666:62866]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j ACCEPT
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-input -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-input -p udp -m state --state NEW -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 23 -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Dec 14 09:55:24 2010
答案1
如果我是你,我会认真考虑使用类似 iptables 防火墙生成器的东西来制定你的规则,我花了两天时间尝试使用 iptables 作为路由器,使用这个网站后,我在 5 分钟内就让它工作了。
以下是链接:http://easyfwgen.morizot.net/gen/
希望有所帮助,RayQuang
答案2
我放弃了 ufw,改用 Shorewall。它可以作为软件包安装。/usr/share/doc/shorewall/examples 目录具有良好的起始配置。它将记录在 海岸线防火墙站点以及 shorewall-doc 包中。
答案3
也许你的 iptables-save 在这里不完整?
如果您运行 iptables-save - 它会转储当前规则。要使实际的 ufw 规则成为当前规则 - 您应该在配置 ufw 后运行:
# ufw enable
# /lib/ufw/ufw-init restart
我的规则确实包含一个链,阻止所有输入流量通过:
*filter
...
-A INPUT -j ufw-before-input
...
-A ufw-before-input -j ufw-not-local
...
-A ufw-not-local -j DROP
丢弃所有输入流量:input => ufw-before-input => ufw-not-local => DROP
我设法通过修改 /etc/ufw/before.rules 来解决这个问题:删除此行
-A ufw-before-input -j ufw-not-local