自从我重新安装了操作系统后,我的消息日志中出现了很多 UDP_IN Blocked 错误。有人能解释一下这个错误到底是什么吗,以及我可以做些什么来消除这个错误吗?
Aug 8 22:02:19 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=178.162.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=11061 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug 8 22:02:22 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=13132 PROTO=UDP SPT=58878 DPT=1947 LEN=48
Aug 8 22:02:49 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=255.255.255.255 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=12046 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug 8 22:02:49 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=178.162.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=12047 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug 8 22:03:01 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=13134 PROTO=UDP SPT=58878 DPT=1947 LEN=48
Aug 8 22:03:12 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:62:83:46:e6:0d:15:08:00 SRC=178.162.xxx.xxx DST=255.255.255.255 LEN=115 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5678 DPT=5678 LEN=95
Aug 8 22:03:19 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=255.255.255.255 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=13070 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug 8 22:03:19 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:f6:f3:49:7e:0a:54:08:00 SRC=178.162.xxx.xx DST=178.162.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=13071 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Aug 8 22:03:39 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=13136 PROTO=UDP SPT=58878 DPT=1947 LEN=48
发出 iptables-save 会产生以下结果:
# Generated by iptables-save v1.4.7 on Fri Aug 8 16:42:05 2014
*mangle
:PREROUTING ACCEPT [158298:41039552]
:INPUT ACCEPT [131187:38557000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [79668:17293129]
:POSTROUTING ACCEPT [79637:17291305]
COMMIT
# Completed on Fri Aug 8 16:42:05 2014
# Generated by iptables-save v1.4.7 on Fri Aug 8 16:42:05 2014
*nat
:PREROUTING ACCEPT [93313:9541674]
:POSTROUTING ACCEPT [896:63899]
:OUTPUT ACCEPT [896:63899]
COMMIT
# Completed on Fri Aug 8 16:42:05 2014
# Generated by iptables-save v1.4.7 on Fri Aug 8 16:42:05 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOWIN - [0:0]
:ALLOWOUT - [0:0]
:CONNLIMIT - [0:0]
:DENYIN - [0:0]
:DENYOUT - [0:0]
:INVALID - [0:0]
:INVDROP - [0:0]
:LOCALINPUT - [0:0]
:LOCALOUTPUT - [0:0]
:LOGDROPIN - [0:0]
:LOGDROPOUT - [0:0]
:PORTFLOOD - [0:0]
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 4.2.2.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 4.2.2.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 4.2.2.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 4.2.2.4/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name 22 --rsource
-A INPUT ! -i lo -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 250 --hitcount 2 --name 22 --rsource -j PORTFLOOD
-A INPUT ! -i lo -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 -j CONNLIMIT
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 46734 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -d 4.2.2.4/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 4.2.2.4/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 4.2.2.4/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 4.2.2.4/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 46734 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A ALLOWIN -s 37.254.xxx.xxx/32 ! -i lo -j ACCEPT
-A ALLOWOUT -d 37.254.xxx.xxx/32 ! -o lo -j ACCEPT
-A CONNLIMIT -p tcp -j REJECT --reject-with tcp-reset
-A DENYIN -s 97.77.xxx.xxx/32 ! -i lo -j DROP
-A DENYOUT -d 97.77.xxx.xxx/32 ! -o lo -j LOGDROPOUT
-A INVALID -m state --state INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j INVDROP
-A INVDROP -j DROP
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
-A LOGDROPOUT -j DROP
-A PORTFLOOD -m limit --limit 30/min -j LOG --log-prefix "Firewall: *Port Flood* "
-A PORTFLOOD -j DROP
COMMIT
# Completed on Fri Aug 8 16:42:05 2014
由于我已经使用 CSF 配置我的防火墙,因此我将仅附加我接触过的行。
TESTING = "0"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
RESTRICT_UI = "1"
AUTO_UPDATES = "1"
TCP_IN = "20,21,22,25,53,80,110,443,587,995,2222,46734"
TCP_OUT = "20,21,22,25,53,80,110,113,443,2222,46734"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6 = "1"
IPV6_ICMP_STRICT = "0"
IPV6_SPI = "1"
TCP6_IN = "20,21,22,25,53,80,110,443,587,995,2222"
TCP6_OUT = "20,21,22,25,53,80,110,113,443,2222"
UDP6_IN = "20,21,53"
UDP6_OUT = "20,21,53,113,123"
ETH_DEVICE = ""
ETH6_DEVICE = ""
ETH_DEVICE_SKIP = ""
USE_CONNTRACK = "0"
SYSLOG_CHECK = "600"
IGNORE_ALLOW = "0"
DNS_STRICT = "0"
DNS_STRICT_NS = "0"
DENY_IP_LIMIT = "200"
DENY_TEMP_IP_LIMIT = "100"
LF_DAEMON = "1"
LF_CSF = "1"
答案1
您不应该运行 iptables-save,因为您运行的是 CSF,并且规则是通过 /etc/csf/csf.conf 进行管理的。问题是您没有将端口 17500 UDP 列入白名单,这就是您看到连接断开的原因。根据http://www.speedguide.net/port.php?port=17500
其他端口也是一样,它们只是没有被列入白名单,所以你会看到它们被丢弃。
答案2
好吧,我不会说你的防火墙配置错误......
将 Drop 作为默认策略始终没问题,只是意味着所有未明确允许的内容都会被删除。唯一的问题是这里的日志记录。
我不知道为什么,但是您为某些端口(例如 520)定义了 LOGDROP 规则,这意味着到(LOGDROPIN)或来自(LOGDROPOUT)此端口的连接将被丢弃并记录,这就是导致日志泛滥的原因(您可以高兴地看到防火墙规则将其限制为每分钟 30 条日志)。您可以删除这些条目,因为指定的端口已被您的默认策略丢弃。
确保只接受您实际使用的端口,因为据我所知,您的防火墙对 DNS、邮件(110,995,587,25)FTP、SSH、HTTP 和 HTTPS 以及端口 2222(可能是 DirectAdmin)和 46734(不知道)都是开放的。
因此按正确的顺序:
- 执行 iptables-save > /root/firewall
- 打开此文件(/root/firewall)并删除 logdrop 条目(使用 vi 或 nano 等)
- 执行 iptables-restore < /root/firewall
- iptables-保存
我不知道您使用的是哪种操作系统,但如果您自己没有配置这些防火墙规则,您可能需要在每次启动时加载这些防火墙设置。
您必须提供一些额外的信息,因为我给您的答案可以解决您的问题,但如果有外部程序操纵您的防火墙(例如 GUI 软件),则不会有帮助。有趣的信息是:
- 你使用什么操作系统?
- 您正在使用一种特殊的硬件吗?
- 您是如何设置防火墙的?
- 你用这台机器做什么用途?