I have been struggling with a problem in iptables:
I am trying to open a port range to a specific IP for x seconds/minutes after a single packet is sent to a specific port.
Not exactly port knocking, but the same principle - I just can't get it to work. This is what I have so far - I may have completely misunderstood something, since I have only just started with firewalls, and iptables in particular.
Code:
######### UPnP ###########
#Opens up for all udp ports on local network - not so good.
#-A INPUT -s 10.10.10.254/24 -i eno1 -p udp -m udp -j ACCEPT
#Opens for the needed ports for syncthing but still too many
#-A INPUT -s 10.10.10.254/24 -i eno1 -p udp --match multiport --dports 40000:65000 -j ACCEPT
#allows for related ports to be opened along with ones already established. Does not work
-A INPUT -s 10.10.10.254/24 -i eno1 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
###### Opening up the selected port range for x seconds when a UDP packet is received on port 1900
#Creating chain STATE0-1
-N STATE0
-A INPUT -j STATE0
#Opening and receiving a packet on port 1900
-A STATE0 -s 10.10.10.254/24 -i eno1 -m state --state NEW -p udp -m udp --dport 1900 -m recent --name UPnPpacket --set -j ACCEPT
-A STATE0 -j DROP
-N STATE1
#Looking at recent with name UPnPpacket and if it exists open ports 40000:65000 for 10 seconds
###
#-A STATE1 -s 10.10.10.254/24 -i eno1 -m state --state NEW -p udp --match multiport --dports 40000:65000 -m recent --rcheck --seconds 10 --name UPnPpacket -j ACCEPT
###
#trying this instead
-A STATE1 -m recent --name UPnPpacket --remove
-A STATE1 -s 10.10.10.254/24 -i eno1 -p udp --match multiport --dports 40000:65000 -j ACCEPT
-A STATE1 -j STATE0
As you can see, I am trying to get UPnP working with Arch Linux... I might add that this is not a simple task :-)
Cheers,
----------##########------------
Update:
########################################
######### UPnP ###########
#allows for related ports to be opened along with ones already established. Does not work on its own
-A INPUT -s 10.10.10.254/24 -i eno1 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
#Open up for the multicast discovery (THESE SHOULD BE DELETED ONE BY ONE TO TEST WHICH ARE NEEDED)
-A INPUT -i eno1 -d 224.0.0.0/8 -p igmp -j ACCEPT
-A INPUT -i eno1 -s 0.0.0.0/32 -d 224.0.0.1/32 -p igmp -j ACCEPT
-A INPUT -p igmp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Upon a udp packet being received on port 1900 from the local subnet
# the port range 40000:65000 is opened for 30 seconds.
#0 Create chain and give received packets a name
-N INTO-PHASE2
#3 Take all packets arriving in chain INTO-PHASE2, rename them from PHASE1 to PHASE2 and log the event
-A INTO-PHASE2 -m recent --name PHASE1 --remove
-A INTO-PHASE2 -m recent --name PHASE2 --set
-A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "
#1 Name incoming packets
-A INPUT -s 10.10.10.254/24 -p udp -m recent --update --name PHASE1
#1 Name packets from port 1900 from the local subnet PHASE1
-A INPUT -s 10.10.10.254/24 -i eno1 -p udp -m udp --dport 1900 -m recent --set --name PHASE1 -j INTO-PHASE2
# Check whether a packet received on the port range has a sender with the same IP as the sender of a PHASE1 packet; if so, pass the packet into the INTO-PHASE2 chain.
-A INPUT -s 10.10.10.254/24 -p udp --match multiport --dports 30000:65000 -m recent --rcheck --name PHASE1 -j ACCEPT
# Check packets arriving on the port range from the local subnet to see if they have the name "PHASE2" - if they do and they are recent, open the port range, accepting all packets for 30 seconds
-A INPUT -s 10.10.10.254/24 -p udp --match multiport --dports 30000:65000 -m recent --rcheck --seconds 30 --name PHASE2 -j ACCEPT
#test
#-A INPUT -s 10.10.10.254/24 -p udp --match multiport --dports 30000:65000 -j ACCEPT
#############
I don't know what the problem is, but the packet is received and accepted on 1900 udp, yet it refuses to open the port range....
Answer 1
Here is a ruleset that does what you want. (Adapted from similar rules used to allow knocking on external ports.)
# Packets to the range are accepted only from a source that knocked within the last 60 seconds
-A INPUT -p udp --dport 30000:65000 -m recent --rcheck --seconds 60 --name UPnP -j ACCEPT
# A packet to 1899 or 1901 removes the sender's entry (closes the window early); a packet to 1900 creates it
-A INPUT -p udp --dport 1899 -m recent --name UPnP --remove -j DROP
-A INPUT -p udp --dport 1900 -m recent --name UPnP --set -j DROP
-A INPUT -p udp --dport 1901 -m recent --name UPnP --remove -j DROP
You may be better off using a real UPnP daemon such as miniupnpd. It will manage the firewall in a more appropriate way. Some daemons can be configured to restrict the opened ports to the requesting client rather than to every host on the network.
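An added example, not code from the question or the answer above: a small Python model of the iptables `recent` match (`--set`, `--rcheck`, `--update`, `--remove`, `--seconds`) with the answer's four rules encoded as data, so the per-source window can be traced offline without a live firewall. Entries are keyed on the source address, as with the default `--rsource`, which is why a knock from one host does not open the range for another. The addresses, times and list name are constructed for illustration. The same trace is also run with `--rcheck` and no `--seconds`, where an entry keeps matching for as long as it exists.

```python
"""Offline model of iptables' xt_recent match (--set/--rcheck/--update/--remove).

Added example: not code from the question or the answer above. It encodes the
answer's knock ruleset as data and walks a constructed packet trace through it,
so the per-source timing can be checked without a live firewall.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str     # source address: the key xt_recent uses with --rsource
    dport: int   # UDP destination port
    t: float     # arrival time in seconds


@dataclass(frozen=True)
class Rule:
    lo: int                        # --dport range, inclusive
    hi: int
    op: Optional[str] = None       # recent op: "set", "rcheck", "update", "remove"
    name: Optional[str] = None     # --name of the recent list
    seconds: Optional[int] = None  # --seconds; None means "as long as the entry exists"
    target: Optional[str] = None   # -j target; None is a non-terminating rule


class RecentTable:
    """One 'last seen' timestamp per (list, source address), like /proc/net/xt_recent."""

    def __init__(self) -> None:
        self.lists: Dict[str, Dict[str, float]] = {}

    def match(self, rule: Rule, pkt: Packet) -> bool:
        entries = self.lists.setdefault(rule.name, {})
        if rule.op == "set":            # add or refresh the entry; always matches
            entries[pkt.src] = pkt.t
            return True
        if rule.op == "remove":         # matches only if an entry existed
            return entries.pop(pkt.src, None) is not None
        stamp = entries.get(pkt.src)    # rcheck / update
        if stamp is None:
            return False
        fresh = rule.seconds is None or pkt.t - stamp <= rule.seconds
        if fresh and rule.op == "update":
            entries[pkt.src] = pkt.t    # --update also refreshes the timestamp
        return fresh


def filter_packet(rules: List[Rule], table: RecentTable, pkt: Packet,
                  policy: str = DROP) -> str:
    """First terminating rule whose port range and recent op both match wins."""
    for rule in rules:
        if not rule.lo <= pkt.dport <= rule.hi:
            continue
        if rule.op is not None and not table.match(rule, pkt):
            continue
        if rule.target is not None:
            return rule.target
    return policy


def answer_rules(seconds: Optional[int] = 60) -> List[Rule]:
    """The answer's ruleset: a knock on 1900 opens 30000:65000 for `seconds`."""
    return [
        Rule(30000, 65000, "rcheck", "UPnP", seconds, ACCEPT),
        Rule(1899, 1899, "remove", "UPnP", target=DROP),
        Rule(1900, 1900, "set", "UPnP", target=DROP),
        Rule(1901, 1901, "remove", "UPnP", target=DROP),
    ]


def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Verdict per packet, in order, starting from an empty recent table."""
    table = RecentTable()
    return [filter_packet(rules, table, p) for p in packets]


# Constructed trace: addresses and times are made up for the example.
TRACE = [
    Packet("10.10.10.20", 40000, 0),    # before any knock
    Packet("10.10.10.20", 1900, 1),     # the knock; the knock packet itself is dropped
    Packet("10.10.10.20", 40000, 2),    # inside the window
    Packet("10.10.10.30", 40000, 2),    # another host has no entry of its own
    Packet("10.10.10.20", 40000, 50),   # still inside the 60 s window
    Packet("10.10.10.20", 40000, 62),   # 61 s after the knock: expired
    Packet("10.10.10.20", 1900, 63),    # knock again
    Packet("10.10.10.20", 1901, 64),    # explicit close
    Packet("10.10.10.20", 40000, 65),   # entry removed, so dropped
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run(answer_rules(60), TRACE)):
        print(f"t={pkt.t:>3} {pkt.src}:{pkt.dport:<5} {verdict}")
```

Running the block prints the verdict for each packet of the trace. Passing `answer_rules(None)` instead models an `--rcheck` rule written without `--seconds`: the packet at t=62 is then accepted, and only the explicit `--remove` on 1901 closes the window again.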