我已配置 UFW 来尝试阻止一些不需要的 IP 和相关请求。
#ufw status |less
Status: active
To Action From
-- ------ ----
37.187.183.206 DENY Anywhere
Anywhere DENY 37.187.183.206
198.41.249.59 DENY Anywhere
Anywhere DENY 198.41.249.59
162.159.251.59 DENY Anywhere
Anywhere DENY 162.159.251.59
状态活动确认已启用 UFW,我这里有 3 个 IP 被阻止,包括入站和出站。这些规则是通过“ufw insert 1”插入的,因此是处理的第一条规则。但是 ping 和请求仍然通过
# ping 193.201.224.10
PING 193.201.224.10 (193.201.224.10) 56(84) bytes of data.
64 bytes from 193.201.224.10: icmp_req=1 ttl=52 time=354 ms
64 bytes from 193.201.224.10: icmp_req=2 ttl=52 time=356 ms
实际请求也是如此
#wget 37.187.183.206
--2015-02-13 06:37:23-- http://37.187.183.206/
Connecting to 37.187.183.206:80... connected.
HTTP request sent, awaiting response... 302 Found
对于原因有什么想法吗?
编辑:iptables 输出按要求
Chain INPUT (policy DROP 27 packets, 1100 bytes)
pkts bytes target prot opt in out source destination
105M 11G fail2ban-apache-overflows tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
105M 11G fail2ban-apache-noscript tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
105M 11G fail2ban-apache tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
0 0 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
1107M 884G ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
1107M 884G ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
1109 49748 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
1109 49748 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
1109 49748 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
1109 49748 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 108 packets, 4992 bytes)
pkts bytes target prot opt in out source destination
746M 274G ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
746M 274G ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
54M 3681M ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
54M 3681M ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
54M 3681M ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
54M 3681M ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache (1 references)
pkts bytes target prot opt in out source destination
105M 11G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-noscript (1 references)
pkts bytes target prot opt in out source destination
105M 11G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-overflows (1 references)
pkts bytes target prot opt in out source destination
105M 11G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
149 6980 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
54M 7592M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1042M 875G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4052K 435M ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
4052K 435M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
6880K 500M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
6880K 500M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
54M 7592M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
638M 263G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
54M 3681M ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
3915 189K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 3/min burst 10
3805 185K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
pkts bytes target prot opt in out source destination
54M 7592M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1042M 875G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4052K 435M ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
4052K 435M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
6880K 500M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
6880K 500M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
54M 7592M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
638M 263G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
54M 3681M ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
3915 189K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 3/min burst 10
3805 185K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
6880K 500M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
16M 979M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
38M 2701M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain ufw-user-forward (1 references)
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 37.187.183.206
0 0 DROP all -- * * 37.187.183.206 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 198.41.249.59
0 0 DROP all -- * * 198.41.249.59 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 162.159.251.59
0 0 DROP all -- * * 162.159.251.59 0.0.0.0/0
10 600 DROP all -- * * 220.181.108.153 0.0.0.0/0
0 0 DROP all -- * * 220.176.172.157 0.0.0.0/0
0 0 DROP all -- * * 222.70.153.55 0.0.0.0/0
0 0 DROP all -- * * 94.153.11.136 0.0.0.0/0
0 0 DROP all -- * * 178.63.95.202 0.0.0.0/0
270 10920 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
11 488 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:81
3838 206K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2222
16 832 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10000
1019 51256 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3096
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3096
0 0 ACCEPT tcp -- * * 27.131.130.17 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 27.131.130.19 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 61.7.147.82 0.0.0.0/0 tcp dpt:21
844 42932 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21
1057 63508 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8010
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8010
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8011
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8011
答案1
简短的回答是:你制定的规则ufw位于 INPUT 链中,不会影响来自运行 ufw 的系统的网络流量。您需要 OUTPUT 链中的规则来管理该流量。
龙族回答: 首先要了解的是 netfilter 防火墙(内核包过滤防火墙的项目名称)规则按顺序检查并且数据包的命运(接受、丢弃、拒绝等)是根据首次匹配来确定的。
从你iptables -L -n -v可以看到,你有两种互补的技术来管理你的数据包过滤器,ufw和fail2ban已经创建 ipchains 规则集。
首先处理由 fail2ban 管理的规则集,因为在 INPUT 链中,fail2ban 链被首先列出。这些适用于默认 Web 服务器端口 80 和 443 或 ssh 端口 22。
由于显然没有检测到滥用者,fail2ban 规则没有排除任何 ip 地址,它们尚未匹配任何内容,并使用 RETURN 进一步处理由 ufw 规则集完成的数据包。
您可以在那里看到所有自定义的 ufw 规则,ufw-user-input并且计数器确实显示了您已经从wget 37.187.183.206命令中推断出的内容:这些规则显然从未匹配。
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 37.187.183.206
0 0 DROP all -- * * 37.187.183.206 0.0.0.0/0
...
原因在于,来自您的系统的数据包(例如从 wget 命令创建的数据包)应该在 OUTPUT 链中被过滤,并且永远不会在 INPUT 链中匹配。
来自 37.187.183.206 的所有流量都会被阻止,如果您的系统是服务器和 37.187.183.206 之间的路由器/防火墙,那么流量也会被阻止,但创建的数据包通过您的服务器是一种特殊情况,并没有被阻止。
ufw-user-output对于那个特殊用例,它们也应该在链中。
允许来自 37.187.183.206 的 ping 请求的原因是,在链中,ufw-before-input接受回显请求(ICMP 类型 8)的规则在引用包含自定义规则的链之前就被接受。
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
<snip>
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
<snip>
6880K 500M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0