UFW rules are in place and enabled, but traffic is still allowed

I have configured UFW to try to block some unwanted IPs and the associated requests.

#ufw status |less
Status: active

To                         Action      From
--                         ------      ----
37.187.183.206             DENY        Anywhere
Anywhere                   DENY        37.187.183.206
198.41.249.59              DENY        Anywhere
Anywhere                   DENY        198.41.249.59
162.159.251.59             DENY        Anywhere
Anywhere                   DENY        162.159.251.59

"Status: active" confirms that UFW is enabled, and I have 3 IPs blocked here, both inbound and outbound. These rules were inserted with "ufw insert 1", so they are the first rules processed. But pings and requests still get through:

# ping 193.201.224.10
PING 193.201.224.10 (193.201.224.10) 56(84) bytes of data.
64 bytes from 193.201.224.10: icmp_req=1 ttl=52 time=354 ms
64 bytes from 193.201.224.10: icmp_req=2 ttl=52 time=356 ms

The same goes for an actual request:

#wget 37.187.183.206
--2015-02-13 06:37:23--  http://37.187.183.206/
Connecting to 37.187.183.206:80... connected.
HTTP request sent, awaiting response... 302 Found

Any ideas why?

EDIT: iptables output as requested

Chain INPUT (policy DROP 27 packets, 1100 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 105M   11G fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
 105M   11G fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
 105M   11G fail2ban-apache  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
1107M  884G ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1107M  884G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1109 49748 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1109 49748 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1109 49748 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1109 49748 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 108 packets, 4992 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 746M  274G ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 746M  274G ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M 3681M ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M 3681M ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M 3681M ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M 3681M ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-overflows (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  149  6980 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  54M 7592M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
1042M  875G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4052K  435M ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
4052K  435M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
6880K  500M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
6880K  500M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  54M 7592M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 638M  263G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  54M 3681M ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 3915  189K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 3/min burst 10
 3805  185K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
6880K  500M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  16M  979M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
  38M 2701M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206      
    0     0 DROP       all  --  *      *       37.187.183.206       0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            198.41.249.59       
    0     0 DROP       all  --  *      *       198.41.249.59        0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            162.159.251.59      
    0     0 DROP       all  --  *      *       162.159.251.59       0.0.0.0/0           
   10   600 DROP       all  --  *      *       220.181.108.153      0.0.0.0/0           
    0     0 DROP       all  --  *      *       220.176.172.157      0.0.0.0/0           
    0     0 DROP       all  --  *      *       222.70.153.55        0.0.0.0/0           
    0     0 DROP       all  --  *      *       94.153.11.136        0.0.0.0/0           
    0     0 DROP       all  --  *      *       178.63.95.202        0.0.0.0/0           
  270 10920 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1433
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1433
   11   488 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:81
 3838  206K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2222
   16   832 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10000
 1019 51256 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3096
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3096
    0     0 ACCEPT     tcp  --  *      *       27.131.130.17        0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       27.131.130.19        0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       61.7.147.82          0.0.0.0/0            tcp dpt:21
  844 42932 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:21
 1057 63508 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8010
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8010
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8011
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8011

Answer 1

The short answer is: the rules you have made in ufw are in the INPUT chain and do not affect network traffic originating from the system running ufw. You need rules in the OUTPUT chain to manage that traffic.

Long answer: The first thing to understand is that netfilter firewall rules (netfilter being the project name of the kernel packet-filtering firewall) are checked in order, and the fate of a packet (accept, drop, reject, etc.) is decided by the first match.

From your iptables -L -n -v you can see that you have two complementary techniques managing your packet filter: ufw and fail2ban have both created ipchains rule sets.

The rule sets managed by fail2ban are processed first, because the fail2ban chains are listed first in the INPUT chain. These apply to the default web server ports 80 and 443, or the ssh port 22.

Since apparently no abusers have been detected, the fail2ban rules have not excluded any IP addresses; they have not matched anything yet and use RETURN so that further processing of the packet is done by the ufw rule sets.

You can see all your custom ufw rules there in ufw-user-input, and the counters indeed show what you had already inferred from your wget 37.187.183.206 command: these rules apparently never matched.

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206 
    0     0 DROP       all  --  *      *       37.187.183.206       0.0.0.0/0 
    ...

The reason is that packets originating from your system (such as those created by the wget command) should be filtered in the OUTPUT chain and will never match in the INPUT chain.

All traffic coming from 37.187.183.206 is blocked, and if your system were a router/firewall between a server and 37.187.183.206 that traffic would be blocked as well, but packets created by your server are a special case and are not blocked.

For that special use case they should also be in the ufw-user-output chain.

The reason ping requests from 37.187.183.206 are allowed is that in the ufw-before-input chain, the rule accepting echo requests (ICMP type 8) is hit before the chain containing your custom rules is referenced.

Chain ufw-before-input (1 references)
pkts bytes target     prot opt in     out     source      destination         
        <snip>
0     0 ACCEPT       icmp --  *      *       0.0.0.0/0      0.0.0.0/0   icmptype 8
        <snip>
6880K  500M ufw-user-input  all  --  *  *  0.0.0.0/0      0.0.0.0/0           
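As an added illustration of the answer's point (this is not code from the question or the answer), the script below parses `iptables -L -n -v` output and follows the jumps from INPUT, OUTPUT and FORWARD into the ufw chains, reporting on which path a DROP/REJECT for a given address actually exists and what its packet counters are. The sample output is constructed: BEFORE mirrors the chains in the question, AFTER assumes the same host after `ufw deny out to 37.187.183.206`, which is taken to add one DROP rule to ufw-user-output.

```python
"""Audit which netfilter paths (INPUT / OUTPUT / FORWARD) carry a DROP or
REJECT rule for a given address, by parsing `iptables -L -n -v` output and
following the jumps ufw creates. Added example; sample data is constructed."""
import re
from collections import defaultdict

ROOT_CHAINS = ("INPUT", "OUTPUT", "FORWARD")
TERMINAL = {"DROP", "REJECT"}
CHAIN_RE = re.compile(r"^Chain (\S+) \(")

# Constructed sample, trimmed to the chains that matter for this question.
BEFORE = """\
Chain INPUT (policy DROP 27 packets, 1100 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1107M  884G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 108 packets, 4992 bytes)
 pkts bytes target     prot opt in     out     source               destination
  746M  274G ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 6880K  500M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  54M 3681M ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206
    0     0 DROP       all  --  *      *       37.187.183.206       0.0.0.0/0

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Same host after `ufw deny out to 37.187.183.206` (constructed, assumed rule).
AFTER = BEFORE + "    0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206\n"


def parse_iptables(text):
    """Return {chain: [(pkts, target, source, destination), ...]} in rule order."""
    chains = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current]  # register the chain even if it has no rules
            continue
        parts = line.split()
        # rule line layout: pkts bytes target prot opt in out source destination [...]
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue
        chains[current].append((parts[0], parts[2], parts[7], parts[8]))
    return dict(chains)


def paths_dropping(chains, ip):
    """Map each root chain to True if a DROP/REJECT naming `ip` (as source or
    destination) is reachable from it by following jumps into user chains.
    First-match order is deliberately ignored: this only answers "is there
    such a rule on this path at all", which is what went wrong in the question."""
    result = {}
    for root in ROOT_CHAINS:
        todo, seen, hit = [root], set(), False
        while todo and not hit:
            chain = todo.pop()
            if chain in seen:
                continue
            seen.add(chain)
            for _pkts, target, src, dst in chains.get(chain, []):
                if target in TERMINAL and ip in (src, dst):
                    hit = True
                    break
                if target in chains and target not in seen:
                    todo.append(target)
        result[root] = hit
    return result


def rule_counters(chains, ip):
    """List (chain, target, pkts) for every rule naming `ip`; all-zero
    counters are the same evidence the answer reads from ufw-user-input."""
    return [(chain, target, pkts)
            for chain, rules in chains.items()
            for pkts, target, src, dst in rules
            if ip in (src, dst)]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        parsed = parse_iptables(text)
        print(label, paths_dropping(parsed, "37.187.183.206"),
              rule_counters(parsed, "37.187.183.206"))
```

Run against real output with `iptables -L -n -v | python3 audit.py` style plumbing if you adapt the `__main__` block to read stdin. Because it ignores rule order, it will not show the answer's second point (the echo-request ACCEPT that precedes the jump to ufw-user-input); for that, look at the position of the matching rule within ufw-before-input.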
