iptables blocks self-curl

I don't know which missing rule makes this happen...

# iptables -Z ; curl -v -k --connect-timeout 2 http://www.myhost.com/ ; iptables -L -v
* Hostname was NOT found in DNS cache
*   Trying <correct IP>...
* Connection timed out after 2001 milliseconds
* Closing connection 0
curl: (28) Connection timed out after 2001 milliseconds
Chain INPUT (policy DROP 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     ip6-localhost        anywhere            
    0     0 DROP       all  -f  any    any     anywhere             anywhere            
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
    0     0 DROP       all  --  any    any     200.200.200.200      anywhere            
    0     0 DROP       all  --  any    any     192.168.0.0/24       anywhere            
    0     0 DROP       all  --  eth+   any     127.0.0.0/8          anywhere            
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    9   468 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh recent: UPDATE seconds: 20 hit_count: 20 TTL-Match name: SSH side: source mask: 255.255.255.255 LOG level warning prefix "SSH brute force "
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh recent: CHECK seconds: 20 hit_count: 20 TTL-Match name: SSH side: source mask: 255.255.255.255
    0     0 icmp-chain  icmp --  any    any     anywhere             anywhere            
    0     0 services   all  --  eth0+  any     anywhere             anywhere             state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    lo      anywhere             ip6-localhost       
   10  1072 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    2   120 ACCEPT     all  --  any    any     anywhere             anywhere             state NEW,ESTABLISHED

Chain icmp-chain (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request limit: avg 5/sec burst 5 state NEW
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable state NEW
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded state NEW
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp timestamp-request state NEW
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp timestamp-reply state RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain services (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: SSH side: source mask: 255.255.255.255
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:http state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:https state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:smtp state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:submission state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:imaps state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:pop3s state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:imap2 state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:pop3 state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:ftp state NEW
    0     0 ACCEPT     tcp  --  eth0+  any     anywhere             anywhere             tcp spts:1024:65535 dpt:sieve state NEW
    0     0 DROP       all  --  any    any     anywhere             anywhere            

It works with iptables -P INPUT ACCEPT

Answer 1

Damn. After 2 hours of hunting for the problem I posted this question. When I read my own post, I saw the answer:

A packet coming in on lo never reaches the services chain, which only covers eth0+ (and it would not be caught in the services chain anyway).
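As an added example, not code from the original question or answer: a small Python model of the INPUT and services chains listed above that traces a fresh SYN, showing why a self-curl arriving on lo falls through to the DROP policy while the same request arriving on eth0 is accepted. The public address 203.0.113.10, the reading of ip6-localhost as 127.0.0.1, and the candidate fix of an unconditional "-i lo -j ACCEPT" rule are assumptions, not taken from the page.

```python
# Rule: (in-iface, proto, dst, states, dport, target); None = any. Rules a fresh
# SYN on lo cannot match (TCP flags, blocklists, ssh recent, icmp) are omitted.
INPUT_RULES = [
    ("lo",    None, "127.0.0.1", None,                       None, "ACCEPT"),  # ip6-localhost above (assumed)
    (None,    None, None,        {"RELATED", "ESTABLISHED"}, None, "ACCEPT"),
    ("eth0+", None, None,        {"NEW"},                    None, "services"),
]
SERVICES_RULES = [
    ("eth0",  "tcp", None, {"NEW"}, 22,   "ACCEPT"),
    ("eth0+", "tcp", None, {"NEW"}, 80,   "ACCEPT"),  # https/mail/ftp/sieve elided
    (None,    None,  None, None,    None, "DROP"),
]

def iface_match(pattern, iface):
    """The '+' suffix is a prefix wildcard: eth0+ matches eth0, eth0.1, eth01."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern

def rule_matches(rule, pkt):
    iface, proto, dst, states, dport, _ = rule
    return (iface_match(iface, pkt["in"])
            and proto in (None, pkt["proto"])
            and dst in (None, pkt["dst"])
            and (states is None or pkt["state"] in states)
            and dport in (None, pkt["dport"]))

def walk(chains, name, pkt, policy):
    """First match wins; a user chain running off its end returns to the caller."""
    for rule in chains[name]:
        if rule_matches(rule, pkt):
            target = rule[5]
            if target not in chains:               # ACCEPT / DROP
                return target
            sub = walk(chains, target, pkt, None)  # jump into user chain
            if sub is not None:
                return sub
    return policy                                  # built-in chain policy last

def verdict(pkt, accept_all_lo=False):
    """INPUT verdict (policy DROP); accept_all_lo prepends the candidate '-i lo -j ACCEPT'."""
    fix = [("lo", None, None, None, None, "ACCEPT")] if accept_all_lo else []
    return walk({"INPUT": fix + INPUT_RULES, "services": SERVICES_RULES}, "INPUT", pkt, "DROP")

# Constructed packets; 203.0.113.10 stands in for the host's own public address.
SELF_CURL = {"in": "lo", "proto": "tcp", "dst": "203.0.113.10", "state": "NEW", "dport": 80}
REMOTE_HTTP = dict(SELF_CURL, **{"in": "eth0"})
```

The self-curl SYN matches neither the lo rule (wrong destination), the conntrack rule (state NEW) nor the jump to services (interface lo, not eth0+), so it lands on the chain policy; a loopback accept that ignores the destination changes the verdict.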
