I don't know which missing rule would cause this to happen...
# iptables -Z ; curl -v -k --connect-timeout 2 http://www.myhost.com/ ; iptables -L -v
* Hostname was NOT found in DNS cache
* Trying <correct IP>...
* Connection timed out after 2001 milliseconds
* Closing connection 0
curl: (28) Connection timed out after 2001 milliseconds
Chain INPUT (policy DROP 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any ip6-localhost anywhere
0 0 DROP all -f any any anywhere anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP all -- any any 200.200.200.200 anywhere
0 0 DROP all -- any any 192.168.0.0/24 anywhere
0 0 DROP all -- eth+ any 127.0.0.0/8 anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
9 468 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG tcp -- any any anywhere anywhere tcp dpt:ssh recent: UPDATE seconds: 20 hit_count: 20 TTL-Match name: SSH side: source mask: 255.255.255.255 LOG level warning prefix "SSH brute force "
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ssh recent: CHECK seconds: 20 hit_count: 20 TTL-Match name: SSH side: source mask: 255.255.255.255
0 0 icmp-chain icmp -- any any anywhere anywhere
0 0 services all -- eth0+ any anywhere anywhere state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere ip6-localhost
10 1072 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 120 ACCEPT all -- any any anywhere anywhere state NEW,ESTABLISHED
Chain icmp-chain (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request limit: avg 5/sec burst 5 state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp timestamp-request state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp timestamp-reply state RELATED,ESTABLISHED
0 0 DROP all -- any any anywhere anywhere
Chain services (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW recent: SET name: SSH side: source mask: 255.255.255.255
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:http state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:https state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:smtp state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:submission state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:imaps state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:pop3s state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:imap2 state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:pop3 state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:sieve state NEW
0 0 DROP all -- any any anywhere anywhere
It works with iptables -P INPUT ACCEPT
Answer 1
Oh my. After 2 hours of hunting for the problem I posted this question, and when I read my own post I saw the answer:
Packets coming in on lo are not sent through the services chain - only eth0+ is (and so they are not caught in the services chain either)
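Added example, not part of the question or the answer above. The counter dump in the question already localises the drop: `iptables -Z` zeroed every counter, the failed `curl` left 2 packets / 120 bytes on the OUTPUT `state NEW,ESTABLISHED` rule, and INPUT shows the same 2 packets / 120 bytes on the chain policy (`policy DROP 2 packets, 120 bytes`), i.e. on no rule at all. A connection to the host's own public address is routed over `lo` but carries the public IP, not a loopback address, as source, so it misses the first INPUT rule (`-i lo` restricted to a single loopback source, shown as a hostname because `-L` without `-n` resolves addresses), and the `services` chain is only entered for `-i eth0+`, so the packet falls through to the policy. The script below wraps that "zero, reproduce, look for non-zero counters" check in a function that runs offline over a constructed excerpt modelled on the question's output, and carries the usual fix, an unconditional accept for `-i lo` ahead of the anti-spoof and services rules. The function names and the sample dump are my own; `apply_loopback_fix` needs root and only runs when the script is invoked with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the sample
# counter dump below are mine; the dump is a constructed excerpt in the shape
# of `iptables -L -v -n` output, condensed from the question.

# Print every rule or chain-policy line whose packet counter is non-zero.
# Reads `iptables -L -v -n` text on stdin. Use -n: it avoids the reverse-DNS
# lookups that printed the loopback address as a hostname in the question.
nonzero_counters() {
    awk '
        /^Chain / { chain = $2 }
        # "Chain INPUT (policy DROP 2 packets, 120 bytes)": $4 = policy, $5 = pkts
        /^Chain .*\(policy/ {
            if ($5 + 0 > 0) printf "%s policy %s counted %s packets\n", chain, $4, $5
            next
        }
        # rule lines start with the packet counter (may carry a K/M/G suffix)
        $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" { printf "%s rule: %s\n", chain, $0 }
    '
}

# Constructed sample: the two chains that matter, after `iptables -Z` and one
# timed-out curl to the host's own public address. The 2 packets accepted by
# OUTPUT reappear on the INPUT *policy*, i.e. no INPUT rule matched them.
SAMPLE='Chain INPUT (policy DROP 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
    9   468 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 services   all  --  eth0+  *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED'

# The fix: accept everything that arrives on lo, whatever its source address,
# before the anti-spoof and services rules. Traffic to the host's own public
# IP is looped back with that IP as source, so a "-i lo -s 127.0.0.1" rule
# does not cover it. Requires root; only run with --apply.
apply_loopback_fix() {
    iptables -I INPUT 1 -i lo -j ACCEPT
    # Re-check: the INPUT policy counter must stay at 0 after a fresh curl.
    iptables -Z
    curl -s -o /dev/null --connect-timeout 2 http://www.myhost.com/ || true
    iptables -L INPUT -v -n | nonzero_counters
}

case "${1:-}" in
    --apply) apply_loopback_fix ;;
    *)       printf '%s\n' "$SAMPLE" | nonzero_counters ;;
esac
```

Run without arguments to see the diagnostic over the constructed dump; the line `INPUT policy DROP counted 2 packets` is the signature of a packet that matched no rule. On the real box, `iptables -Z; curl ...; iptables -L -v -n | nonzero_counters` gives the same view of the live rule set, and after `--apply` the INPUT policy counter should no longer move for the loopback connection.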