IPtables 损坏，网站需要很长时间才能加载

2024-5-31 • tag-icon

我对 iptables 进行了更改以使 fail2ban 正常工作，现在我的网站加载需要很长时间。请查看我的 iptables 并为我提供解决方案。

$ sudo iptables -S output

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-N fail2ban-HTTP
-N fail2ban-apache
-N fail2ban-apache-badbots
-N fail2ban-apache-nohome
-N fail2ban-apache-noscript
-N fail2ban-apache-overflows
-N fail2ban-php-url-fopen
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-nohome
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-php-url-fopen
-A INPUT -p tcp -m tcp --dport 80 -j fail2ban-HTTP
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-badbots
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-HTTP -s 94.0.157.53/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-HTTP -s 191.96.249.80/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-HTTP -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache-badbots -j RETURN
-A fail2ban-apache-nohome -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-php-url-fopen -j RETURN
-A fail2ban-ssh -s 221.194.47.208/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN

sudo iptables -L输出：

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-apache-nohome  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-php-url-fopen  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-HTTP  tcp  --  anywhere             anywhere             tcp dpt:http
fail2ban-apache-badbots  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache-overflows  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache-noscript  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP       icmp --  anywhere             anywhere             ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ICMP (1 references)
target     prot opt source               destination

Chain TCP (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain UDP (1 references)
target     prot opt source               destination

Chain fail2ban-HTTP (1 references)
target     prot opt source               destination
REJECT     all  --  5e009d35.bb.sky.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  191.96.249.80        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-badbots (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-nohome (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-noscript (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-overflows (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-php-url-fopen (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  221.194.47.208       anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

答案1

您只打开了一个端口，即端口 22。

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

您的网站（最有可能）在端口 80 上运行。您还需要打开该端口。

答案1

相关内容