apt-get 无法与 iptables 配合使用

tag-icon tag-icon iptables linux-networking apt ubuntu-16.04
apt-get 无法与 iptables 配合使用

我安装了 iptables 并根据需要进行了配置。问题是 apt-get 不再工作了。以下是我的 Iptables ( iptables -L -n):

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  192.168.178.0/24     0.0.0.0/0            multiport dports 20,21,22
ACCEPT     tcp  --  192.168.178.0/24     0.0.0.0/0            multiport dports 53,137,138,139,445
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 53,80,443 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.178.0/24     multiport sports 20,21,22,53,137,138,139,445

例如sudo apt-get install git卡在这里:

admin@nibbler:~$ sudo apt-get install git
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  git-man liberror-perl
Suggested packages:
  git-daemon-run | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-arch git-cvs git-mediawiki git-svn
The following NEW packages will be installed:
  git git-man liberror-perl
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 3.760 kB of archives.
After this operation, 25,6 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Ign:1 http://de.archive.ubuntu.com/ubuntu xenial/main i386 liberror-perl all 0.17-1.2
0% [Connecting to de.archive.ubuntu.com]

我读了这里的几个帖子,但没有找到解决方案。有人能帮我吗?我没有看到我的错误。

我将输出链改为

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 53,80,443 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.178.0/24     multiport sports 20,21,22,53,137,138,139,445

我将日志记录添加到 OUTPUT、INPUT 和 FORWARD 链中,它给出了以下信息:

Apr 11 10:40:01 nibbler kernel: [ 1052.948383] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=64463 DF PROTO=UDP SPT=54652 DPT=53 LEN=50 
Apr 11 10:40:01 nibbler kernel: [ 1052.948407] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=64464 DF PROTO=UDP SPT=54652 DPT=53 LEN=50 
Apr 11 10:40:06 nibbler kernel: [ 1057.953476] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=106 DF PROTO=UDP SPT=54652 DPT=53 LEN=50 
Apr 11 10:40:06 nibbler kernel: [ 1057.953499] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=107 DF PROTO=UDP SPT=54652 DPT=53 LEN=50 
Apr 11 10:40:08 nibbler kernel: [ 1060.196071] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=255.255.255.255 LEN=261 TOS=0x00 PREC=0x00 TTL=64 ID=9332 PROTO=UDP SPT=17500 DPT=17500 LEN=241 
Apr 11 10:40:08 nibbler kernel: [ 1060.196655] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=192.168.178.255 LEN=261 TOS=0x00 PREC=0x00 TTL=64 ID=16345 PROTO=UDP SPT=17500 DPT=17500 LEN=241 
Apr 11 10:40:08 nibbler kernel: [ 1060.239479] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14994 PROTO=UDP SPT=5353 DPT=5353 LEN=48 
Apr 11 10:40:08 nibbler kernel: [ 1060.240904] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14995 PROTO=UDP SPT=5353 DPT=5353 LEN=48 
Apr 11 10:40:09 nibbler kernel: [ 1061.243128] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14996 PROTO=UDP SPT=5353 DPT=5353 LEN=48 
Apr 11 10:40:11 nibbler kernel: [ 1062.958890] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=930 DF PROTO=UDP SPT=39987 DPT=53 LEN=40 
Apr 11 10:40:11 nibbler kernel: [ 1062.958913] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=931 DF PROTO=UDP SPT=39987 DPT=53 LEN=40 
Apr 11 10:40:11 nibbler kernel: [ 1063.242960] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14997 PROTO=UDP SPT=5353 DPT=5353 LEN=48 
Apr 11 10:40:12 nibbler kernel: [ 1063.947249] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=192.168.178.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=57187 PROTO=UDP SPT=57621 DPT=57621 LEN=52 
Apr 11 10:40:13 nibbler kernel: [ 1065.017788] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:40:f3:82:01:fe:08:00 SRC=192.168.178.26 DST=255.255.255.255 LEN=403 TOS=0x00 PREC=0x00 TTL=64 ID=747 PROTO=UDP SPT=17500 DPT=17500 LEN=383 
Apr 11 10:40:13 nibbler kernel: [ 1065.017886] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:40:f3:82:01:fe:08:00 SRC=192.168.178.26 DST=192.168.178.255 LEN=403 TOS=0x00 PREC=0x00 TTL=64 ID=39400 PROTO=UDP SPT=17500 DPT=17500 LEN=383 
Apr 11 10:40:15 nibbler kernel: [ 1067.431341] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1189 DF PROTO=UDP SPT=44968 DPT=53 LEN=58 
Apr 11 10:40:16 nibbler kernel: [ 1067.963986] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1221 DF PROTO=UDP SPT=39987 DPT=53 LEN=40 
Apr 11 10:40:16 nibbler kernel: [ 1067.964022] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1222 DF PROTO=UDP SPT=39987 DPT=53 LEN=40 
Apr 11 10:40:17 nibbler kernel: [ 1068.610989] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:c2:83:61:08:00 SRC=192.168.178.25 DST=255.255.255.255 LEN=215 TOS=0x00 PREC=0x00 TTL=64 ID=49624 PROTO=UDP SPT=17500 DPT=17500 LEN=195 
Apr 11 10:40:17 nibbler kernel: [ 1068.611063] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:c2:83:61:08:00 SRC=192.168.178.25 DST=192.168.178.255 LEN=215 TOS=0x00 PREC=0x00 TTL=64 ID=35073 PROTO=UDP SPT=17500 DPT=17500 LEN=195 
Apr 11 10:40:20 nibbler kernel: [ 1072.436408] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1890 DF PROTO=UDP SPT=44968 DPT=53 LEN=58 
Apr 11 10:40:21 nibbler kernel: [ 1072.969138] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1949 DF PROTO=UDP SPT=52381 DPT=53 LEN=50 
Apr 11 10:40:21 nibbler kernel: [ 1072.969160] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1950 DF PROTO=UDP SPT=52381 DPT=53 LEN=50 
Apr 11 10:40:26 nibbler kernel: [ 1077.441470] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2666 DF PROTO=UDP SPT=44968 DPT=53 LEN=58 
Apr 11 10:40:26 nibbler kernel: [ 1077.974220] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2722 DF PROTO=UDP SPT=52381 DPT=53 LEN=50 
Apr 11 10:40:26 nibbler kernel: [ 1077.974242] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2723 DF PROTO=UDP SPT=52381 DPT=53 LEN=50

不确定我应该从中读出什么。

答案1

您的日志表明您正在阻止 DNS 流量。

Apr 11 10:40:21 nibbler kernel: [ 1072.969160] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1950 DF PROTO=UDP SPT=52381 DPT=53 LEN=50 
Apr 11 10:40:26 nibbler kernel: [ 1077.441470] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2666 DF PROTO=UDP SPT=44968 DPT=53 LEN=58 
Apr 11 10:40:26 nibbler kernel: [ 1077.974220] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2722 DF PROTO=UDP SPT=52381 DPT=53 LEN=50 
Apr 11 10:40:26 nibbler kernel: [ 1077.974242] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2723 DF PROTO=UDP SPT=52381 DPT=53 LEN=50

也许你有一个您要将 DNS 查询定向到的 dnsmasq 或非绑定递归解析器

允许环回接口上的流量

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

SRC=127.0.0.1或者在您的 INPUT 链中,允许和之间的 DNS 通信DST=127.0.1.1

答案2

apt-get需要dnshttp- 都存在于您的 OUTPUT 链中。我认为您需要添加ESTABLISHED到连接状态类型,因为现在您只有NEW

答案3

检查内核中是否加载了 ip_conntrack 模块以启用 ESTABLISHED 匹配。

答案4

我建议在 iptables 上使用 RAW 表。这应该会为您提供(对于任何匹配的数据包)该数据包经过的每条规则的信息。

相关内容