我安装了 iptables 并根据需要进行了配置。问题是 apt-get 不再工作了。以下是我的 Iptables ( iptables -L -n
):
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
ACCEPT tcp -- 192.168.178.0/24 0.0.0.0/0 multiport dports 20,21,22
ACCEPT tcp -- 192.168.178.0/24 0.0.0.0/0 multiport dports 53,137,138,139,445
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53,80,443 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.178.0/24 multiport sports 20,21,22,53,137,138,139,445
例如sudo apt-get install git
卡在这里:
admin@nibbler:~$ sudo apt-get install git
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
git-man liberror-perl
Suggested packages:
git-daemon-run | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-arch git-cvs git-mediawiki git-svn
The following NEW packages will be installed:
git git-man liberror-perl
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 3.760 kB of archives.
After this operation, 25,6 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Ign:1 http://de.archive.ubuntu.com/ubuntu xenial/main i386 liberror-perl all 0.17-1.2
0% [Connecting to de.archive.ubuntu.com]
我读了这里的几个帖子,但没有找到解决方案。有人能帮我吗?我没有看到我的错误。
我将输出链改为
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53,80,443 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.178.0/24 multiport sports 20,21,22,53,137,138,139,445
我将日志记录添加到 OUTPUT、INPUT 和 FORWARD 链中,它给出了以下信息:
Apr 11 10:40:01 nibbler kernel: [ 1052.948383] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=64463 DF PROTO=UDP SPT=54652 DPT=53 LEN=50
Apr 11 10:40:01 nibbler kernel: [ 1052.948407] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=64464 DF PROTO=UDP SPT=54652 DPT=53 LEN=50
Apr 11 10:40:06 nibbler kernel: [ 1057.953476] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=106 DF PROTO=UDP SPT=54652 DPT=53 LEN=50
Apr 11 10:40:06 nibbler kernel: [ 1057.953499] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=107 DF PROTO=UDP SPT=54652 DPT=53 LEN=50
Apr 11 10:40:08 nibbler kernel: [ 1060.196071] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=255.255.255.255 LEN=261 TOS=0x00 PREC=0x00 TTL=64 ID=9332 PROTO=UDP SPT=17500 DPT=17500 LEN=241
Apr 11 10:40:08 nibbler kernel: [ 1060.196655] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=192.168.178.255 LEN=261 TOS=0x00 PREC=0x00 TTL=64 ID=16345 PROTO=UDP SPT=17500 DPT=17500 LEN=241
Apr 11 10:40:08 nibbler kernel: [ 1060.239479] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14994 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Apr 11 10:40:08 nibbler kernel: [ 1060.240904] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14995 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Apr 11 10:40:09 nibbler kernel: [ 1061.243128] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14996 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Apr 11 10:40:11 nibbler kernel: [ 1062.958890] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=930 DF PROTO=UDP SPT=39987 DPT=53 LEN=40
Apr 11 10:40:11 nibbler kernel: [ 1062.958913] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=931 DF PROTO=UDP SPT=39987 DPT=53 LEN=40
Apr 11 10:40:11 nibbler kernel: [ 1063.242960] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14997 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Apr 11 10:40:12 nibbler kernel: [ 1063.947249] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=192.168.178.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=57187 PROTO=UDP SPT=57621 DPT=57621 LEN=52
Apr 11 10:40:13 nibbler kernel: [ 1065.017788] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:40:f3:82:01:fe:08:00 SRC=192.168.178.26 DST=255.255.255.255 LEN=403 TOS=0x00 PREC=0x00 TTL=64 ID=747 PROTO=UDP SPT=17500 DPT=17500 LEN=383
Apr 11 10:40:13 nibbler kernel: [ 1065.017886] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:40:f3:82:01:fe:08:00 SRC=192.168.178.26 DST=192.168.178.255 LEN=403 TOS=0x00 PREC=0x00 TTL=64 ID=39400 PROTO=UDP SPT=17500 DPT=17500 LEN=383
Apr 11 10:40:15 nibbler kernel: [ 1067.431341] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1189 DF PROTO=UDP SPT=44968 DPT=53 LEN=58
Apr 11 10:40:16 nibbler kernel: [ 1067.963986] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1221 DF PROTO=UDP SPT=39987 DPT=53 LEN=40
Apr 11 10:40:16 nibbler kernel: [ 1067.964022] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1222 DF PROTO=UDP SPT=39987 DPT=53 LEN=40
Apr 11 10:40:17 nibbler kernel: [ 1068.610989] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:c2:83:61:08:00 SRC=192.168.178.25 DST=255.255.255.255 LEN=215 TOS=0x00 PREC=0x00 TTL=64 ID=49624 PROTO=UDP SPT=17500 DPT=17500 LEN=195
Apr 11 10:40:17 nibbler kernel: [ 1068.611063] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:c2:83:61:08:00 SRC=192.168.178.25 DST=192.168.178.255 LEN=215 TOS=0x00 PREC=0x00 TTL=64 ID=35073 PROTO=UDP SPT=17500 DPT=17500 LEN=195
Apr 11 10:40:20 nibbler kernel: [ 1072.436408] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1890 DF PROTO=UDP SPT=44968 DPT=53 LEN=58
Apr 11 10:40:21 nibbler kernel: [ 1072.969138] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1949 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:21 nibbler kernel: [ 1072.969160] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1950 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:26 nibbler kernel: [ 1077.441470] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2666 DF PROTO=UDP SPT=44968 DPT=53 LEN=58
Apr 11 10:40:26 nibbler kernel: [ 1077.974220] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2722 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:26 nibbler kernel: [ 1077.974242] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2723 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
不确定我应该从中读出什么。
答案1
您的日志表明您正在阻止 DNS 流量。
Apr 11 10:40:21 nibbler kernel: [ 1072.969160] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1950 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:26 nibbler kernel: [ 1077.441470] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2666 DF PROTO=UDP SPT=44968 DPT=53 LEN=58
Apr 11 10:40:26 nibbler kernel: [ 1077.974220] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2722 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:26 nibbler kernel: [ 1077.974242] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2723 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
也许你有一个您要将 DNS 查询定向到的 dnsmasq 或非绑定递归解析器?
允许环回接口上的流量
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
SRC=127.0.0.1
或者在您的 INPUT 链中,允许和之间的 DNS 通信DST=127.0.1.1
答案2
apt-get
需要dns
和http
- 都存在于您的 OUTPUT 链中。我认为您需要添加ESTABLISHED
到连接状态类型,因为现在您只有NEW
。
答案3
检查内核中是否加载了 ip_conntrack 模块以启用 ESTABLISHED 匹配。
答案4
我建议在 iptables 上使用 RAW 表。这应该会为您提供(对于任何匹配的数据包)该数据包经过的每条规则的信息。