如何让 Apache 访问 Ubuntu 上的 ip-tables

我在一台新机器上运行了下面的脚本Ubuntu 14.04.5 x64。它工作正常，以至于 apache 按照预期阻止了我的 IP 地址，因为请求太多。但是，我的 IP 地址没有添加到iptables。我只得到一个标准的 403，但我希望数据包被丢弃而不出现错误。

我认为问题在于权限，apache无法运行ip-tables。但我无法弄清楚，因为我已授予用户apache在文件中www-data运行的权限。iptablessudoers

任何帮助都值得感激，我已经为此烦恼了一整天！

#!/bin/sh

apt-get update
apt-get -y install apache2

# Install mod evasive
apt-get -y install libapache2-mod-evasive

# Enable it
a2enmod evasive
a2enconf evasive

# Create log directory
mkdir /var/log/mod_evasive
chown -R www-data:www-data /var/log/mod_evasive

# Config for mod evasive
cat <<'EOF' > /etc/apache2/mods-available/evasive.conf
  <IfModule mod_evasive20.c>
      DOSHashTableSize     3097

      # Allow 5 requests for the same resource request per second. Per-IP
      DOSPageCount          5
      DOSPageInterval       1

      # Allow up to 50 requests across the domain per second. Per-IP
      DOSSiteCount          50
      DOSSiteInterval       1

      # Block user by IP for 60 minutes
      DOSBlockingPeriod     60

      DOSSystemCommand      "sudo /usr/local/bin/ban_ip.sh %s"

      DOSLogDir             /var/log/mod_evasive
      DOSWhitelist          188.88.90.71
      DOSWhitelist          188.88.90.72
      DOSWhitelist          188.88.90.73
  </IfModule>
EOF

# Config for banning users
cat <<'EOF' > /usr/local/bin/ban_ip.sh
#!/bin/sh

# Offending IP as detected by mod_evasive
IP=$1

# Path to iptables binary executed by user www-data through sudo
IPTABLES="/sbin/iptables"

# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/log/mod_evasive

# Add the following firewall rule (block IP)
sudo $IPTABLES -I INPUT -s $IP -j DROP

# Unblock offending IP after 2 hours through the 'at' command; see 'man at' for further details
echo "sudo $IPTABLES -D INPUT -s $IP -j DROP" | sudo at now + 1 minute

# Remove lock file for future checks
sudo rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"
EOF

echo 'www-data ALL=NOPASSWD: /sbin/iptables *, /usr/bin/at *' | EDITOR='tee -a' visudo