IPTables blocks a port despite an allow rule

I have an iptables.sh file that lets me quickly modify my iptables and use variables.

Everything was going fine until I noticed that my private home network (a mix of *nix and Windows boxes plus Android devices) was making a lot of connections to my Ubuntu server.

In my iptables I set the following variables.

THIS_HOST="192.168.1.116"
WORK="XX.XX.XX.XX"
HOME_NETWORK="192.168.1.0/24"

Then I have an entry that allows my Home_Network to connect to port 1900

#Accept Some UPN Discovery Connections
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT

This entry isn't working, because the following shows up in my syslog:

Apr  4 15:54:39 zues kernel: [331454.549383] Firewalled packet: IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:cc:52:af:41:64:68:08:00 SRC=192.168.1.248 DST=239.255.255.250 LEN=188 TOS=0x00 PREC=0x00 TTL=2 ID=22168 PROTO=UDP SPT=1823 DPT=1900 LEN=168

I know the variables work, because this entry works fine:

#accept some ssh connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 22 -j ACCEPT

When I do

sudo iptables -L

I get:

ACCEPT     udp  --  192.168.1.0/24       Zeus*(THIS_HOST)*                 state NEW udp dpt:1900

As requested, here is the full iptables.sh file

#!/bin/bash

################################################################
#Insert modules- should be done automatically if needed
dmesg -n 1 #Kill copyright display on module load
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp #for PASV ftp

IPTABLES="/sbin/iptables"
THIS_HOST="192.168.1.116"
LOCAL_HOST="127.0.0.1"
WORK="XX.XX.XXX.18"
HOME_NETWORK="192.168.1.0/24"
#EXTRA_IP_FOR_SSH="$Work"
#EXTRA_IP_FOR_SSH=""
#EXTRA_IP_FOR_MYSQL=""

$IPTABLES -F

#Kill ANY stupid packets, including
#-Packets that are too short to have a full ICMP/UDP/TCP header
#- TCP and UDP packets with zero (illegal) source and destination ports
#-Illegal combinations of TCP flags
#-Zero-length (illegal) or over-length TCP and IP options,
# or options after the END-OF-OPTIONS option
#-Fragments of illegal length or offset (e.g., Ping of Death).
#Above list ripped from
#http://www.linux-mag.com/2000-01/bestdefense_02.html
#$IPTABLES -A INPUT -m unclean -j DROP
#$IPTABLES -A FORWARD -m unclean -j DROP

#Allow Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Allow Outgoing DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

#Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

#block enemies
$IPTABLES -A INPUT -s "91.65.221.109" -j DROP

#Block Port Hammers
$IPTABLES -A INPUT -s "58.218.201.189" -j DROP
$IPTABLES -A INPUT -s "185.222.211.44" -j DROP
#$IPTABLES -A INPUT -s "61.78.245.0/24" -j DROP
#$IPTABLES -A INPUT -s "218.146.209.182" -j DROP
#$IPTABLES -A INPUT -s "220.77.44.229" -j DROP
#$IPTABLES -A INPUT -s "61.75.224.41" -j DROP

#Accept Some UPN Discovery Connections
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT

#ICMP
#ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
#Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT

#allow established and related connections to continue
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -d 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -d $THIS_HOST -j ACCEPT

#this is "bif"
#procmail sends a biff/comsat message via udp on port 512 every time it delivers a message to a user's mailbox
#$IPTABLES -A INPUT -p UDP -s 127.0.0.1 -d 127.0.0.1 --dport 512 -j REJECT

#allow spamassassin to talk to spamd
#$IPTABLES -A INPUT -p TCP -s 127.0.0.1 -d 127.0.0.1 --dport 783 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -s 127.0.0.1 -d 127.0.0.1 --sport 783 -j ACCEPT

#accept some httpd connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

#accept some httpsd connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 443 -j ACCEPT

#accept some ssh connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME -d $THIS_HOST --dport 22 -j ACCEPT   # $HOME is the shell's home-directory variable, not a network; iptables rejects it, so this line is disabled
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#if [ "$EXTRA_IP_FOR_SSH" != "" ]; then
#        $IPTABLES -A INPUT -m state --state NEW -p TCP -s $EXTRA_IP_FOR_SSH -d $THIS_HOST --dport 22 -j ACCEPT
#fi

#accept some ftp connections
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 21 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 21 -j ACCEPT

#Accept Some Vino/VNC Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $WORK -d $THIS_HOST --dport 5900 -j ACCEPT

#Accept Some Samba Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 139 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 445 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 137 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 138 -j ACCEPT

#Accept Some MYTHTV Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 6543 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 6544 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 3306 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 6543 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 6544 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 3306 -j ACCEPT

#Accept Some UPN Discovery Connections
#$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT

#Accept Some Mosquitto Connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 1883 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 1883 -j ACCEPT
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 8883 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 8883 -j ACCEPT
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 8083 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 8083 -j ACCEPT

#Accept Some Test Connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 56665 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 1823 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1823 -j ACCEPT

#Accept Some Minecraft Connections


#Accept Some UT2K4 Connections




#accept some mysql connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $THIS_HOST -d $THIS_HOST --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 3306 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $OFFICE2 -d $THIS_HOST --dport 3306 -j ACCEPT
#if [ "$EXTRA_IP_FOR_MYSQL" != "" ]; then
#        $IPTABLES -A INPUT -m state --state NEW -p TCP -s $EXTRA_IP_FOR_MYSQL -d $THIS_HOST --dport 3306 -j ACCEPT
#fi

#SMTP server
#accept connections from the world
#smtp  One per second limit - burst rate of ten
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

#pop server
#$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -d 127.0.0.1 --dport 110 -j ACCEPT

#snmp
#$IPTABLES -A INPUT -p udp -s 205.189.48.232 --dport 161 -j ACCEPT


####################################################################
# that's it for specific port openings
# now we just log everything and drop it
####################################################################

#Drop all packets from Private IP Address space
## Class A Reserved
$IPTABLES -A OUTPUT -d 10.0.0.0/8 -j DROP

## Class B Reserved
$IPTABLES -A OUTPUT -d 172.16.0.0/12 -j DROP

## Class C Reserved
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -j ACCEPT

## Class D Reserved
$IPTABLES -A OUTPUT -d 224.0.0.0/4 -j DROP

## Class E Reserved
$IPTABLES -A OUTPUT -d 240.0.0.0/5 -j DROP


##Some ports should be denied and logged.
$IPTABLES -A INPUT -p tcp --dport 515 -m limit -j LOG \
                                       --log-prefix "L1on attack"
$IPTABLES -A INPUT -p tcp --dport 515 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG \
                                       --log-prefix "Deepthroat scan"
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG \
                                       --log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG \
                                       --log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG \
                                       --log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP

$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG \
                                       --log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG \
                                       --log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG \
                                       --log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG \
                                       --log-prefix "Back orifice scan"
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP

$IPTABLES -A INPUT -p tcp --dport 6000  -m limit -j LOG \
                                       --log-prefix "X-Windows Port"
$IPTABLES -A INPUT -p tcp --dport 6000  -j DROP


$IPTABLES -A INPUT -p tcp --dport 9704 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A INPUT -p tcp --dport 9704 -j DROP

$IPTABLES -A INPUT -p tcp --sport 9704 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A INPUT -p tcp --sport 9704 -j DROP
  ## NetBus and NetBus Pro

$IPTABLES -A INPUT -p tcp --dport 20034 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "NetBus Pro:"
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "NetBus:"

  ## Trinoo
$IPTABLES -A INPUT -p tcp --sport 27665 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p tcp --dport 27665 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p tcp --sport 27665 -j DROP
$IPTABLES -A INPUT -p tcp --dport 27665 -j DROP

$IPTABLES -A INPUT -p udp --sport 27444 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --dport 27444 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --sport 27444 -j DROP
$IPTABLES -A INPUT -p udp --dport 27444 -j DROP

$IPTABLES -A INPUT -p udp --sport 31335 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --dport 31335 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --sport 31335 -j DROP
$IPTABLES -A INPUT -p udp --dport 31335 -j DROP



  ## Back Orifice
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A INPUT -p udp --dport 31337 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p udp --dport 31337 -j DROP

$IPTABLES -A INPUT -p tcp --sport 31337 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A INPUT -p udp --sport 31337 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A INPUT -p tcp --sport 31337 -j DROP
$IPTABLES -A INPUT -p udp --sport 31337 -j DROP

#Traceroutes depend on finding a rejected port.  DROP the ones it uses
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP

#Don't log ident because it gets hit all the time eg connecting to an irc server
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT


#drop netbios lookups
#don't bother logging them, since they're innocent and frequent
$IPTABLES -A INPUT -p tcp --dport 137 -j DROP
$IPTABLES -A INPUT -p udp --dport 137 -j DROP


##i don't want these logged - there's just too many of them
$IPTABLES -A INPUT -p UDP --dport 67  -j DROP
$IPTABLES -A INPUT -p UDP --dport 138  -j DROP

##Catch all rules.
#iptables reverts to these if it hasn't matched any of the previous rules.
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG  \
        --log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -m limit --limit 5/minute -j LOG \
        --log-prefix "Firewalled packet:"
#Reject
$IPTABLES -A INPUT -p all -j DROP
$IPTABLES -A FORWARD -p all -j REJECT

#Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT

Answer 1

The rules look fine. I've run into some problems in the past that may be what's going wrong here. When you append rules (-A INPUT) they are added to the end of the chain. Check whether you already have something there that drops the packet before it reaches your rule. Instead, try inserting the rule...

iptables -I INPUT ......
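As an added illustration (editor's example, not code from the question, the answer, or the iptables project): a small Python model of first-match evaluation over an INPUT chain. It parses the kernel LOG line quoted in the question, reports which condition of the port-1900 allow rule the logged packet fails, and walks a subset of the script's UDP-relevant INPUT rules in script order, so the effect of appending (-A) versus inserting (-I) that rule can be compared. The rule subset, the omission of state and interface matches, and the final rule whose destination is the 239.255.255.250 multicast group seen in the log are assumptions of this model, not content of the script.

```python
"""First-match walk of a simplified iptables INPUT chain over a netfilter LOG line."""
import ipaddress
import re

# Constructed sample input: the syslog line from the question, carrying the
# "Firewalled packet:" prefix of the script's catch-all LOG rule.
LOG_LINE = (
    "Apr  4 15:54:39 zues kernel: [331454.549383] Firewalled packet: IN=eth0 OUT= "
    "MAC=01:00:5e:7f:ff:fa:cc:52:af:41:64:68:08:00 SRC=192.168.1.248 "
    "DST=239.255.255.250 LEN=188 TOS=0x00 PREC=0x00 TTL=2 ID=22168 PROTO=UDP "
    "SPT=1823 DPT=1900 LEN=168"
)

# Variables as set in the question's script.
THIS_HOST = "192.168.1.116"
HOME_NETWORK = "192.168.1.0/24"


def parse_nflog(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict.

    LEN appears twice (IP total length, then UDP length); the later value wins,
    which is harmless for the fields matched below (SRC, DST, PROTO, DPT).
    """
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))


def make_rule(target, proto=None, src=None, dst=None, dport=None, log_prefix=None):
    """Build a rule dict; src/dst are CIDR strings, a bare host address means /32."""
    return {"target": target, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "log_prefix": log_prefix}


def failed_conditions(rule, pkt):
    """List the match conditions of `rule` that the packet does NOT satisfy."""
    failures = []
    if rule["proto"] and rule["proto"].lower() != pkt["PROTO"].lower():
        failures.append(f"proto {pkt['PROTO']} != {rule['proto']}")
    for key, field in (("src", "SRC"), ("dst", "DST")):
        net = rule[key]
        if net and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(net, strict=False):
            failures.append(f"{key} {pkt[field]} not in {net}")
    if rule["dport"] is not None and int(pkt.get("DPT", -1)) != rule["dport"]:
        failures.append(f"dport {pkt.get('DPT')} != {rule['dport']}")
    return failures


def walk_chain(chain, pkt):
    """Evaluate `chain` first-match style.

    LOG is non-terminating (the walk continues past it); ACCEPT/DROP/REJECT end
    the walk. Returns (verdict, index_of_terminating_rule, log_prefixes_hit).
    """
    prefixes = []
    for idx, r in enumerate(chain):
        if failed_conditions(r, pkt):
            continue
        if r["target"] == "LOG":
            prefixes.append(r["log_prefix"])
            continue
        return r["target"], idx, prefixes
    return "POLICY", None, prefixes  # fell off the end: the chain's default policy applies


# Assumed subset: the script's INPUT rules that could match a UDP packet, in
# script order. State (-m state) and interface (-i) matches are not modelled.
INPUT_CHAIN = [
    make_rule("ACCEPT", proto="udp", src=HOME_NETWORK, dst=THIS_HOST, dport=1900),  # UPN Discovery
    make_rule("ACCEPT", proto="udp", src=HOME_NETWORK, dst=THIS_HOST, dport=137),   # Samba
    make_rule("ACCEPT", proto="udp", src=HOME_NETWORK, dst=THIS_HOST, dport=138),   # Samba
    make_rule("ACCEPT", proto="udp", dst=THIS_HOST, dport=1883),                    # Mosquitto
    make_rule("DROP", proto="udp", dport=137),                                      # netbios lookups
    make_rule("DROP", proto="udp", dport=138),
    make_rule("LOG", log_prefix="Firewalled packet:"),                              # catch-all LOG
    make_rule("DROP"),                                                              # catch-all DROP
]


def explain_upnp_rule(line=LOG_LINE):
    """Which conditions of the port-1900 allow rule does the logged packet fail?"""
    return failed_conditions(INPUT_CHAIN[0], parse_nflog(line))


def verdict(chain=INPUT_CHAIN, line=LOG_LINE):
    return walk_chain(chain, parse_nflog(line))


def with_rule_inserted(chain, r):
    """`iptables -I INPUT` semantics: the rule goes to the head of the chain."""
    return [r] + list(chain)


if __name__ == "__main__":
    pkt = parse_nflog(LOG_LINE)
    print("packet:", {k: pkt[k] for k in ("SRC", "DST", "PROTO", "DPT")})
    print("port-1900 rule fails on:", explain_upnp_rule())
    print("verdict, rule appended (-A):", verdict())
    print("verdict, same rule inserted (-I):",
          verdict(with_rule_inserted(INPUT_CHAIN, INPUT_CHAIN[0])))
    # Assumed variant: a rule whose destination is the multicast group in the log.
    ssdp = make_rule("ACCEPT", proto="udp", src=HOME_NETWORK, dst="239.255.255.250", dport=1900)
    print("verdict, multicast-destination rule inserted:", verdict(with_rule_inserted(INPUT_CHAIN, ssdp)))
```

Run it as a script to see, for the logged packet, the single failing condition of the port-1900 rule, the catch-all LOG and DROP it reaches in the appended chain, and the different verdicts for the two inserted variants. The model is deliberately coarse: real iptables also evaluates `-m state`, `-i`, and any chains the packet passed through earlier, so use `iptables -L -v -n --line-numbers` on the host to confirm counters and rule order.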
