平台:Linux {hostname} 3.13.0-145-generic #194-Ubuntu SMP 星期四 4 月 5 日 15:20:44 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
系统不允许使用 REJECT 作为 --jump 目标。
根据 iptables-extensions,这对 IPv4 有效。此外,根据上述内容,iptables-extensions 被标识为已纳入我安装的发行版的 iptables 中。
有谁知道为什么这不起作用?
是否有一个内核参数需要我设置才能被接受?或者... 是否有一个内核参数,如果设置,会导致 DROP 在所有情况下都采用 REJECT 立场?
我正在尝试使用该 REJECT 选项来弄清楚为什么我的防火墙脚本不允许传出的数据包返回,或者只是不识别/连接远程主机的 URL 目标。
我尝试为桌面建立的脚本如下:
#!/bin/sh
# v0.04 2018-04-25
#============================== Initialize Script ===========================
if [ "${1}" = "-x" ]
then
set -x
DENY_MODE="REJECT --reject-with icmp-host-unreachable"
else
DENY_MODE="DROP"
fi
#
# Use system-specified command for iptables
#
IPv4=`which iptables`
IPv6=`which ip6tables`
#============================== 100 series ==================================
#
# IPv6 is only allowed on passthru servers, routers or bastion hosts
# Rule # 100
${IPv6} --policy ${DENY_MODE}
${IPv6} --flush
${IPv6} --zero
#
# Initialize NAT table
# Rule # 130
#${IPv4} --table nat --policy ACCEPT
${IPv4} --table nat --flush
${IPv4} --table nat --zero
#
# Initialize MANGLE table
# Rule # 140
#${IPv4} --table mangle --policy ACCEPT
${IPv4} --table mangle --flush
${IPv4} --table mangle --zero
#
# FORWARD is only allowed on passthru servers, routers or bastion hosts - no logging of dropped FORWARD packets
# Rule # 150
${IPv4} --policy FORWARD ${DENY_MODE}
${IPv4} --flush FORWARD
${IPv4} --zero FORWARD
#
# Initialize INPUT chain
# Rule # 151
#${IPv4} --policy INPUT ACCEPT
${IPv4} --policy INPUT ${DENY_MODE}
${IPv4} --flush INPUT
${IPv4} --zero INPUT
#
# Initialize OUTPUT chain
# Rule # 152
${IPv4} --policy OUTPUT ${DENY_MODE}
${IPv4} --flush OUTPUT
${IPv4} --zero OUTPUT
#============================== 400 series ==================================
#
# All fragmented packets are either unusable or potentially toxic
# Rule # 400
#${IPv4} --append INPUT --fragment --jump ${DENY_MODE}
${IPv4} --table raw --append PREROUTING --fragment --jump ${DENY_MODE}
#
# Need DNS for desktop outgoing web requests
# Rule # 401
${IPv4} --append OUTPUT -o eth0 --protocol udp --dport 53 --jump ACCEPT
${IPv4} --append INPUT -i eth0 --protocol udp --sport 53 --jump ACCEPT
#
# FUTURES: incorporating WAN-based DHCP for dynamic IP assignment
# Rule # 402
#${IPv4} --append INPUT -p icmp -s ${DHCP_broker} --jump ACCEPT
#${IPv4} --append INPUT -i ${WAN_IP} -s ${DHCP_broker} --protocol tcp --sport 68 --dport 67 --jump ACCEPT
#${IPv4} --append INPUT -i ${WAN_IP} -s ${DHCP_broker} --protocol udp --sport 68 --dport 67 --jump ACCEPT
#============================== 700 series ==================================
#
# Allow outgoing internet connections and verify incoming packet state to only allow associated replies
# Rule 700 - TCP
${IPv4} --flush NOGO_700
${IPv4} --delete-chain NOGO_700
${IPv4} --new-chain NOGO_700
#
${IPv4} --append OUTPUT --protocol tcp --match conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --protocol tcp --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --protocol tcp --match conntrack ! --ctstate ESTABLISHED,RELATED --jump NOGO_700
${IPv4} --append NOGO_700 --jump LOG --log-level 4 --log-prefix "DROP_ESTa: "
${IPv4} --append NOGO_700 --jump ${DENY_MODE}
#
# Allow outgoing internet connections and verify incoming packet state to only allow associated replies
# Rule 701 - UDP
${IPv4} --flush NOGO_701
${IPv4} --delete-chain NOGO_701
${IPv4} --new-chain NOGO_701
#
${IPv4} --append OUTPUT --protocol udp --match conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --protocol udp --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --protocol udp --match conntrack ! --ctstate ESTABLISHED,RELATED --jump NOGO_701
${IPv4} --append NOGO_701 --jump LOG --log-level 4 --log-prefix "DROP_ESTb: "
${IPv4} --append NOGO_701 --jump ${DENY_MODE}
#
# Allow outgoing internet connections and verify incoming packet state to only allow associated replies
# Rule 702 - All others unrelated to protocols
# (Review reasons for not allowing RELATED and implement if warranted)
${IPv4} --flush NOGO_702
${IPv4} --delete-chain NOGO_702
${IPv4} --new-chain NOGO_702
#
${IPv4} --append OUTPUT --match conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --match conntrack ! --ctstate ESTABLISHED --jump NOGO_702
${IPv4} --append NOGO_702 --jump LOG --log-level 4 --log-prefix "DROP_ESTc: "
${IPv4} --append NOGO_702 --jump ${DENY_MODE}
#============================== 200 series ==================================
#
# Loopback is critical to host internal processes (FUTURES: mechanisms to ensure legit traffic only on loopback
# Rule 200
# (something wrong here, fallback to basic loopback passthru)
${IPv4} --flush NOGO_200
${IPv4} --delete-chain NOGO_200
${IPv4} --new-chain NOGO_200
${IPv4} --append INPUT -i eth0 -s 127.0.0.0/8 --jump NOGO_200
${IPv4} --append INPUT -i lo ! -s 127.0.0.0/8 --jump NOGO_200
${IPv4} --append INPUT -i lo -s 127.0.0.0/8 --jump ACCEPT
${IPv4} --append NOGO_200 --jump LOG --log-level 4 --log-prefix "DROP_LOOPBACK: "
${IPv4} --append NOGO_200 --jump ${DENY_MODE}
#============================== 300 series ==================================
#
# INVALID packets should be ignored
# Rule 300
${IPv4} --flush NOGO_300
${IPv4} --delete-chain NOGO_300
${IPv4} --new-chain NOGO_300
${IPv4} --append INPUT --match conntrack --ctstate INVALID --jump NOGO_300
${IPv4} --append NOGO_300 --jump LOG --log-level 4 --log-prefix "DROP_INVALID: "
${IPv4} --append NOGO_300 --jump ${DENY_MODE}
#
# BOGON packets should be ignored
# Rule 301
${IPv4} --flush NOGO_301
${IPv4} --delete-chain NOGO_301
${IPv4} --new-chain NOGO_301
#???# ${IPv4} --append INPUT -i eth0 -s 192.168.0.0/16 --jump NOGO_301 # (C) Own LAN IP/mask ????
${IPv4} --append INPUT -i eth0 -s 192.0.2.0/24 --jump NOGO_301 ### ???
#
${IPv4} --append INPUT -i eth0 -s 10.0.0.0/8 --jump NOGO_301 # (A)
${IPv4} --append INPUT -i eth0 -s 172.16.0.0/12 --jump NOGO_301 # (B)
${IPv4} --append INPUT -i eth0 -s 224.0.0.0/4 --jump NOGO_301 # (D MULTICAST)
${IPv4} --append INPUT -i eth0 -s 240.0.0.0/5 --jump NOGO_301 # (E)
#
${IPv4} --append INPUT -i eth0 -s 169.254.0.0/16 --jump NOGO_301 ### ???
${IPv4} --append NOGO_301 --jump LOG --log-level 4 --log-prefix "DROP_BOGON: "
${IPv4} --append NOGO_301 --jump ${DENY_MODE}
#============================== 900 series ==================================
#
# Drop everything that did not match above or log then drop tem
# Rule 999
# Track ignored INPUT
${IPv4} --append INPUT --jump LOG --log-level 4 --log-prefix "DROP_INPUT: "
${IPv4} --append INPUT --jump ${DENY_MODE}
# Track ignored OUTPUT
${IPv4} --append OUTPUT --jump LOG --log-level 4 --log-prefix "DROP_OUTPUT: "
${IPv4} --append OUTPUT --jump ${DENY_MODE}
#============================== Housekeeping ================================
#
# Save image of latest ruleset for restore at next reboot
# Rule 999+
#${IPv4}-save >/dev/null 2>&1
#${IPv6}-save >/dev/null 2>&1
#
# Display latest ruleset
# Rule 999+
#${IPv4} -n -L -v --line-numbers
#${IPv6} -n -L -v --line-numbers
#===================================================================================
# END OR PROGRAM
#===================================================================================
exit 0
提前感谢您的帮助。
答案1
您正在尝试将内置链的策略设置为REJECT --reject-with icmp-host-unreachable
。但这不起作用。
从iptables
手册页中:
-P, --policy chain target
Set the policy for the built-in (non-user-defined) chain to the
given target. The policy target must be either ACCEPT or DROP.
如果您想拒绝特定的 ICMP 消息,您可以创建一条拒绝规则作为该链中的最后一条规则。
(当然,您真的不应该再手动构建防火墙了。)