iptable — 拒绝目标 — 不被接受为有效目标

iptable — 拒绝目标 — 不被接受为有效目标

平台:Linux {hostname} 3.13.0-145-generic #194-Ubuntu SMP 星期四 4 月 5 日 15:20:44 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

系统不允许使用 REJECT 作为 --jump 目标。

根据 iptables-extensions,这对 IPv4 有效。此外,根据上述内容,iptables-extensions 被标识为已纳入我安装的发行版的 iptables 中。

有谁知道为什么这不起作用?

是否有一个内核参数需要我设置才能被接受?或者... 是否有一个内核参数,如果设置,会导致 DROP 在所有情况下都采用 REJECT 立场?

我正在尝试使用该 REJECT 选项来弄清楚为什么我的防火墙脚本不允许传出的数据包返回,或者只是不识别/连接远程主机的 URL 目标。

我尝试为桌面建立的脚本如下:

#!/bin/sh

# v0.04  2018-04-25

#============================== Initialize Script ===========================
if [ "${1}" = "-x" ]
then
    set -x
    DENY_MODE="REJECT --reject-with icmp-host-unreachable"
else
    DENY_MODE="DROP"
fi

#
#    Use system-specified command for iptables
#
IPv4=`which iptables`
IPv6=`which ip6tables`



#============================== 100 series ==================================
#
#    IPv6 is only allowed on passthru servers, routers or bastion hosts
#    Rule # 100
${IPv6} --policy ${DENY_MODE}
${IPv6} --flush
${IPv6} --zero



#
#    Initialize NAT table
#    Rule # 130
#${IPv4} --table nat --policy ACCEPT
${IPv4} --table nat --flush
${IPv4} --table nat --zero



#
#    Initialize MANGLE table
#    Rule # 140
#${IPv4} --table mangle --policy ACCEPT
${IPv4} --table mangle --flush
${IPv4} --table mangle --zero



#
#    FORWARD is only allowed on passthru servers, routers or bastion hosts  -  no logging of dropped FORWARD packets
#    Rule # 150
${IPv4} --policy FORWARD ${DENY_MODE}
${IPv4} --flush FORWARD
${IPv4} --zero FORWARD



#
#    Initialize INPUT chain
#    Rule # 151
#${IPv4} --policy INPUT ACCEPT
${IPv4} --policy INPUT ${DENY_MODE}
${IPv4} --flush INPUT
${IPv4} --zero INPUT



#
#    Initialize OUTPUT chain
#    Rule # 152
${IPv4} --policy OUTPUT ${DENY_MODE}
${IPv4} --flush OUTPUT
${IPv4} --zero OUTPUT



#============================== 400 series ==================================
#
#    All fragmented packets are either unusable or potentially toxic
#    Rule # 400
#${IPv4} --append INPUT --fragment --jump ${DENY_MODE}
${IPv4} --table raw --append PREROUTING --fragment --jump ${DENY_MODE}



#
#    Need DNS for desktop outgoing web requests
#    Rule # 401
${IPv4} --append OUTPUT -o eth0 --protocol udp --dport 53 --jump ACCEPT
${IPv4} --append INPUT  -i eth0 --protocol udp --sport 53 --jump ACCEPT



#
#    FUTURES:  incorporating WAN-based DHCP for dynamic IP assignment
#    Rule # 402
#${IPv4} --append INPUT -p icmp      -s ${DHCP_broker} --jump ACCEPT
#${IPv4} --append INPUT -i ${WAN_IP} -s ${DHCP_broker} --protocol tcp --sport 68 --dport 67 --jump ACCEPT
#${IPv4} --append INPUT -i ${WAN_IP} -s ${DHCP_broker} --protocol udp --sport 68 --dport 67 --jump ACCEPT



#============================== 700 series ==================================
#
#    Allow outgoing internet connections and verify incoming packet state to only allow associated replies
#    Rule 700 - TCP
${IPv4} --flush NOGO_700
${IPv4} --delete-chain NOGO_700
${IPv4} --new-chain NOGO_700
#
${IPv4} --append OUTPUT --protocol tcp --match conntrack   --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --protocol tcp --match conntrack   --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --protocol tcp --match conntrack ! --ctstate ESTABLISHED,RELATED --jump NOGO_700
${IPv4} --append NOGO_700 --jump LOG --log-level 4 --log-prefix "DROP_ESTa:  "
${IPv4} --append NOGO_700 --jump ${DENY_MODE}



#
#    Allow outgoing internet connections and verify incoming packet state to only allow associated replies
#    Rule 701 - UDP
${IPv4} --flush NOGO_701
${IPv4} --delete-chain NOGO_701
${IPv4} --new-chain NOGO_701
#
${IPv4} --append OUTPUT --protocol udp --match conntrack   --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --protocol udp --match conntrack   --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --protocol udp --match conntrack ! --ctstate ESTABLISHED,RELATED --jump NOGO_701
${IPv4} --append NOGO_701 --jump LOG --log-level 4 --log-prefix "DROP_ESTb:  "
${IPv4} --append NOGO_701 --jump ${DENY_MODE}



#
#    Allow outgoing internet connections and verify incoming packet state to only allow associated replies
#    Rule 702 - All others unrelated to protocols
# (Review reasons for not allowing RELATED and implement if warranted)
${IPv4} --flush NOGO_702
${IPv4} --delete-chain NOGO_702
${IPv4} --new-chain NOGO_702
#
${IPv4} --append OUTPUT --match conntrack   --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --match conntrack   --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT  --match conntrack ! --ctstate ESTABLISHED --jump NOGO_702
${IPv4} --append NOGO_702 --jump LOG --log-level 4 --log-prefix "DROP_ESTc:  "
${IPv4} --append NOGO_702 --jump ${DENY_MODE}






#============================== 200 series ==================================
#
#    Loopback is critical to host internal processes        (FUTURES:  mechanisms to ensure legit traffic only on loopback
#    Rule 200
#  (something wrong here, fallback to basic loopback passthru)
${IPv4} --flush NOGO_200
${IPv4} --delete-chain NOGO_200
${IPv4} --new-chain NOGO_200
${IPv4} --append INPUT -i eth0 -s 127.0.0.0/8  --jump NOGO_200
${IPv4} --append INPUT -i lo ! -s 127.0.0.0/8  --jump NOGO_200
${IPv4} --append INPUT -i lo -s 127.0.0.0/8 --jump ACCEPT
${IPv4} --append NOGO_200 --jump LOG --log-level 4 --log-prefix "DROP_LOOPBACK:  "
${IPv4} --append NOGO_200 --jump ${DENY_MODE}



#============================== 300 series ==================================
#
#    INVALID packets should be ignored
#    Rule 300
${IPv4} --flush NOGO_300
${IPv4} --delete-chain NOGO_300
${IPv4} --new-chain NOGO_300
${IPv4} --append INPUT --match conntrack --ctstate INVALID --jump NOGO_300
${IPv4} --append NOGO_300 --jump LOG --log-level 4 --log-prefix "DROP_INVALID:  "
${IPv4} --append NOGO_300 --jump ${DENY_MODE}



#
#    BOGON packets should be ignored
#    Rule 301
${IPv4} --flush NOGO_301
${IPv4} --delete-chain NOGO_301
${IPv4} --new-chain NOGO_301

#???#    ${IPv4} --append INPUT -i eth0 -s 192.168.0.0/16  --jump NOGO_301        # (C)  Own LAN IP/mask ????

${IPv4} --append INPUT -i eth0 -s 192.0.2.0/24  --jump NOGO_301                    ### ???
#
${IPv4} --append INPUT -i eth0 -s 10.0.0.0/8  --jump NOGO_301        # (A)
${IPv4} --append INPUT -i eth0 -s 172.16.0.0/12  --jump NOGO_301        # (B)
${IPv4} --append INPUT -i eth0 -s 224.0.0.0/4  --jump NOGO_301        # (D MULTICAST)
${IPv4} --append INPUT -i eth0 -s 240.0.0.0/5  --jump NOGO_301        # (E)
#
${IPv4} --append INPUT -i eth0 -s 169.254.0.0/16  --jump NOGO_301                ### ???
${IPv4} --append NOGO_301 --jump LOG --log-level 4 --log-prefix "DROP_BOGON:  "
${IPv4} --append NOGO_301 --jump ${DENY_MODE}








#============================== 900 series ==================================
#
#    Drop everything that did not match above or log then drop tem
#    Rule 999
#        Track ignored INPUT
${IPv4} --append INPUT --jump LOG --log-level 4 --log-prefix "DROP_INPUT:  "
${IPv4} --append INPUT --jump ${DENY_MODE}
#        Track ignored OUTPUT
${IPv4} --append OUTPUT --jump LOG --log-level 4 --log-prefix "DROP_OUTPUT:  "
${IPv4} --append OUTPUT --jump ${DENY_MODE}


#============================== Housekeeping ================================
#
#    Save image of latest ruleset for restore at next reboot
#    Rule 999+
#${IPv4}-save >/dev/null 2>&1
#${IPv6}-save >/dev/null 2>&1


#
#    Display latest ruleset
#    Rule 999+
#${IPv4}  -n -L -v --line-numbers
#${IPv6}  -n -L -v --line-numbers


#===================================================================================
#    END OR PROGRAM
#===================================================================================

exit 0

提前感谢您的帮助。

答案1

您正在尝试将内置链的策略设置为REJECT --reject-with icmp-host-unreachable。但这不起作用。

iptables手册页中:

       -P, --policy chain target
              Set  the policy for the built-in (non-user-defined) chain to the
              given target.  The policy target must be either ACCEPT or DROP.

如果您想拒绝特定的 ICMP 消息,您可以创建一条拒绝规则作为该链中的最后一条规则。

(当然,您真的不应该再手动构建防火墙了。)

相关内容