Solved - IPTables INPUT DROP and open ports

I host a mail server (Postfix, Postfix Admin, Dovecot), a Minecraft server and a Discord bot, and I am trying to create a firewall with DROP on INPUT and OUTPUT. With this configuration, however, everything stops working: for example, with port 143 open, my Roundcube still cannot connect to the IMAP server; the same goes for the Minecraft server, I load port 25565 but it stops there; the Discord bot cannot connect to the Discord servers (which should be HTTP); and if I set OUTPUT DROP, it stops all connections, including my SSH (custom port 2233). Any help?

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1988
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1988
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8192
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8192
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
bungee     tcp  --  anywhere             anywhere             tcp dpt:25562
bungee     tcp  --  anywhere             anywhere             tcp dpt:25579
bungee     tcp  --  anywhere             anywhere             tcp dpt:25569
bungee     tcp  --  anywhere             anywhere             tcp dpt:25563
bungee     tcp  --  anywhere             anywhere             tcp dpt:25567
bungee     tcp  --  anywhere             anywhere             tcp dpt:41310
bungee     tcp  --  anywhere             anywhere             tcp dpt:41311
bungee     tcp  --  anywhere             anywhere             tcp dpt:41312
bungee     tcp  --  anywhere             anywhere             tcp dpt:25999
bungee     tcp  --  anywhere             anywhere             tcp dpt:25564
bungee     tcp  --  anywhere             anywhere             tcp dpt:30801
bungee     tcp  --  anywhere             anywhere             tcp dpt:30802
bungee     tcp  --  anywhere             anywhere             tcp dpt:30803
bungee     tcp  --  anywhere             anywhere             tcp dpt:30810
bungee     tcp  --  anywhere             anywhere             tcp dpt:25342
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8183
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8182
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8181
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8191
ACCEPT     udp  --  anywhere             anywhere             udp dpt:587
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8183
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8182
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8183
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8182
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8181
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8183
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8182
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25565
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:443
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:80
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:smtp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:imap2 state ESTABLISHED

Chain bungee (15 references)
target     prot opt source               destination
ACCEPT     all  --  vmi294204.contaboserver.net  anywhere
ACCEPT     all  --  localhost            anywhere
DROP       all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Answer 1

You are missing some standard firewall rules that are present in almost every rule set:

iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

You certainly want to allow all traffic through the loopback device (it comes from the server itself) and allow every established connection (which you have already accepted once). For performance reasons these rules are usually the first ones.

In your OUTPUT chain all ports are in the wrong direction (--dport instead of --sport).

Setting a DROP policy for OUTPUT is very uncommon, and it requires you to fully understand how your services and your system work.

You have noticed the ACCEPT for ssh [*]. You might want to add similar rules for OUTPUT like the ones I gave for INPUT. However, you have not thought of name resolution:

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

and DHCP (if you are using it). Also, ICMP is almost a must:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

because it is not only used by ping but also carries important diagnostic information such as "no route to host". Without these rules, every time a network error occurs your services will wait until they time out.

PS: use the multiport and comment modules to make your rules more readable, e.g.:

iptables -A INPUT -m multiport --dports smtp,465,submission -m comment --comment postfix -j ACCEPT

Summary: switching your OUTPUT policy to DROP is not very useful, and it requires you to fully understand how every service you use works.

[*] After re-reading your question: you are running ssh on another port, and you thought of allowing the ssh return packets but used --dport as in all the other rules. What I don't understand is why you are running a fail2ban jail for ssh on port 22 if nothing is listening on that port.
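An added example (not code from the question or the answer) of the complete ruleset the answer is pointing towards, written as a POSIX shell script that emits an iptables-restore file so it can be checked with iptables-restore --test before anything is loaded. Port numbers come from the question; the FORWARD DROP policy, the INVALID drop, and the DNS, NTP, outbound-SMTP and HTTPS rules in the OUTPUT DROP variant are my assumptions about what such a host needs, not something the page states.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: emit an iptables-restore
# ruleset for the services named in the question (sshd on 2233, Postfix on 25/465/587,
# Dovecot on 143/993, Roundcube over HTTP(S), Minecraft on 25565/tcp), ordered the
# way the answer recommends: loopback and conntrack first, ICMP allowed, multiport
# plus comment for readability. The OUTPUT policy is a parameter; the rules emitted
# for the DROP variant (DNS, NTP, outbound SMTP, HTTPS) are assumptions about what
# such a host needs, not something stated on the page.
#
# Usage:  sh firewall.sh ACCEPT > rules.v4 && iptables-restore --test rules.v4
#         sh firewall.sh DROP   > rules.v4     # stricter OUTPUT, review before loading

ruleset() {
    policy="${1:-ACCEPT}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ${policy} [0:0]
# loopback and already-accepted connections first: cheapest match, most packets
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP carries errors such as "no route to host"; dropping it turns errors into timeouts
-A INPUT -p icmp -j ACCEPT
# services: only NEW connections need a rule, replies are matched by the conntrack rule
-A INPUT -p tcp --dport 2233 -m conntrack --ctstate NEW -m comment --comment sshd -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -m conntrack --ctstate NEW -m comment --comment postfix -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -m conntrack --ctstate NEW -m comment --comment dovecot -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m comment --comment roundcube -j ACCEPT
-A INPUT -p tcp --dport 25565 -m conntrack --ctstate NEW -m comment --comment minecraft -j ACCEPT
EOF
    if [ "$policy" = "DROP" ]; then
        # With OUTPUT DROP the host's own replies and the things it must reach
        # (DNS, time, other mail servers, the Discord HTTPS API) need explicit rules.
        # --dport here is the *remote* port the host connects to; return packets of
        # inbound connections are already covered by the conntrack rule.
        cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -p udp --dport 123 -m comment --comment ntp -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m comment --comment "postfix outbound" -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m comment --comment "updates, discord bot" -j ACCEPT
EOF
    fi
    echo COMMIT
}

# Number of -A rules emitted for a chain ($1) under a given OUTPUT policy ($2);
# handy for a quick review of the generated file.
rule_count() {
    ruleset "$2" | grep -c "^-A $1 " || true
}

ruleset "${1:-ACCEPT}"
```

Loading the file with iptables-restore replaces the whole filter table in one commit, so a typo never leaves a half-applied ruleset behind. Before switching the OUTPUT policy to DROP, list everything the host itself initiates (Postfix delivering mail to other MTAs, the Discord bot's HTTPS connections, package updates, DNS and NTP) and confirm each has a rule in the DROP variant; the ACCEPT variant, which is what the answer recommends, needs no OUTPUT rules at all.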
