iptables 规则被丢弃但仍然通过

iptables 规则被丢弃但仍然通过

我使用这些规则,将对服务器 ssh 的访问限制为某个特定的 IP 地址:

# Intended ssh restriction: drop TCP/6724 arriving on the DMZ interface from
# any source other than 192.168.6.69. Note two things about it:
#   - -A appends, so it sits after every ACCEPT already present in INPUT;
#     a packet accepted by an earlier rule never reaches it.
#   - it matches only -i $DMZ_IFACE; packets arriving on $LAN_IFACE are not
#     covered by it at all.
iptables -A INPUT -i $DMZ_IFACE -p tcp ! -s 192.168.6.69 --dport 6724 -m state --state NEW,ESTABLISHED -j DROP
# Lets the firewall's own replies from port 6724 leave via the LAN interface.
iptables -A OUTPUT -o $LAN_IFACE -p tcp --sport 6724 -m state --state ESTABLISHED -j ACCEPT

但是我可以从 192.168.6.0/24 中的任何 IP 访问端口 6724。

防火墙有 3 个不同的网口(ETH),分别用于对外(互联网)、局域网和 DMZ。

编辑: 这是 sshd 规则之前的 NETWORK 规则:

# INPUT rules that precede the ssh DROP. Because they come first, they decide
# the fate of a packet before the DROP is ever consulted.

# Any protocol from the DMZ interface addressed to the firewall's DMZ IP is
# accepted outright - this includes TCP/6724.
iptables -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

# Same for the LAN interface and the firewall's LAN IP: a LAN host connecting
# to $LAN_IP:6724 is accepted here.
iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

# Loopback traffic.
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

# Replies to connections the firewall itself opened towards the internet.
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# NOTE(review): 194.168.6.0 (not 192.168.6.0) - this accepts ALL traffic from
# an unrelated /24, on any interface. Probably a typo for LAN_IP_RANGE.
iptables -A INPUT -s 194.168.6.0/255.255.255.0 -j ACCEPT

# FORWARD: DMZ -> internet unconditionally, replies back.
iptables -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT

iptables -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

# FORWARD: LAN -> DMZ unconditionally, replies back.
iptables -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT

iptables -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

编辑: ETH 配置

# Interface/address layout of the firewall ("GO OUTSIDE", "LAN, HOST" and
# "DMZ, SERVER WEB" are the author's labels, not shell).
GO OUTSIDE  
    # Internet-facing side: ens33.
    INET_IP="192.168.0.45"
    INET_IFACE="ens33"

LAN, HOST   
    # LAN side: ens39, firewall is 192.168.6.1.
    LAN_IP="192.168.6.1"
    LAN_IP_RANGE="192.168.6.0/24"
    # NOTE(review): the broadcast of 192.168.6.0/24 is 192.168.6.255;
    # 192.168.255.255 would belong to a /16. Not referenced by the rules.
    LAN_BROADCAST_ADDRESS="192.168.255.255"
    LAN_IFACE="ens39"

DMZ, SERVER WEB  
    # DMZ side: ens38, firewall is 192.168.5.1, web server 192.168.5.2.
    DMZ_HTTP_IP="192.168.5.2"
    DMZ_IP="192.168.5.1"
    DMZ_IFACE="ens38"

    LO_IFACE="lo"
    LO_IP="127.0.0.1"

编辑: iptables-save -c 的输出

# Generated by iptables-save v1.6.1 on Tue Feb 11 12:06:50 2020
# nat table. Counters are [packets:bytes] (iptables-save -c).
*nat
:PREROUTING ACCEPT [141:12048]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:305]
:POSTROUTING ACCEPT [2:159]
# None of the chains below are created by the posted script (it only
# declares bad_tcp_packets, allowed and icmp_packets, and its "iptables -F
# -t nat"/"iptables -X" do not remove them). They look like chains of a
# firewalld-style zone layout - NOTE(review): confirm whether another
# firewall manager is active on this host, as it would manage rules
# independently of the script.
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_dmz - [0:0]
:POST_dmz_allow - [0:0]
:POST_dmz_deny - [0:0]
:POST_dmz_log - [0:0]
:POST_internal - [0:0]
:POST_internal_allow - [0:0]
:POST_internal_deny - [0:0]
:POST_internal_log - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
# Port-forward: TCP/80 arriving on ens33 for the firewall's public address
# is rewritten to the DMZ web server 192.168.5.2 (script section
# "SERVER WEB").
[0:0] -A PREROUTING -d 192.168.0.45/32 -i ens33 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.5.2:80
# Source NAT for everything leaving through ens33.
[2:146] -A POSTROUTING -o ens33 -j SNAT --to-source 192.168.0.45
COMMIT
# Completed on Tue Feb 11 12:06:50 2020
# Generated by iptables-save v1.6.1 on Tue Feb 11 12:06:50 2020
# mangle table. The posted script never flushes this table ("iptables -F"
# without -t only touches filter), so everything here comes from elsewhere.
*mangle
:PREROUTING ACCEPT [5604:557366]
:INPUT ACCEPT [1940:209203]
:FORWARD ACCEPT [98:7077]
:OUTPUT ACCEPT [285:51551]
:POSTROUTING ACCEPT [378:58083]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[6547:678748] -A PREROUTING -j PREROUTING_direct
[6547:678748] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[6547:678748] -A PREROUTING -j PREROUTING_ZONES
[2291:261147] -A INPUT -j INPUT_direct
[98:7077] -A FORWARD -j FORWARD_direct
[381:68958] -A OUTPUT -j OUTPUT_direct
[474:75490] -A POSTROUTING -j POSTROUTING_direct
# Per-interface dispatch (-g = goto, no return): ens38 -> dmz,
# ens39 -> internal, ens33 and anything else -> public.
[1829:173183] -A PREROUTING_ZONES -i ens38 -g PRE_dmz
[1879:176591] -A PREROUTING_ZONES -i ens39 -g PRE_internal
[2202:256044] -A PREROUTING_ZONES -i ens33 -g PRE_public
[34:3439] -A PREROUTING_ZONES -g PRE_public
# The per-zone log/deny/allow chains are all empty in this table.
[1829:173183] -A PRE_dmz -j PRE_dmz_log
[1829:173183] -A PRE_dmz -j PRE_dmz_deny
[1829:173183] -A PRE_dmz -j PRE_dmz_allow
[1879:176591] -A PRE_internal -j PRE_internal_log
[1879:176591] -A PRE_internal -j PRE_internal_deny
[1879:176591] -A PRE_internal -j PRE_internal_allow
[2836:328770] -A PRE_public -j PRE_public_log
[2836:328770] -A PRE_public -j PRE_public_deny
[2836:328770] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Feb 11 12:06:50 2020
# Generated by iptables-save v1.6.1 on Tue Feb 11 12:06:50 2020
# raw table, also untouched by the posted script; same zone layout as the
# mangle table above.
*raw
:PREROUTING ACCEPT [5604:557366]
:OUTPUT ACCEPT [285:51551]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[6547:678748] -A PREROUTING -j PREROUTING_direct
[6547:678748] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[6547:678748] -A PREROUTING -j PREROUTING_ZONES
[381:68958] -A OUTPUT -j OUTPUT_direct
[1829:173183] -A PREROUTING_ZONES -i ens38 -g PRE_dmz
[1879:176591] -A PREROUTING_ZONES -i ens39 -g PRE_internal
[2202:256044] -A PREROUTING_ZONES -i ens33 -g PRE_public
[34:3439] -A PREROUTING_ZONES -g PRE_public
[1829:173183] -A PRE_dmz -j PRE_dmz_log
[1829:173183] -A PRE_dmz -j PRE_dmz_deny
[1829:173183] -A PRE_dmz -j PRE_dmz_allow
[1879:176591] -A PRE_internal -j PRE_internal_log
[1879:176591] -A PRE_internal -j PRE_internal_deny
[1879:176591] -A PRE_internal -j PRE_internal_allow
# The only real rule in this table: attach the NetBIOS name-service
# conntrack helper to UDP/137 arriving from the LAN zone (ens39).
[602:46956] -A PRE_internal_allow -p udp -m udp --dport 137 -j CT --helper netbios-ns
[2836:328770] -A PRE_public -j PRE_public_log
[2836:328770] -A PRE_public -j PRE_public_deny
[2836:328770] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Feb 11 12:06:50 2020
# Generated by iptables-save v1.6.1 on Tue Feb 11 12:06:50 2020
# security table: only empty *_direct pass-through chains; no filtering
# happens here.
*security
:INPUT ACCEPT [700:101912]
:FORWARD ACCEPT [98:7077]
:OUTPUT ACCEPT [372:67626]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
[701:101980] -A INPUT -j INPUT_direct
[98:7077] -A FORWARD -j FORWARD_direct
[373:68194] -A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Feb 11 12:06:50 2020
# Generated by iptables-save v1.6.1 on Tue Feb 11 12:06:50 2020
# filter table - the one that answers the question. Within a chain rules are
# tried top to bottom and the first match decides (LOG is the exception: it
# does not terminate evaluation). Counters are [packets:bytes] since they
# were last zeroed (the script runs "iptables -Z").
# This dump predates the script posted further down: it lacks that script's
# "-d 192.168.5.2" and multiport DROP rules, and icmp_packets here ACCEPTs
# where the script DROPs.
*filter
:INPUT DROP [50:4247]
:FORWARD DROP [0:0]
:OUTPUT DROP [8:764]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
[0:0] -A INPUT -p tcp -j bad_tcp_packets
[0:0] -A INPUT -i ens33 -p icmp -j icmp_packets
# Blanket ACCEPT for anything arriving on the DMZ or LAN interface that is
# addressed to the firewall's own IP on that interface. TCP/6724 from any
# LAN host is already accepted by the second rule, so the DROP at the end
# of INPUT is never consulted for it.
[0:0] -A INPUT -d 192.168.5.1/32 -i ens38 -j ACCEPT
[0:0] -A INPUT -d 192.168.6.1/32 -i ens39 -j ACCEPT
[8:636] -A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
[0:0] -A INPUT -s 192.168.6.1/32 -i lo -j ACCEPT
[0:0] -A INPUT -s 192.168.0.45/32 -i lo -j ACCEPT
[0:0] -A INPUT -i ens39 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
[2:239] -A INPUT -d 192.168.0.45/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Non-terminating: logged packets continue to the two rules below.
[4:284] -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
# NOTE(review): 194.168.6.0/24 (194, not 192) - accepts all traffic from
# an unrelated network on any interface; probably a typo for 192.168.6.0/24.
[0:0] -A INPUT -s 194.168.6.0/24 -j ACCEPT
# The intended ssh restriction. It is the last rule in INPUT and matches
# only -i ens38 (DMZ); LAN clients arrive on ens39 and were accepted above.
# [0:0] means it has matched nothing since the counters were zeroed.
[0:0] -A INPUT ! -s 192.168.6.69/32 -i ens38 -p tcp -m tcp --dport 6724 -m state --state NEW,ESTABLISHED -j DROP
[0:0] -A FORWARD -p tcp -j bad_tcp_packets
[0:0] -A FORWARD -i ens38 -o ens33 -j ACCEPT
[0:0] -A FORWARD -i ens33 -o ens38 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i ens39 -o ens38 -j ACCEPT
[0:0] -A FORWARD -i ens38 -o ens39 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Companion to the nat PREROUTING DNAT: forwarded HTTP to the DMZ web server.
[0:0] -A FORWARD -d 192.168.5.2/32 -o ens38 -p tcp -m tcp --dport 80 -j ACCEPT
# Anything entering on the LAN interface is forwarded, whatever its
# destination or output interface.
[0:0] -A FORWARD -i ens39 -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
[0:0] -A OUTPUT -o ens39 -p tcp -m tcp --sport 6724 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -p tcp -j bad_tcp_packets
[8:636] -A OUTPUT -s 127.0.0.1/32 -j ACCEPT
[0:0] -A OUTPUT -s 192.168.6.1/32 -j ACCEPT
[2:146] -A OUTPUT -s 192.168.0.45/32 -j ACCEPT
[3:322] -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
# "allowed" is defined but no rule in this table jumps to it.
[0:0] -A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A allowed -p tcp -j DROP
# Reject NEW connections carrying SYN+ACK with a reset; log and drop any
# other NEW packet that is not a plain SYN.
[0:0] -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
[0:0] -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
[0:0] -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Reached only for ICMP on ens33: echo-request (8) and time-exceeded (11)
# are ACCEPTed here; the posted script DROPs them instead.
[0:0] -A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
# Completed on Tue Feb 11 12:06:50 2020

编辑: 脚本

#!/bin/sh
#
# Three-interface iptables firewall: internet on $INET_IFACE, LAN on
# $LAN_IFACE, DMZ on $DMZ_IFACE, with an HTTP server DNAT'd into the DMZ.
# Must run as root (loads modules, writes /proc/sys/net/ipv4/ip_forward,
# calls iptables). There is no "set -e": a failing command is printed by
# iptables but the script carries on, so a typo silently leaves a rule out.
# Rule order matters: "iptables -A" appends, the first matching rule in a
# chain wins, and a rule appended later is only reached by packets that no
# earlier rule matched.

###########################################################################
#
# 1. Configuration options.
#


INET_IP="192.168.0.45"
INET_IFACE="ens33"
#INET_BROADCAST="151.13.109.161"

LAN_IP="192.168.6.1"
# Not referenced by any rule below.
LAN_IP_RANGE="192.168.6.0/24"
# NOTE(review): the broadcast of 192.168.6.0/24 is 192.168.6.255; this value
# belongs to a /16. Not referenced by any rule below.
LAN_BROADCAST_ADDRESS="192.168.255.255"
LAN_IFACE="ens39"

#DMZ_HTTP_IP="192.168.1.2"
#DMZ_DNS_IP="192.168.1.3"
DMZ_HTTP_IP="192.168.5.2"
DMZ_IP="192.168.5.1"
DMZ_IFACE="ens38"

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a



#
# 2.1 Required modules
#

# NOTE(review): ip_conntrack/ipt_LOG/ipt_limit/ipt_state are legacy module
# names; on recent kernels these modprobe calls may fail (iptables autoloads
# what it needs anyway, and the script does not stop on errors).
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

# Turn the box into a router (FORWARD chain is used below). Not persistent
# across reboots unless also set via sysctl configuration.
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Loading iptables rules..."

#####################################
# Flush the current configuration
#####################################

# Delete the rules present in the chains.
# "-F" without -t flushes the filter table only; nat is flushed explicitly.
# The mangle and raw tables are left alone - the iptables-save output above
# shows zone chains there that this script never creates or removes.
echo " Cancellazione delle regole presenti nelle chains"
iptables -F
iptables -F -t nat

# Delete the empty non-standard chains (filter table only).
echo " Eliminazione delle chains non standard vuote "
iptables -X

# Reset the counters (useful for logging; original comment reads "7ging").
# Filter table only, so later "-Z"-free counters in other tables persist.
echo " Inizializzazione dei contatori (utile per il 7ging) "
iptables -Z

###########################################################################
#
# 4. rules set up.
#

# Default-deny in all three built-in chains; everything not explicitly
# accepted below is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -N bad_tcp_packets
iptables -N allowed
iptables -N icmp_packets


# NEW connection arriving with SYN+ACK set: answer with a reset.
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset

# Any other NEW packet that is not a plain SYN: log (rate-unlimited) and drop.
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"

iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#
# NOTE(review): defined here but no rule in this script jumps to "allowed";
# it has no effect on traffic.

iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
# Reached only for ICMP entering on $INET_IFACE (see 4.1.4). Drops echo
# requests (8) and time-exceeded (11) from the internet side; the
# iptables-save output above still shows these as ACCEPT, i.e. it was taken
# before this change. Other ICMP types fall through to the INPUT rules.
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j DROP

#
# 4.1.4 INPUT chain
#
# "-I" inserts at position 1, so this runs before bad_tcp_packets. It is the
# same rule as the one at the end of this section, whose "j ACCEPT" is
# broken (see below), which is presumably why it was inserted here.
iptables -I INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp -j bad_tcp_packets

iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#
# Accepts every protocol and port from the DMZ interface to $DMZ_IP,
# including TCP/6724. Any DROP appended later in INPUT (the "SERVER SSH"
# rules) is never reached by packets matching this rule.

iptables -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#
# Same for the LAN: a LAN host connecting to $LAN_IP:6724 is accepted here,
# which is why the ssh restriction below has no effect on 192.168.6.0/24.

iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#
# BUG: "j ACCEPT" on the continuation line is missing its leading "-".
# iptables rejects the whole command, so this rule is never installed; the
# "-I INPUT" rule at the top of this section is what actually does the job.

iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
j ACCEPT

#
# Log weird packets that don't match the above.
#
# LOG does not terminate evaluation: packets continue to the rules appended
# after this point (the 194.168.6.0 ACCEPT and the SSH rules).

iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 7 --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

iptables -A FORWARD -p tcp -j bad_tcp_packets
# NOTE(review): this is an INPUT rule in the FORWARD section, and the
# network is 194.168.6.0, not the LAN's 192.168.6.0. As written it accepts
# all traffic from an unrelated /24 on any interface; probably a typo for
# $LAN_IP_RANGE.
iptables -A INPUT -s 194.168.6.0/255.255.255.0 -j ACCEPT


#
# DMZ section
#
# General rules
#

# DMZ -> internet unconditionally; internet -> DMZ only for replies.
iptables -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# LAN <-> DMZ: replies only in both directions here (the earlier snippet in
# the question accepted LAN -> DMZ unconditionally); NEW LAN -> DMZ traffic
# is instead covered by the "-i $LAN_IFACE -j ACCEPT" rule in the LAN
# section.
iptables -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

echo "SERVER WEB"
# Publish the DMZ web server: DNAT TCP/80 arriving on $INET_IFACE for
# $INET_IP to $DMZ_HTTP_IP, and allow the rewritten packet to be forwarded.
iptables -A PREROUTING -t nat -p tcp -i $INET_IFACE -d $INET_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP:80
iptables -A FORWARD -p tcp -d $DMZ_HTTP_IP --dport 80 -o $DMZ_IFACE -j ACCEPT
#iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
echo "SERVER WEB OK"

echo "SERVER SSH"
# Intended: only 192.168.6.69 may reach TCP/6724. Two problems:
#  - these rules are appended after the blanket ACCEPTs in 4.1.4, so a
#    packet from the LAN or DMZ to the firewall's own address never gets
#    here; to take effect they must be inserted before those ACCEPTs (or
#    the ACCEPTs narrowed), as the answers below explain.
#  - INPUT only sees packets addressed to the firewall itself. With
#    "-d $DMZ_HTTP_IP" (192.168.5.2, the DMZ web server) this rule would
#    only match if that address is local to the firewall; traffic to a
#    separate DMZ host traverses FORWARD, not INPUT.
#    NOTE(review): confirm which host actually runs sshd on 6724.
iptables -A INPUT -i $DMZ_IFACE -p tcp -m tcp ! -s 192.168.6.69 -d $DMZ_HTTP_IP --dport 6724 -m state --state NEW,ESTABLISHED -j DROP
# Admin ssh on the standard port from one internet-side host only.
iptables -A INPUT -i $INET_IFACE -p tcp -m tcp -s 192.168.0.2 -d $INET_IP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Catch-all DROP for 22 and 6724 - again only reached by packets that none
# of the earlier ACCEPTs matched (in practice: the internet interface).
iptables -A INPUT -p tcp -m multiport --dport 22,6724 -j DROP


#
# LAN section
#

# Anything entering on the LAN interface is forwarded, whatever its
# destination or output interface.
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 7 --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

iptables -A OUTPUT -p tcp -j bad_tcp_packets

# Locally generated traffic is accepted by source address only.
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 7 --log-prefix "IPT OUTPUT packet died: "


#
# Enable simple IP Forwarding and Network Address Translation
#

# Source NAT for everything leaving through the internet interface.
iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

答案1

您至少需要检查以下内容:

  1. 这些是防火墙规则集中仅有的规则吗?在这条 DROP 规则之前,您可能还有其他 ACCEPT 规则。
  2. 您确定流量是经由 DMZ_IFACE 接口进来的吗?

答案2

要排查此问题,只需查看 `iptables-save -c` 输出中的规则计数器。我估计您那条限制规则的计数器为零,这意味着链中更靠前的某条规则已经接受了这些数据包。

当您用 `iptables -A INPUT` 命令添加限制规则时,该规则会被放到链的末尾。

为了达到目的,您应该把 DROP 规则放在正确的位置(放在那些 ACCEPT 规则之前)。但更好的做法是创建单独的规则链。

此外,您的DROP规则只会阻止新连接,但如果您已经建立了连接,它就会保持活动状态。
