I'm currently setting up a firewall on a server, and it's driving me crazy. I'm using nftables with the following ruleset:
    table inet filter {
        map whitelist {
            type ipv4_addr . inet_service : verdict
            elements = { 192.168.1.x . ssh : accept,
                         192.168.1.y . ssh : accept,
                         192.168.1.z . ssh : accept }
        }
        chain input {
            type filter hook input priority 0; policy accept;
            ct state established,related accept
            iifname "lo" accept
            tcp dport http ip saddr { 192.168.1.0/24 } accept comment "Accept HTTP traffic on PORT 80"
            tcp dport netbios-ns ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Name Service (nmbd) on PORT 137"
            tcp dport netbios-dgm ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Datagram Service (nmbd) on PORT 138"
            tcp dport netbios-ssn ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Session Service (smbd) on PORT 139"
            tcp dport https ip saddr { 192.168.1.0/24 } accept comment "Accept HTTPS traffic on PORT 443"
            tcp dport microsoft-ds ip saddr { 192.168.1.0/24 } accept comment "Accept Microsoft Directory Services (smbd) on PORT 445"
            tcp dport webmin ip saddr { 192.168.1.0/24 } accept comment "Accept traffic for WebMin Interface on PORT 10000"
            udp dport netbios-ns ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Name Service (nmbd) on PORT 137"
            udp dport netbios-dgm ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Datagram Service (nmbd) on PORT 138"
            udp dport netbios-ssn ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Session Service (nmbd) on PORT 139"
            udp dport microsoft-ds ip saddr { 192.168.1.0/24 } accept comment "Accept Microsoft Directory Service (smbd) on PORT 445"
            # ssh is only reachable for the source addresses listed in the map
            meta nfproto ipv4 ip saddr . tcp dport vmap @whitelist
            # catch-all: anything not accepted above is dropped
            drop
        }
        chain output {
            type filter hook output priority 0; policy accept;
        }
        chain forward {
            type filter hook forward priority 0; policy drop;
        }
    }
I made sure that the network range defined above is the right one. The range covers 254 addresses, so my machines should be fine. My host and another machine have no problems; their IPs are 192.168.1.42 and 192.168.1.181 respectively. But another machine is driving me crazy. Since I added the `drop` part, the machine with IP 192.168.1.115 can no longer reach the server. My question is, since I can't figure out why this machine won't access the data on the server anymore, is there any obvious reason why this access isn't working? What am I missing?
Thanks
真影
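The usual way to find out which packets a final `drop` is eating is to log them first, by replacing the bare `drop` with `log prefix "nft-drop: " drop`, and then read the resulting kernel messages. The script below is an added example, not part of the question above: it parses netfilter log lines in the standard `KEY=VALUE` format the kernel emits, counts dropped packets per source, protocol and destination port, and replays each one against the posted input chain to show which rule (or the absence of one) decided its fate. The log lines are constructed samples, the `nft-drop: ` prefix is an assumption about how the log rule was written, and the ssh whitelist entries are placeholders since the post only shows them as `192.168.1.x/y/z`. Service names are resolved to the port numbers `/etc/services` assigns them. Note that the posted chain has no rule for ICMP at all, so a ping test from any host falls through to the final `drop`; the evaluator reflects that.

```python
import ipaddress
import re
from collections import Counter

# Ports the posted input chain accepts from 192.168.1.0/24, with the service
# names from the ruleset resolved to numbers as /etc/services lists them.
LAN = ipaddress.ip_network("192.168.1.0/24")
TCP_OPEN = {80, 137, 138, 139, 443, 445, 10000}   # http ... webmin
UDP_OPEN = {137, 138, 139, 445}                    # netbios-*, microsoft-ds
SSH_PORT = 22
# Hosts the @whitelist vmap admits to ssh. Constructed placeholders: the post
# only shows them as 192.168.1.x/y/z, so substitute the real map elements.
SSH_WHITELIST = {"192.168.1.42", "192.168.1.181"}

# Assumed to be set by 'log prefix "nft-drop: " drop' in place of the bare
# 'drop' at the end of the input chain.
LOG_PREFIX = "nft-drop: "
TOKEN = re.compile(r"(\w+)=(\S*)")


def verdict(src, proto, dport=None):
    """Walk the posted input chain top to bottom for a new (not yet
    established) packet and return (verdict, rule that decided it)."""
    in_lan = ipaddress.ip_address(src) in LAN
    if proto == "TCP" and in_lan and dport in TCP_OPEN:
        return "accept", f"tcp dport {dport} ip saddr 192.168.1.0/24 accept"
    if proto == "UDP" and in_lan and dport in UDP_OPEN:
        return "accept", f"udp dport {dport} ip saddr 192.168.1.0/24 accept"
    if proto == "TCP" and dport == SSH_PORT and src in SSH_WHITELIST:
        return "accept", "vmap @whitelist"
    # Nothing else matches; ICMP in particular never does, so ping fails too.
    return "drop", "no accept rule matched, fell through to final drop"


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter log line, or None if the
    line is not one of ours. Bare flags (DF, SYN) carry no '=' and are skipped;
    on duplicate keys (ID=, LEN=) the first, IP-header value is kept."""
    if LOG_PREFIX not in line:
        return None
    fields = {}
    for key, value in TOKEN.findall(line.split(LOG_PREFIX, 1)[1]):
        fields.setdefault(key, value)
    return fields


def summarize(lines):
    """Count dropped packets per (source, protocol, destination port or
    ICMP type)."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        proto = f.get("PROTO", "?")
        target = int(f["DPT"]) if "DPT" in f else f.get("TYPE")
        counts[(f.get("SRC"), proto, target)] += 1
    return counts


def report(lines):
    """One row per dropped flow, most frequent first, with the rule walk
    that explains why it was dropped."""
    rows = []
    for (src, proto, target), n in sorted(summarize(lines).items(),
                                          key=lambda kv: (-kv[1], str(kv[0]))):
        dport = target if proto in ("TCP", "UDP") else None
        v, why = verdict(src, proto, dport)
        rows.append(f"{src} {proto} {target} x{n}: {v} ({why})")
    return rows


# Constructed sample of kernel log output; the last line is unrelated noise.
SAMPLE_LOG = """\
Jan 12 10:15:01 srv kernel: nft-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.115 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 12 10:15:03 srv kernel: nft-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.115 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=50122 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:15:03 srv kernel: nft-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.115 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4244 DF PROTO=TCP SPT=50123 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:15:09 srv kernel: nft-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.115 DST=192.168.1.10 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=4245 DF PROTO=UDP SPT=5353 DPT=5353 LEN=36
Jan 12 10:15:10 srv sshd[1234]: Accepted publickey for admin from 192.168.1.42 port 51000 ssh2
"""

if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

On a real host, feed it `journalctl -k` or `/var/log/kern.log` instead of `SAMPLE_LOG`; the rows show immediately whether the silent host is trying ssh without being in the map, pinging, or using a port the chain never accepts. A `counter` statement on the log rule gives the same totals from `nft list ruleset` without parsing logs at all.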