如何在 Linux 上使用 iptables 作为每个用户白名单 Web 过滤器？

Question 1

泰罗·基尔卡宁是正确的。这是一种脆弱的白名单方式，因为大多数（如果不是全部）主要网站都在使用 CDN。看看当我尝试解析并插入 REJECT 规则时会发生什么：

$ host www.amazon.com
www.amazon.com is an alias for tp.47cf2c8c9-frontier.amazon.com.
tp.47cf2c8c9-frontier.amazon.com is an alias for d3ag4hukkh62yn.cloudfront.net.
d3ag4hukkh62yn.cloudfront.net has address 13.227.254.68

$ sudo iptables -A OUTPUT -d www.amazon.com -j REJECT

$ sudo iptables -L OUTPUT -n
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            13.227.254.68        reject-with icmp-port-unreachable

大约 2 分钟后，我再次解析了域名，并且获得了不同的 IP 地址：

$ host www.amazon.com
www.amazon.com is an alias for tp.47cf2c8c9-frontier.amazon.com.
tp.47cf2c8c9-frontier.amazon.com is an alias for www.amazon.com.edgekey.net.
www.amazon.com.edgekey.net is an alias for e15316.e22.akamaiedge.net.
e15316.e22.akamaiedge.net has address 23.213.141.104

对于这种情况，我使用的最佳解决方案是使用DNS 解析器--ipset中的功能dnsmasq。首先创建 ipset，我们将其命名为amazon：

$ sudo ipset create amazon hash:ip

$ sudo ipset -L amazon
Name: amazon
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 128
References: 0
Members:

在您dnsmasq.conf定义域名时，当解析为 IP 地址时，将被添加到 ipset：

ipset=/amazon.com/amazon

amazon.com上面定义的规则也适用于所有子域，即*.amazon.com。重启服务后，在规则中dnsmasq使用setiptables 中的模块（参见）：man iptables-extensions

$ sudo iptables -A OUTPUT -m set --match-set amazon dst -j REJECT

现在尝试www.amazon.com再次解析并查看其 IP 地址是否添加到 ipset 中：

$ host www.amazon.com                                                                                                                                                                                                                          
www.amazon.com is an alias for tp.47cf2c8c9-frontier.amazon.com.                                                                                                                                                                               
tp.47cf2c8c9-frontier.amazon.com is an alias for www.amazon.com.edgekey.net.                                                                                                                                                                   
www.amazon.com.edgekey.net is an alias for e15316.e22.akamaiedge.net.                                                                                                                                                                          
e15316.e22.akamaiedge.net has address 23.208.241.77                                                                                                                                                                                            
                                                                                                                                                                                                                                               
$ sudo ipset -L amazon                                                                                                                                                                                                                         
Name: amazon                                                                                                                                                                                                                                   
Type: hash:ip                                                                                                                                                                                                                                  
Revision: 2                                                                                                                                                                                                                                    
Header: family inet hashsize 1024 maxelem 65536                                                                                                                                                                                                
Size in memory: 176                                                                                                                                                                                                                            
References: 0                                                                                                                                                                                                                                  
Members:                                                                                                                                                                                                                                       
23.208.241.77

再次，但使用amazon.com：

$ host amazon.com                                                                                                                                                                                                                              
amazon.com has address 205.251.242.103                                                                                                                                                                                                         
amazon.com has address 176.32.103.205                                                                                                                                                                                                          
amazon.com has address 54.239.28.85                                                                                                                                                                                                            
amazon.com mail is handled by 5 amazon-smtp.amazon.com.                                                                                                                                                                                        
                                                                                                                                                                                                                                               
$ sudo ipset -L amazon                                                                                                                                                                                                                         
Name: amazon                                                                                                                                                                                                                                   
Type: hash:ip                                                                                                                                                                                                                                  
Revision: 2                                                                                                                                                                                                                                    
Header: family inet hashsize 1024 maxelem 65536                                                                                                                                                                                                
Size in memory: 320                                                                                                                                                                                                                            
References: 0                                                                                                                                                                                                                                  
Members:                                                                                                                                                                                                                                       
205.251.242.103                                                                                                                                                                                                                                
176.32.103.205                                                                                                                                                                                                                                 
23.208.241.77                                                                                                                                                                                                                                  
54.239.28.85

通过运行几个请求来确认 iptables 规则是否正常工作curl：

$ curl https://www.amazon.com                                                                                                                                                                                                                  
curl: (7) Failed to connect to www.amazon.com port 443: Connection refused                                                                                                                                                                     
                                                                                                                                                                                                                                               
$ curl https://amazon.com                                                                                                                                                                                                                      
curl: (7) Failed to connect to amazon.com port 443: Connection refused                                                                                                                                                                         
                                                                                                                                                                                                                                               
$ curl https://aws.amazon.com                                                                                                                                                                                                                  
curl: (7) Failed to connect to aws.amazon.com port 443: Connection refused

Answer

泰罗·基尔卡宁是正确的。这是一种脆弱的白名单方式，因为大多数（如果不是全部）主要网站都在使用 CDN。看看当我尝试解析并插入 REJECT 规则时会发生什么：

$ host www.amazon.com
www.amazon.com is an alias for tp.47cf2c8c9-frontier.amazon.com.
tp.47cf2c8c9-frontier.amazon.com is an alias for d3ag4hukkh62yn.cloudfront.net.
d3ag4hukkh62yn.cloudfront.net has address 13.227.254.68

$ sudo iptables -A OUTPUT -d www.amazon.com -j REJECT

$ sudo iptables -L OUTPUT -n
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            13.227.254.68        reject-with icmp-port-unreachable

大约 2 分钟后，我再次解析了域名，并且获得了不同的 IP 地址：

$ host www.amazon.com
www.amazon.com is an alias for tp.47cf2c8c9-frontier.amazon.com.
tp.47cf2c8c9-frontier.amazon.com is an alias for www.amazon.com.edgekey.net.
www.amazon.com.edgekey.net is an alias for e15316.e22.akamaiedge.net.
e15316.e22.akamaiedge.net has address 23.213.141.104

对于这种情况，我使用的最佳解决方案是使用DNS 解析器--ipset中的功能dnsmasq。首先创建 ipset，我们将其命名为amazon：

$ sudo ipset create amazon hash:ip

$ sudo ipset -L amazon
Name: amazon
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 128
References: 0
Members:

在您dnsmasq.conf定义域名时，当解析为 IP 地址时，将被添加到 ipset：

ipset=/amazon.com/amazon

amazon.com上面定义的规则也适用于所有子域，即*.amazon.com。重启服务后，在规则中dnsmasq使用setiptables 中的模块（参见）：man iptables-extensions

$ sudo iptables -A OUTPUT -m set --match-set amazon dst -j REJECT

现在尝试www.amazon.com再次解析并查看其 IP 地址是否添加到 ipset 中：

$ host www.amazon.com                                                                                                                                                                                                                          
www.amazon.com is an alias for tp.47cf2c8c9-frontier.amazon.com.                                                                                                                                                                               
tp.47cf2c8c9-frontier.amazon.com is an alias for www.amazon.com.edgekey.net.                                                                                                                                                                   
www.amazon.com.edgekey.net is an alias for e15316.e22.akamaiedge.net.                                                                                                                                                                          
e15316.e22.akamaiedge.net has address 23.208.241.77                                                                                                                                                                                            
                                                                                                                                                                                                                                               
$ sudo ipset -L amazon                                                                                                                                                                                                                         
Name: amazon                                                                                                                                                                                                                                   
Type: hash:ip                                                                                                                                                                                                                                  
Revision: 2                                                                                                                                                                                                                                    
Header: family inet hashsize 1024 maxelem 65536                                                                                                                                                                                                
Size in memory: 176                                                                                                                                                                                                                            
References: 0                                                                                                                                                                                                                                  
Members:                                                                                                                                                                                                                                       
23.208.241.77

再次，但使用amazon.com：

$ host amazon.com                                                                                                                                                                                                                              
amazon.com has address 205.251.242.103                                                                                                                                                                                                         
amazon.com has address 176.32.103.205                                                                                                                                                                                                          
amazon.com has address 54.239.28.85                                                                                                                                                                                                            
amazon.com mail is handled by 5 amazon-smtp.amazon.com.                                                                                                                                                                                        
                                                                                                                                                                                                                                               
$ sudo ipset -L amazon                                                                                                                                                                                                                         
Name: amazon                                                                                                                                                                                                                                   
Type: hash:ip                                                                                                                                                                                                                                  
Revision: 2                                                                                                                                                                                                                                    
Header: family inet hashsize 1024 maxelem 65536                                                                                                                                                                                                
Size in memory: 320                                                                                                                                                                                                                            
References: 0                                                                                                                                                                                                                                  
Members:                                                                                                                                                                                                                                       
205.251.242.103                                                                                                                                                                                                                                
176.32.103.205                                                                                                                                                                                                                                 
23.208.241.77                                                                                                                                                                                                                                  
54.239.28.85

通过运行几个请求来确认 iptables 规则是否正常工作curl：

$ curl https://www.amazon.com                                                                                                                                                                                                                  
curl: (7) Failed to connect to www.amazon.com port 443: Connection refused                                                                                                                                                                     
                                                                                                                                                                                                                                               
$ curl https://amazon.com                                                                                                                                                                                                                      
curl: (7) Failed to connect to amazon.com port 443: Connection refused                                                                                                                                                                         
                                                                                                                                                                                                                                               
$ curl https://aws.amazon.com                                                                                                                                                                                                                  
curl: (7) Failed to connect to aws.amazon.com port 443: Connection refused

Question 2

好的，多亏了 @MichaelHampton 的问题，我才明白。白名单网站应按如下方式添加：

sudo iptables -A OUTPUT -d amazon.com -m owner --uid-owner <USERNAME> -j ACCEPT

您还必须打开 UDP 端口 53 以允许 DNS 主机解析：

sudo iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner <USERNAME> -j ACCEPT

最终规则应该是：

sudo iptables -A OUTPUT -m owner --uid-owner <USERNAME> -j REJECT

Answer