I'm having some issues and am trying to troubleshoot with iptables rules.
When I run the commands below and try to test connecting to Git via curl and the Git CLI, the connection hangs. The problem seems to be limited to HTTPS, because when I allow HTTPS through ufw the connection works fine.
As far as I can tell, the rules below should allow HTTPS out on 443 and allow 9418, which Git needs to work.
I'm just allowing outbound connections with a default DROP policy, and the following allows INBOUND connections:
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
What is missing below to make HTTPS work?
# Flush tables
iptables -F
ip6tables -F
# Whitelist my address
iptables -I INPUT -p tcp --dport 22 -s $whitelisted -j ACCEPT
# Set a default policy of DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Accept any related or established connections
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow all traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow outbound DHCP request
iptables -A OUTPUT -o eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Allow inbound SSH
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow inbound HTTPS
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow GIT
iptables -A OUTPUT -o eth0 -p tcp --dport 9418 -m state --state NEW -j ACCEPT
# Allow inbound HTTP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
# Outbound DNS lookups
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
# Outbound PING requests
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
# Outbound Network Time Protocol (NTP) requests
iptables -A OUTPUT -o eth0 -p udp --dport 123 --sport 123 -j ACCEPT
#### IPv6 Rules
# Drop all IPv6
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
# Must allow loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
# Reject connection attempts not initiated from the host
ip6tables -A INPUT -p tcp --syn -j DROP
# Allow return connections initiated from the host
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
My server is Ubuntu 20.04.
Answer 1
There is no rule allowing outgoing HTTPS traffic:
# Allow HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
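As an added illustration (not part of the question or the answer), here is a small Python simulator that walks the question's OUTPUT chain the way netfilter does, first match wins and the chain policy applies otherwise, and reports the fate of the first SYN of an outbound HTTPS connection before and after the answer's rule is appended. The ruleset strings are condensed from the question's script; the packet fields and the rule subset handled by the parser are assumptions of this example, and a DROP policy explains why the client hangs instead of failing fast.

```python
import shlex

# OUTPUT-side rules condensed from the question's script (constructed for this example).
BROKEN = """
iptables -P OUTPUT DROP
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 9418 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
"""
# The answer's fix appended to the same chain.
FIXED = BROKEN + "iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT\n"

def load_rules(script):
    """Parse -P/-A/-I lines into per-chain rule lists. -I prepends (so later -I
    lines land first), -A appends; -m only names a match module and is skipped."""
    chains, policies = {}, {}
    for line in script.splitlines():
        argv = shlex.split(line.strip())
        if not argv or argv[0] != "iptables":
            continue
        argv = argv[1:]
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]
            continue
        if argv[0] not in ("-A", "-I"):
            continue
        rule, opts, i = {}, argv[2:], 0
        while i < len(opts):  # every option in this ruleset takes exactly one argument
            if opts[i] in ("-i", "-o", "-p", "-s", "--dport", "--sport", "--state", "-j"):
                rule[opts[i]] = opts[i + 1]
            i += 2 if opts[i].startswith("-") else 1
        lst = chains.setdefault(argv[1], [])
        lst.insert(0, rule) if argv[0] == "-I" else lst.append(rule)
    return chains, policies

def port_ok(spec, port):
    lo, _, hi = spec.partition(":")  # "67:68" is a range, "443" a single port
    return int(lo) <= port <= int(hi or lo)

def verdict(chains, policies, chain, pkt):
    """Walk the chain top to bottom; return the first matching target, else the policy."""
    for r in chains.get(chain, []):
        if r.get("-o", pkt.get("out")) != pkt.get("out"): continue
        if r.get("-i", pkt.get("in")) != pkt.get("in"): continue
        if r.get("-p", pkt["proto"]) != pkt["proto"]: continue
        if "--dport" in r and not port_ok(r["--dport"], pkt["dport"]): continue
        if "--sport" in r and not port_ok(r["--sport"], pkt["sport"]): continue
        if "--state" in r and pkt["state"] not in r["--state"].split(","): continue
        return r["-j"]
    return policies.get(chain, "ACCEPT")

def https_syn_verdict(script):
    """Fate of the first SYN of `curl https://...` leaving eth0: NEW state, dport 443."""
    chains, policies = load_rules(script)
    pkt = {"out": "eth0", "proto": "tcp", "sport": 51000, "dport": 443, "state": "NEW"}
    return verdict(chains, policies, "OUTPUT", pkt)  # BROKEN -> "DROP", FIXED -> "ACCEPT"
```

Calling `https_syn_verdict(BROKEN)` returns `DROP` (the SYN is silently discarded, so curl and git hang until they time out) while `https_syn_verdict(FIXED)` returns `ACCEPT`; the git:// port 9418 and reply packets in ESTABLISHED state are accepted by both rulesets.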