输出 iptables drooping 443 即使规则允许

输出 iptables drooping 443 即使规则允许

输出 iptables drooping 443 即使规则允许

这是我现在的规则

INPUT DROP [2:406]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LOGGING - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.1/32 -p udp -m udp --sport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.1/32 -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.129/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eno1 -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25566 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 68 -j DROP
-A INPUT -p udp -m udp --dport 68 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-16c910ec1d5a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-16c910ec1d5a -j DOCKER
-A FORWARD -i br-16c910ec1d5a ! -o br-16c910ec1d5a -j ACCEPT
-A FORWARD -i br-16c910ec1d5a -o br-16c910ec1d5a -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eno1 -p tcp -m tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25566 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25565 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGGING
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-16c910ec1d5a ! -o br-16c910ec1d5a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-16c910ec1d5a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP

这是输出的日志

Aug  2 00:03:59 saitgaming systemd[1]: Started Session 101 of user root.
Aug  2 00:04:14 saitgaming kernel: [84380.438512] IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37496 DF PROTO=TCP SPT=45294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug  2 00:04:15 saitgaming kernel: [84381.439683] IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37497 DF PROTO=TCP SPT=45294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug  2 00:04:17 saitgaming kernel: [84383.455730] IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37498 DF PROTO=TCP SPT=45294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug  2 00:04:21 saitgaming kernel: [84387.487679] IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37499 DF PROTO=TCP SPT=45294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 

我很难理解,主要是因为我对 iptables 经验不足,所以任何帮助或建议都将非常感谢。

相关内容