Iptables not dropping packets?

I have a very simple set of iptables rules:

iptables -t nat -F
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ens34 -j MASQUERADE

iptables -F INPUT
iptables -A INPUT -s 192.168.3.2/32 -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 192.168.3.2/32 -j DROP
iptables -A INPUT -j ACCEPT

This gives me:

root@ubuntu:/etc/init.d# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  4576 ACCEPT     all  --  *  *       192.168.3.2          192.168.0.0/16
    0     0 DROP       all  --  *  *       192.168.3.2          0.0.0.0/0
  183 16364 ACCEPT     all  --  *  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

However, traffic from 192.168.3.2 to the Internet is still passed out through this server:

root@ubuntu:/etc/init.d# tcpdump -i ens37 -n not port 22
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:43:37.852396 IP 192.168.3.2 > 8.8.8.8: ICMP echo request, id 17, seq 1, length 64
18:43:37.858730 IP 8.8.8.8 > 192.168.3.2: ICMP echo reply, id 17, seq 1, length 64
18:43:38.854008 IP 192.168.3.2 > 8.8.8.8: ICMP echo request, id 17, seq 2, length 64
18:43:38.860361 IP 8.8.8.8 > 192.168.3.2: ICMP echo reply, id 17, seq 2, length 64

IP addresses:

root@ubuntu:/etc/init.d# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:00:a0:01 brd ff:ff:ff:ff:ff:ff permaddr 00:0c:29:fb:bf:33
    altname enp2s2
    inet 95.x.x.x/26 brd 95.x.x.x scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe00:a001/64 scope link
       valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:fb:bf:3d brd ff:ff:ff:ff:ff:ff
    altname enp2s5
    inet 192.168.2.2/24 brd 192.168.2.255 scope global ens37
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fefb:bf3d/64 scope link
       valid_lft forever preferred_lft forever

IP routes:

root@ubuntu:/etc/init.d# ip route show
default via 95.x.x.x dev ens34 proto static
95.x.x.x/26 dev ens34 proto kernel scope link src 95.x.x.x
192.168.2.0/24 dev ens37 proto kernel scope link src 192.168.2.2
192.168.3.0/24 via 192.168.2.1 dev ens37 proto static

Going crazy... What is going on? Why is the traffic not being blocked?

Thanks,
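Added illustration, not part of the original question or of any answer on the page: a small Python model of which filter-table chain a packet visits after the routing decision. The router's local addresses are constructed from the `ip addr` output in the question (the redacted 95.x.x.x public address is replaced by a placeholder), and `RULES_WITH_FORWARD` is an assumed variant that states the same rules in FORWARD; the model shows that a routed 192.168.3.2 -> 8.8.8.8 packet never consults the INPUT rules, which is why the DROP counter in INPUT stays at 0.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses configured on the router (constructed from the `ip addr` output in the
# question; the public address is a placeholder because the post redacts it as 95.x.x.x).
LOCAL_ADDRESSES = {"127.0.0.1", "192.168.2.2", "95.0.0.1"}

@dataclass(frozen=True)
class Rule:
    chain: str           # INPUT or FORWARD
    target: str          # ACCEPT or DROP
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

def chain_for(dst, local_addresses=LOCAL_ADDRESSES):
    """After the routing decision, a packet addressed to this host visits INPUT;
    a packet being routed on to another host visits FORWARD instead."""
    return "INPUT" if dst in local_addresses else "FORWARD"

def verdict(rules, chain, src, dst, policy="ACCEPT"):
    """First matching rule in `chain` wins; otherwise the chain policy applies."""
    for r in rules:
        if r.chain != chain:
            continue
        if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
            return r.target
    return policy

def evaluate(rules, src, dst, local_addresses=LOCAL_ADDRESSES):
    """Return (chain consulted, verdict) for a packet from src to dst."""
    chain = chain_for(dst, local_addresses)
    return chain, verdict(rules, chain, src, dst)

# The rule set from the question: everything lives in INPUT, FORWARD is empty.
RULES_FROM_QUESTION = [
    Rule("INPUT", "ACCEPT", src="192.168.3.2/32", dst="192.168.0.0/16"),
    Rule("INPUT", "DROP", src="192.168.3.2/32"),
    Rule("INPUT", "ACCEPT"),
]
# Assumed variant: the same intent stated in the chain that routed traffic actually traverses.
RULES_WITH_FORWARD = RULES_FROM_QUESTION + [
    Rule("FORWARD", "ACCEPT", src="192.168.3.2/32", dst="192.168.0.0/16"),
    Rule("FORWARD", "DROP", src="192.168.3.2/32"),
]

if __name__ == "__main__":
    for name, rules in (("question", RULES_FROM_QUESTION), ("with FORWARD", RULES_WITH_FORWARD)):
        print(name, evaluate(rules, "192.168.3.2", "8.8.8.8"))
```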
