TLDR:我正在尝试阻止SSH与服务器的连接;服务器本身连接到其上的ubuntu路由器,但与服务器的外部连接并没有被拒绝,所以不起作用。UFWSSHUFW
QEMU/KVM一些背景信息:我一直在尝试在 中设置 Linux 网络virt-manager。它上面有一个路由器UFW,它通过接口连接到来宾网络 (192.168.150.0/24)、隔离网络 (192.168.100.0/24) 和 Internet (192.168.144.0/24)。UFW路由器上的规则如下:
~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
192.168.100.102 22 DENY IN Anywhere
192.168.144.0/24 22 ALLOW IN Anywhere
192.168.150.0/24 ALLOW IN Anywhere
Anywhere ALLOW IN 192.168.150.0/24
192.168.150.0/24 ALLOW IN 192.168.100.0/24
192.168.100.0/24 ALLOW IN 192.168.150.0/24
在隔离网络中,有一台 IP 地址为 192.168.100.102 的服务器。我nmap从来宾网络(即 192.168.150.0/24)对其进行了扫描,以查找任何开放端口,并发现SSH已打开:
~$ nmap -p 0-65535 192.168.100.102
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-22 13:35
Nmap scan report for 192.168.100.102
Host is up (0.00015s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
我重新启动了,UFW但是iptables没有作用。
sudo ufw reload
sudo service iptables restart
我在设置网络时NAT在文件开头添加了一些规则;也许这就是问题所在?/etc/ufw/before.rules
# NAT table rules
*nat
:PREROUTING ACCEPT [150:14925]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [131:11640]
-A POSTROUTING -s 192.168.150.0/24 -j MASQUERADE
COMMIT