UFW not enabled after boot
I have tried everything, and in the end I put ufw enable into rc.local; now it is enabled after a reboot.
This is the output of ufw status:
ufw status
Status: active
To Action From
-- ------ ----
80 ALLOW Anywhere
443 ALLOW Anywhere
587 ALLOW Anywhere
465 ALLOW Anywhere
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
587 (v6) ALLOW Anywhere (v6)
465 (v6) ALLOW Anywhere (v6)
This is iptables -L -v:
root@host:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1288 308K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
52 3436 ACCEPT all -- lo any anywhere anywhere
177 32280 INPUT_direct all -- any any anywhere anywhere
177 32280 INPUT_ZONES_SOURCE all -- any any anywhere anywhere
177 32280 INPUT_ZONES all -- any any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
163 31492 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
0 0 ufw-before-logging-input all -- any any anywhere anywhere
0 0 ufw-before-input all -- any any anywhere anywhere
0 0 ufw-after-input all -- any any anywhere anywhere
0 0 ufw-after-logging-input all -- any any anywhere anywhere
0 0 ufw-reject-input all -- any any anywhere anywhere
0 0 ufw-track-input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 FORWARD_direct all -- any any anywhere anywhere
0 0 FORWARD_IN_ZONES_SOURCE all -- any any anywhere anywhere
0 0 FORWARD_IN_ZONES all -- any any anywhere anywhere
0 0 FORWARD_OUT_ZONES_SOURCE all -- any any anywhere anywhere
0 0 FORWARD_OUT_ZONES all -- any any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
0 0 ufw-before-logging-forward all -- any any anywhere anywhere
0 0 ufw-before-forward all -- any any anywhere anywhere
0 0 ufw-after-forward all -- any any anywhere anywhere
0 0 ufw-after-logging-forward all -- any any anywhere anywhere
0 0 ufw-reject-forward all -- any any anywhere anywhere
0 0 ufw-track-forward all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1546 168K OUTPUT_direct all -- any any anywhere anywhere
1482 164K ufw-before-logging-output all -- any any anywhere anywhere
1482 164K ufw-before-output all -- any any anywhere anywhere
372 26928 ufw-after-output all -- any any anywhere anywhere
372 26928 ufw-after-logging-output all -- any any anywhere anywhere
372 26928 ufw-reject-output all -- any any anywhere anywhere
372 26928 ufw-track-output all -- any any anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- + any anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- any + anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- any any anywhere anywhere
0 0 FWDI_public_deny all -- any any anywhere anywhere
0 0 FWDI_public_allow all -- any any anywhere anywhere
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- any any anywhere anywhere
0 0 FWDO_public_deny all -- any any anywhere anywhere
0 0 FWDO_public_allow all -- any any anywhere anywhere
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
177 32280 IN_public all -- + any anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any anywhere anywhere multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere multiport dports webmin match-set fail2ban-webmin-auth src reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data match-set fail2ban-proftpd src reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere multiport dports smtp,urd,submission match-set fail2ban-postfix src reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere multiport dports pop3,pop3s,imap2,imaps,submission,urd,sieve match-set fail2ban-dovecot src reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere multiport dports smtp,urd,submission,imap3,imaps,pop3,pop3s match-set fail2ban-postfix-sasl src reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere multiport dports ssh,sftp match-set fail2ban-ssh-ddos src reject-with icmp-port-unreachable
Chain IN_public (1 references)
pkts bytes target prot opt in out source destination
177 32280 IN_public_log all -- any any anywhere anywhere
177 32280 IN_public_deny all -- any any anywhere anywhere
177 32280 IN_public_allow all -- any any anywhere anywhere
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:submission ctstate NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain ctstate NEW
1 64 ACCEPT tcp -- any any anywhere anywhere tcp dpts:webmin:10010 ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp-data ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2222 ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:20000 ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3s ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3 ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imap2 ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imaps ctstate NEW
7 356 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp ctstate NEW
6 368 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh ctstate NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
0 0 ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ufw-user-forward all -- any any anywhere anywhere
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
0 0 ufw-not-local all -- any any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- any any anywhere anywhere
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
368 44299 ACCEPT all -- any lo anywhere anywhere
742 92420 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
372 26928 ufw-user-output all -- any any anywhere anywhere
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
0 0 DROP all -- any any anywhere anywhere
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
83 4980 ACCEPT tcp -- any any anywhere anywhere ctstate NEW
289 21948 ACCEPT udp -- any any anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:submission
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:submission
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:urd
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:465
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
My problem is that when I run a port scan or try to ssh to port 22, it works......
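The dump above shows every ufw-* hook in INPUT with 0 packets, while the zone chains (INPUT_ZONES, IN_public_allow with its dpt:ssh ACCEPT counting 6 packets) and the REJECT rule that precedes the ufw hooks carry all the counters. The following script is an added example, not code from the question or any answer: it parses iptables -L -v output and reports which sub-chains of a built-in chain sit behind a catch-all terminating rule and never counted a packet. Its sample input is constructed from an abridged copy of the dump above.

```python
import re
# Constructed input, abridged from the question's `iptables -L -v` dump: the INPUT
# chain plus the zone chain that admits ssh, with counters as posted.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 1288 308K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
 177 32280 INPUT_ZONES all -- any any anywhere anywhere
 0 0 DROP all -- any any anywhere anywhere ctstate INVALID
 163 31492 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
 0 0 ufw-before-input all -- any any anywhere anywhere
 0 0 ufw-user-input all -- any any anywhere anywhere
Chain IN_public_allow (1 references)
 pkts bytes target prot opt in out source destination
 6 368 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh ctstate NEW
"""
HEAD = re.compile(r"^Chain (\S+) \(")
# Columns: pkts bytes target prot opt in out source destination [match options]
RULE = re.compile(r"^\s*(\d+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Return {chain name: [rule dicts]} from `iptables -L -v` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        if (m := HEAD.match(line)):
            cur = m.group(1)
            chains[cur] = []
        elif cur is not None and (m := RULE.match(line)):
            pkts, target, prot, i, o, src, dst, extra = m.groups()
            chains[cur].append({"pkts": int(pkts), "target": target, "prot": prot,
                                "in": i, "out": o, "src": src, "dst": dst,
                                "extra": extra.strip()})
    return chains

def is_catch_all(rule):
    """A terminating rule with no match conditions: every packet reaching it stops here."""
    return (rule["target"] in TERMINAL and rule["prot"] == "all"
            and rule["in"] == rule["out"] == "any" and rule["src"] == rule["dst"] == "anywhere"
            and (rule["extra"] == "" or rule["extra"].startswith("reject-with")))

def shadowed(chains, top="INPUT", prefix="ufw-"):
    """Sub-chains of `top` named `prefix*` that sit after a catch-all rule and counted 0 packets."""
    passed, found = False, []
    for rule in chains[top]:
        if passed and rule["target"].startswith(prefix) and rule["pkts"] == 0:
            found.append(rule["target"])
        passed = passed or is_catch_all(rule)
    return found
```

Running shadowed(parse(SAMPLE)) on the abridged dump lists both ufw hooks, which is the check to run on a live box with the full output of iptables -L -v.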