16.04 server: ufw is enabled but ports are open


UFW was not enabled after boot. I tried everything and finally put ufw enable in rc.local; now it is enabled after a reboot.

This is the output of ufw status:

ufw status
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
587                        ALLOW       Anywhere                  
465                        ALLOW       Anywhere                  
80 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
587 (v6)                   ALLOW       Anywhere (v6)             
465 (v6)                   ALLOW       Anywhere (v6)     

This is iptables -L -v:

root@host:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1288  308K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   52  3436 ACCEPT     all  --  lo     any     anywhere             anywhere            
  177 32280 INPUT_direct  all  --  any    any     anywhere             anywhere            
  177 32280 INPUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
  177 32280 INPUT_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  163 31492 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
    0     0 ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-before-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-reject-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-track-input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 FORWARD_direct  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_IN_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_OUT_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
    0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1546  168K OUTPUT_direct  all  --  any    any     anywhere             anywhere            
 1482  164K ufw-before-logging-output  all  --  any    any     anywhere             anywhere            
 1482  164K ufw-before-output  all  --  any    any     anywhere             anywhere            
  372 26928 ufw-after-output  all  --  any    any     anywhere             anywhere            
  372 26928 ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
  372 26928 ufw-reject-output  all  --  any    any     anywhere             anywhere            
  372 26928 ufw-track-output  all  --  any    any     anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  +      any     anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  any    +       anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  any    any     anywhere             anywhere            
    0     0 FWDI_public_deny  all  --  any    any     anywhere             anywhere            
    0     0 FWDI_public_allow  all  --  any    any     anywhere             anywhere            

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  any    any     anywhere             anywhere            
    0     0 FWDO_public_deny  all  --  any    any     anywhere             anywhere            
    0     0 FWDO_public_allow  all  --  any    any     anywhere             anywhere            

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  177 32280 IN_public  all  --  +      any     anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             multiport dports webmin match-set fail2ban-webmin-auth src reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             multiport dports ftp,ftp-data,ftps,ftps-data match-set fail2ban-proftpd src reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             multiport dports smtp,urd,submission match-set fail2ban-postfix src reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps,submission,urd,sieve match-set fail2ban-dovecot src reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             multiport dports smtp,urd,submission,imap3,imaps,pop3,pop3s match-set fail2ban-postfix-sasl src reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             multiport dports ssh,sftp match-set fail2ban-ssh-ddos src reject-with icmp-port-unreachable

Chain IN_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  177 32280 IN_public_log  all  --  any    any     anywhere             anywhere            
  177 32280 IN_public_deny  all  --  any    any     anywhere             anywhere            
  177 32280 IN_public_allow  all  --  any    any     anywhere             anywhere            

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission ctstate NEW
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain ctstate NEW
    1    64 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:webmin:10010 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp-data ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:2222 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:20000 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:pop3s ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:pop3 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imap2 ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imaps ctstate NEW
    7   356 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp ctstate NEW
    6   368 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere            

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    0     0 ufw-not-local  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    0     0 ufw-user-input  all  --  any    any     anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  368 44299 ACCEPT     all  --  any    lo      anywhere             anywhere            
  742 92420 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  372 26928 ufw-user-output  all  --  any    any     anywhere             anywhere            

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   83  4980 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
  289 21948 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:submission
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:urd
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:465

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination 

My problem is that when I run a port scan or try to ssh to port 22, it works...
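The INPUT chain in the post shows where to look: every ufw-* chain has a packet count of 0, while INPUT_direct, INPUT_ZONES and IN_public_allow (chain names that firewalld creates, not ufw) are counting packets and accepting ssh and smtp, and a blanket REJECT sits before the first ufw jump. The script below is an added diagnostic example, not code from the original post: it parses `iptables -L INPUT -v` text (here the INPUT chain copied from the post, embedded as a constructed sample) and reports whether a blanket ACCEPT/DROP/REJECT terminates evaluation before any ufw-* chain is reached, then lists the non-ufw chains that INPUT jumps to. The "blanket rule" test is a heuristic of this example, not an iptables API.

```shell
#!/bin/sh
# Added diagnostic example, not code from the original post.
# Reads the INPUT chain as printed by `iptables -L INPUT -v` (with or without -n)
# and reports whether a blanket ACCEPT/DROP/REJECT rule ends evaluation before
# the first ufw-* chain is consulted, which leaves the ufw-* counters at zero.
# Heuristic, not a full iptables parser.

# Constructed sample: the INPUT chain copied from the post above.
SAMPLE_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1288  308K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   52  3436 ACCEPT     all  --  lo     any     anywhere             anywhere
  177 32280 INPUT_direct  all  --  any    any     anywhere             anywhere
  177 32280 INPUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
  177 32280 INPUT_ZONES  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  163 31492 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
    0     0 ufw-before-logging-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-before-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-reject-input  all  --  any    any     anywhere             anywhere
    0     0 ufw-track-input  all  --  any    any     anywhere             anywhere'

# ufw_shadowed CHAIN_TEXT
# Prints one verdict line. A rule counts as "blanket" when it matches every
# packet: prot all, any interface, any source/destination and no match
# extension (a trailing reject-with is only the REJECT reply type).
ufw_shadowed() {
    printf '%s\n' "$1" | awk '
        NR <= 2 || NF < 9 { next }            # chain header, column header, blanks
        { rule++ }
        $3 ~ /^ufw-/ {
            if (shadow != "")
                printf "%s at rule %d (%s pkts) terminates before ufw chain %s at rule %d\n", shadow, srule, spkts, $3, rule
            else
                print "ufw chains reachable"
            done = 1; exit
        }
        shadow == "" && $3 ~ /^(ACCEPT|DROP|REJECT)$/ && $4 == "all" &&
        ($6 == "any" || $6 == "*") && ($7 == "any" || $7 == "*") &&
        ($8 == "anywhere" || $8 == "0.0.0.0/0") && ($9 == "anywhere" || $9 == "0.0.0.0/0") &&
        (NF == 9 || $10 == "reject-with") {
            shadow = $3; srule = rule; spkts = $1
        }
        END { if (!done) print (shadow == "" ? "no ufw chains in INPUT" : shadow " at rule " srule " and no ufw chains after it") }'
}

# other_chains CHAIN_TEXT
# Lists jump targets that are neither ufw-* chains nor built-in targets.
# Names such as INPUT_direct and INPUT_ZONES are created by firewalld.
other_chains() {
    printf '%s\n' "$1" | awk '
        NR > 2 && NF >= 9 && $3 !~ /^ufw-/ && $3 !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN)$/ {
            out = out (out == "" ? "" : " ") $3
        }
        END { print out }'
}

ufw_shadowed "$SAMPLE_INPUT"
other_chains "$SAMPLE_INPUT"
```

Run it as is to see the verdict for the sample, or on a live host with `ufw_shadowed "$(sudo iptables -L INPUT -v)"`. It only reads the IPv4 table; repeat with `ip6tables -L INPUT -v` for the v6 rules. On the sample it reports the blanket REJECT at rule 8 ahead of ufw-before-logging-input at rule 9, and names INPUT_direct, INPUT_ZONES_SOURCE and INPUT_ZONES as the chains that actually see traffic, which is where to check for a second firewall manager on the box.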
