Internet does not work when the iptables INPUT policy is DROP

When I block all incoming traffic, I have no internet. Why? This is the terminal output:

dev@dev-pc:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
dev@dev-pc:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=4.02 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=4.29 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=60 time=4.13 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 4.016/4.145/4.292/0.113 ms
dev@dev-pc:~$ sudo iptables -P INPUT DROP
dev@dev-pc:~$ sudo iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
dev@dev-pc:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6146ms

dev@dev-pc:~$ sudo iptables -P INPUT ACCEPT
dev@dev-pc:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=4.05 ms
^C
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.050/4.050/4.050/0.000 ms
dev@dev-pc:~$ sudo ifconfig -a
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 109.108.244.148  netmask 255.255.255.0  broadcast 109.108.244.255
        inet6 fe80::b40:30c2:cb8:9e22  prefixlen 64  scopeid 0x20<link>
        ether 00:08:22:b8:b5:fd  txqueuelen 1000  (Ethernet)
        RX packets 124470  bytes 165771256 (165.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 66049  bytes 5942125 (5.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 132  bytes 11315 (11.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 132  bytes 11315 (11.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp2s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether ea:15:31:9c:86:67  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

How do I fix it?

Answer 1

For your example use case, each ping 1.1.1.1 involves 2 packets: an outgoing ICMP echo request packet and an incoming ICMP echo reply packet, at least if the destination actually replies.

The concise answer to your first question, "Why do I have no internet when I block all incoming traffic?", is: because you reject all incoming traffic, nobody can respond.

Now, for your second question, "How do I fix it?":

iptables is able to look at a packet and determine whether it is a reply to, or in some way related to, an earlier outgoing, locally initiated packet. So you can create an iptables rule that lets such packets bypass the DROP default handling of the INPUT chain:

sudo iptables -A INPUT -i enp3s0 -d 109.108.244.148 -m state --state ESTABLISHED,RELATED -j ACCEPT

Note: you should also allow local loopback connections, because internal tasks sometimes communicate over that interface:

sudo iptables -A INPUT -i lo -j ACCEPT

Below is an example implementation of this answer, using your example ping:

doug@s18:~$ ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=24.6 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=25.9 ms

--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 24.597/25.260/25.923/0.663 ms

doug@s18:~$ sudo iptables -P INPUT DROP
doug@s18:~$ ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

--- 1.1.1.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1061ms

doug@s18:~$ sudo iptables -A INPUT -i enp3s0 -d 192.168.111.122 -m state --state ESTABLISHED,RELATED -j ACCEPT
doug@s18:~$ ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=25.1 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=24.9 ms

--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 24.911/25.012/25.113/0.101 ms
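The answer above sets the DROP policy first and adds the ESTABLISHED,RELATED exception afterwards, which leaves a window in which every reply is dropped (and locks you out if you are working over SSH). The following script is an added example, not part of the question or the answer: it generates the same stateful INPUT ruleset in iptables-restore format and loads it atomically, so the policy and the exceptions take effect together. It assumes the interface name is passed as the first argument (e.g. enp3s0), that iptables-restore is installed, and it uses -m conntrack --ctstate, the current form of the -m state --state match shown in the answer.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code).
# Builds a minimal stateful INPUT ruleset and applies it atomically with
# iptables-restore, so there is no moment where INPUT is DROP without the
# ESTABLISHED,RELATED exception. Assumes: $1 = interface name (e.g. enp3s0).

gen_stateful_input_rules() {
    iface="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local services talk to each other over lo
-A INPUT -i lo -j ACCEPT
# replies to locally initiated traffic (ping replies, TCP/UDP answers)
-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (e.g. stray ACKs) are dropped explicitly
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Sanity check before loading: returns 0 only if the ruleset sets the INPUT
# policy to DROP AND keeps the loopback and ESTABLISHED,RELATED exceptions.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    return 0
}

# Parse with --test first (no commit), then load the whole table in one step.
apply_rules() {
    iface="$1"
    rules="$(gen_stateful_input_rules "$iface")"
    check_ruleset "$rules" || { echo "ruleset failed sanity check" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test &&
    printf '%s\n' "$rules" | iptables-restore
}

# Usage (as root): apply_rules enp3s0
```

Because iptables-restore replaces the filter table in one transaction, a ping started before the load keeps receiving replies after it, unlike the step-by-step sequence in the answer.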
