我想向 iptables 添加一些规则这关于通过 vpn(我的情况是 surfshark)传输来自 torrent 程序的流量的问题和答案。
至少有两个答案用于iptables -F在添加自定义规则之前刷新表格。
其中一个答案特别提到了无头服务器(就像我的一样)。所以我认为这应该可行。
但如果我使用,iptables -F我会立即被踢出与服务器的 ssh 会话。我无法在终端上输入任何新命令,必须重新启动服务器才能再次登录。
我在服务器上运行了一个防火墙,允许每个 IP 访问端口 22。
为了澄清起见,我将添加应用接受答案之前和之后的一些输出:
之前(通知policy DROP):
$ sudo iptables -xvnL
Chain INPUT (policy DROP 21 packets, 5628 bytes)
pkts bytes target prot opt in out source destination
387 31969 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
27008 50413306 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
27008 50413306 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
153 26176 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
21 5628 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
21 5628 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
21 5628 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 7 packets, 324 bytes)
pkts bytes target prot opt in out source destination
7130 870596 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
7130 870596 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
997 113175 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
997 113175 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
997 113175 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
997 113175 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
后:
$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 12648 packets, 12M bytes)
这是我设置之后到,然后刷新,然后添加其他答案的policy ACCEPT规则transmission-daemon这里,然后使用 使此设置在重启后保留sudo dpkg-reconfigure iptables-persistent,重启并登录ssh。我现在想这样做policy DROP,但这会再次将我踢出。
也许很有趣:我停用了ufw防火墙以确保万无一失。在我重新激活它之后,它也把我扔出去了(虽然policy ACCEPT)。当然我有一条allow 22规则。我必须重新启动,然后才能使用正常工作的防火墙再次登录。
我对此缺乏了解,并且一定会调查。我不知道如果主策略是并且防火墙打开了,iptables激活防火墙如何能将我拒之门外。ACCEPT22
$ sudo iptables -xvnL
[sudo] Passwort für ben:
Chain INPUT (policy ACCEPT 34981 packets, 9871660 bytes)
pkts bytes target prot opt in out source destination
121 15110 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
134 12445 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 19730 packets, 3108705 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.100.0/25 tcp spt:9091 owner GID match 136
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 192.168.100.0/25 udp spt:9091 owner GID match 136
0 0 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0 owner GID match 136
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 owner GID match 136
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 136 reject-with icmp-port-unreachable
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
121 15110 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-deny (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-not-local (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (0 references)
pkts bytes target prot opt in out source destination
这里是防火墙规则:
$ sudo ufw status
Status: Aktiv
Zu Aktion Von
-- ------ ---
22 ALLOW 192.168.100.0/24
5900 ALLOW 192.168.100.0/24 # vnc
1900 ALLOW 192.168.100.0/24 # minidlna
8200 ALLOW 192.168.100.0/24 # minidlna
445 ALLOW 192.168.100.0/24 # cifs
5901 ALLOW 192.168.100.0/24 # vnc
5902 ALLOW 192.168.100.0/24 # vnc
还有一件事:我有eth0接口吗?我的 ZOTAC mini PC 有两个以太网连接我只是感到困惑,为什么eth0没有出现。设置规则的脚本使用IFACE_INTERNAL=eth0。这可能是个问题吗?
$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 00:01:2e:4d:52:96 brd ff:ff:ff:ff:ff:ff
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 00:01:2e:4d:52:9b brd ff:ff:ff:ff:ff:ff
4: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:d2:92:57:c2:53 brd ff:ff:ff:ff:ff:ff
答案1
是的,这iptables -F chain将刷新该链的所有 iptables 规则,因此只会使用默认策略规则。
您的参考资料的默认策略似乎是ACCEPT,而您计算机上的默认策略是DROP。
通过 检查sudo iptables -xvnL。如果您想删除链中的所有规则,但保留 ssh 会话,请将默认策略更改为first。在设置好所需的规则并确认 ssh 数据包不再依赖默认策略通过后,ACCEPT您可以将其改回。DROP
sudo iptables -P INPUT ACCEPT
您可能也需要在 OUTPUT 链上使用它。