I am new to network and system security. I am trying to set up an openconnect server following the tutorial at this link. I have also seen similar questions, such as this one, but they make no sense to me.
From the latter link, I tried the following commands:
ufw allow from any to any port 80 proto tcp
ufw allow from any to any port 443 proto tcp
and updated the rules.
Whenever I try to connect from a different client, it connects without any error, but after running the openconnect command I see the following errors in journalctl -xe:
Mar 23 23:49:09 vubuntup systemd-udevd[3086]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Mar 23 23:49:09 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=86 TOS=0x00 PREC=0x00 TTL=63 ID=23018 DF PROTO=UDP SPT=54561 DPT=53 LEN=66
Mar 23 23:49:09 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=86 TOS=0x00 PREC=0x00 TTL=63 ID=23019 DF PROTO=UDP SPT=45309 DPT=53 LEN=66
Mar 23 23:49:10 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=86 TOS=0x00 PREC=0x00 TTL=63 ID=23020 DF PROTO=UDP SPT=35143 DPT=53 LEN=66
Mar 23 23:49:10 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=23022 DF PROTO=UDP SPT=53252 DPT=53 LEN=53
Mar 23 23:49:10 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=23023 DF PROTO=UDP SPT=53252 DPT=53 LEN=53
Mar 23 23:49:10 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=86 TOS=0x00 PREC=0x00 TTL=63 ID=23242 DF PROTO=UDP SPT=49740 DPT=53 LEN=66
Mar 23 23:49:10 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=23247 DF PROTO=UDP SPT=52776 DPT=53 LEN=56
Mar 23 23:49:10 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=23248 DF PROTO=UDP SPT=39666 DPT=53 LEN=60
Mar 23 23:49:10 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=82 TOS=0x00 PREC=0x00 TTL=63 ID=23249 DF PROTO=UDP SPT=54183 DPT=53 LEN=62
Mar 23 23:49:12 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=23498 DF PROTO=UDP SPT=43564 DPT=53 LEN=58
Mar 23 23:49:13 vubuntup kernel: [UFW BLOCK] IN=eth0 OUT= MAC=96:00:00:a2:aa:12:d2:74:7f:6e:37:e3:08:00 SRC=79.124.62.82 DST=168.119.122.56 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=31435 PROTO=TCP SPT=46111 DPT=6451
Whenever I disable the firewall (using sudo systemctl stop ufw) the problem goes away, but I am trying to find a more secure way to solve this.
sudo iptables -xvnL
Chain INPUT (policy DROP 1021 packets, 47864 bytes)
pkts bytes target prot opt in out source destination
39620 9742848 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
39620 9742848 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
20032 7222149 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
19700 7205009 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
19700 7205009 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
19700 7205009 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 374 packets, 26353 bytes)
pkts bytes target prot opt in out source destination
29636 19146411 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
29636 19146411 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
4 208 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 120 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
6 328 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-d8d1af57a27c 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-d8d1af57a27c 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-d8d1af57a27c !br-d8d1af57a27c 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-d8d1af57a27c br-d8d1af57a27c 0.0.0.0/0 0.0.0.0/0
29624 19145755 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
29624 19145755 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
28854 19005308 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
28854 19005308 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
28854 19005308 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
28854 19005308 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
32431 17634866 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
32431 17634866 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
13902 14762947 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
13902 14762947 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
13902 14762947 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
13902 14762947 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
6 328 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-d8d1af57a27c !br-d8d1af57a27c 0.0.0.0/0 0.0.0.0/0
29636 19146411 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-d8d1af57a27c 0.0.0.0/0 0.0.0.0/0
6 328 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
29636 19146411 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
2 156 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
1 40 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
311 16020 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
53 4058 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
799 34366 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
770 140447 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT all -- * * 10.10.10.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 10.10.10.0/24
1331 104563 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
13668 1801149 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
24 2325 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
24 2325 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
231 19032 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
3423 172829 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
3423 172829 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
14216 2388299 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9 684 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
24 2325 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
3423 172829 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
314 16216 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
9 684 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.10.10.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* 'dapp_Bind9' */
53 4196 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* 'dapp_Bind9' */
67 3324 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
753 44844 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
1 167 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4443
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28225
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:28225
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
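Added example (not part of the question or of the ufw/openconnect projects): the kernel lines above carry both IN=vpns0 and OUT=eth0, which means the packets were dropped while being forwarded from the VPN tunnel to the uplink, not while entering the host. The two "ufw allow ... port 80/443" rules only touch the INPUT chain, so they cannot affect these drops, and the FORWARD chain here has policy DROP with an explicit accept only for 10.10.10.0/24, not for the 10.12.0.0/24 addresses the clients are using. The script below parses "[UFW BLOCK]" lines, sorts them by chain, and prints the matching "ufw route allow" rule for each forwarded flow from the VPN subnet. The VPN subnet 10.12.0.0/24 and the sample log text are assumptions built from the quoted lines; the rule syntax is standard ufw "route" syntax.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the kernel lines quoted in the question.
SAMPLE_LOG = """\
Mar 23 23:49:09 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=86 TOS=0x00 PREC=0x00 TTL=63 ID=23018 DF PROTO=UDP SPT=54561 DPT=53 LEN=66
Mar 23 23:49:10 vubuntup kernel: [UFW BLOCK] IN=vpns0 OUT=eth0 MAC= SRC=10.12.0.110 DST=8.8.8.8 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=23022 DF PROTO=UDP SPT=53252 DPT=53 LEN=53
Mar 23 23:49:13 vubuntup kernel: [UFW BLOCK] IN=eth0 OUT= MAC=96:00:00:a2:aa:12:d2:74:7f:6e:37:e3:08:00 SRC=79.124.62.82 DST=168.119.122.56 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=31435 PROTO=TCP SPT=46111 DPT=6451
Mar 23 23:49:09 vubuntup systemd-udevd[3086]: link_config: autonegotiation is unset or enabled.
"""

# key=value tokens; a bare token such as "DF" has no "=" and is skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_ufw_block(line):
    """Return the key=value fields of a '[UFW BLOCK]' kernel line, or None for other lines.
    LEN appears twice (IP header and UDP header); the dict keeps the last one."""
    marker = "[UFW BLOCK] "
    idx = line.find(marker)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(marker):]))

def chain_of(fields):
    """Netfilter chain that logged the drop: IN and OUT both set -> FORWARD,
    only IN set -> INPUT, only OUT set -> OUTPUT."""
    if fields.get("IN") and fields.get("OUT"):
        return "FORWARD"
    if fields.get("IN"):
        return "INPUT"
    return "OUTPUT"

def summarize(log_text, vpn_net="10.12.0.0/24"):
    """Count blocked packets per chain and collect forwarded flows whose source is in the VPN subnet.
    vpn_net is an assumption taken from the 10.12.0.110 client address in the question."""
    net = ip_network(vpn_net)
    per_chain = Counter()
    vpn_forward = Counter()
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if f is None:
            continue
        chain = chain_of(f)
        per_chain[chain] += 1
        if chain == "FORWARD" and ip_address(f["SRC"]) in net:
            key = (f["IN"], f["OUT"], f.get("PROTO", "").lower(), f.get("DPT", ""))
            vpn_forward[key] += 1
    return per_chain, vpn_forward

def suggested_rules(vpn_forward, vpn_net="10.12.0.0/24"):
    """One 'ufw route allow' rule per observed (in, out, proto, dport) flow.
    Flows without a destination port (ICMP) get a rule without a port clause."""
    rules = []
    for (in_if, out_if, proto, dport), _count in sorted(vpn_forward.items()):
        port_clause = f" port {dport}" if dport else ""
        rules.append(
            f"ufw route allow in on {in_if} out on {out_if} "
            f"from {vpn_net} to any{port_clause} proto {proto}"
        )
    return rules

if __name__ == "__main__":
    chains, flows = summarize(SAMPLE_LOG)
    print(dict(chains))            # which chain is doing the dropping
    for rule in suggested_rules(flows):
        print(rule)                # least-privilege rules for exactly the observed flows
```

Run against the quoted lines, the summary reports two FORWARD drops (the VPN client's DNS queries) and one unrelated INPUT drop from the Internet to port 6451, which ufw is right to keep blocking. Allowing only the observed flows keeps the FORWARD policy at DROP instead of stopping ufw altogether; if the clients need general Internet access, the rule can be widened to the whole subnet with "ufw route allow in on vpns0 out on eth0 from 10.12.0.0/24". Forwarded VPN traffic to public addresses also needs a masquerade (NAT) rule on eth0, which ufw keeps in the "*nat" section of /etc/ufw/before.rules rather than in its CLI rules; the question does not show that part of the setup.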