I run a high-traffic NTP server, and the following rules are absolutely necessary to keep my conntrack table from overflowing immediately (no matter how large it is):
iptables -t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
ip6tables -t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
ip6tables -t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
I'm looking for the best way to apply these rules automatically at boot. They need to be applied as soon as UFW starts, otherwise the conntrack table fills up within seconds. (Please don't suggest increasing the conntrack table size; I simply don't want to waste resources tracking these connections, and to do so the table would have to be enormous, probably larger than the server can handle.)
I first tried adding them to /etc/ufw/before.rules and before6.rules, as shown below, at the end of the files:
# tail before.rules before6.rules
==> before.rules <==
(stuff that was already there)
-t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
-t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
==> before6.rules <==
(stuff that was already there)
-t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
-t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
However, after rebooting the system had no network connectivity, and I found the following errors:
ERROR: problem running ufw-init
iptables-restore v1.8.4 (legacy): The -t option (seen in line 75) cannot be used in iptables-restore.
Error occurred at line: 75
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ip6tables-restore v1.8.4 (legacy): The -t option (seen in line 142) cannot be used in ip6tables-restore.
Error occurred at line: 142
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/before6.rules'
Next I tried removing "-t raw":
# tail before.rules before6.rules
==> before.rules <==
(stuff that was already there)
-A PREROUTING -p udp --dport 123 -j NOTRACK
-A OUTPUT -p udp --sport 123 -j NOTRACK
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
==> before6.rules <==
(stuff that was already there)
-A PREROUTING -p udp --dport 123 -j NOTRACK
-A OUTPUT -p udp --sport 123 -j NOTRACK
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
This again cut off network connectivity and raised errors:
ERROR: problem running ufw-init
iptables-restore: line 75 failed
ip6tables-restore: line 142 failed
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/before6.rules'
What is the best way to handle this?
Ubuntu 20.04.2 LTS
Edit: After some experimenting with "iptables-save", I tried adding the following to the file:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 123 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 123 -j NOTRACK
But I keep getting the same error:
# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
Bad argument `*raw'
Error occurred at line: 75
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Problem running '/etc/ufw/before.rules'
and my server's network connectivity is broken until I disable UFW or remove the added lines from the file and reload UFW.
Answer 1
My first mistake was trying to add the "raw" rules to the existing block, which is defined as the "filter" block. I needed to add a brand-new "raw" block with its own COMMIT, like this:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 123 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 123 -j NOTRACK
COMMIT
I tried adding it at the end of the file (after the existing "COMMIT"), but for some reason it still errored, yet when I added it at the beginning of the file it worked. Not sure why.
So the overall structure of before.rules and before6.rules now looks like this:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
(my rules here)
COMMIT
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
(existing rules here)
COMMIT
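An added example, not from the question or the answer above: a small POSIX shell/awk lint that checks an iptables-restore file for the structural mistakes this thread ran into (a `-t` option on a rule line, a `*raw` header opened inside a `*filter` block that has no COMMIT yet, a rule outside any table block, and a NOTRACK rule outside the raw table, where that target is not available). It only reads a file and never touches the live firewall. The two sample files are constructed here; their shortened chain names and temporary paths are assumptions, while the NTP rules themselves are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the original post: a structural lint for
# iptables-restore input files such as /etc/ufw/before.rules. It catches:
#   - a "-t <table>" option on a rule line (not allowed in restore files)
#   - a "*table" header opened while the previous table has no COMMIT
#   - a rule or ":chain" line outside any *table ... COMMIT block
#   - a NOTRACK rule outside the raw table, where it cannot work
# Nothing here touches the live firewall; it only reads a file.

# check_restore_file FILE
# Prints one diagnostic per problem; exit status 0 if the file is
# well-formed, 1 otherwise.
check_restore_file() {
    awk '
    BEGIN { table = ""; bad = 0 }
    /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank lines and comments
    /^\*/ {                                     # "*raw", "*filter", ...
        if (table != "") {
            printf "line %d: *%s opened while *%s still has no COMMIT\n", NR, substr($1, 2), table
            bad = 1
        }
        table = substr($1, 2)
        next
    }
    /^COMMIT[ \t]*$/ {                          # closes the current table
        if (table == "") { printf "line %d: COMMIT with no open table\n", NR; bad = 1 }
        table = ""
        next
    }
    {                                           # ":chain POLICY" or a rule
        if (table == "") {
            printf "line %d: rule outside any *table block\n", NR
            bad = 1
            next
        }
        if ($0 ~ /^:/) next                     # chain policy line, nothing to check
        for (i = 1; i <= NF; i++)
            if ($i == "-t" || $i == "--table") {
                printf "line %d: -t cannot be used in a restore file; put the rule in a *%s block\n", NR, $(i + 1)
                bad = 1
                next
            }
        if ($0 ~ /-j NOTRACK/ && table != "raw") {
            printf "line %d: NOTRACK only works in the raw table, not *%s\n", NR, table
            bad = 1
        }
    }
    END {
        if (table != "") { printf "end of file: *%s never committed\n", table; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample matching the answer: a raw block with its own COMMIT
# ahead of the filter block. (Chain names shortened; not a full UFW file.)
write_good_rules() {
    cat > "$1" <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 123 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 123 -j NOTRACK
COMMIT

*filter
:ufw-before-input - [0:0]
# don't delete the 'COMMIT' line or these rules won't be processed
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF
}

# Constructed sample reproducing the failed attempts from the question:
# four distinct problems, so check_restore_file prints four lines.
write_bad_rules() {
    cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
-A OUTPUT -p udp --sport 123 -j NOTRACK
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 123 -j NOTRACK
COMMIT
-A OUTPUT -p udp --sport 123 -j NOTRACK
EOF
}

# Stand-alone usage: lint the two constructed files.
dir=$(mktemp -d)
write_good_rules "$dir/good.rules"
write_bad_rules "$dir/bad.rules"
check_restore_file "$dir/good.rules" && echo "good.rules: ok"
check_restore_file "$dir/bad.rules" || echo "bad.rules: problems found"
rm -rf "$dir"
```

On the server itself the authoritative check is `iptables-restore --test < /etc/ufw/before.rules` (and `ip6tables-restore --test < /etc/ufw/before6.rules`), which parses the file without committing it; running that before `ufw reload` or `ufw enable` avoids the loss of connectivity described in the question. The lint above is only a quick structural pre-check that needs no root.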