我的ufw已启用并且仅允许 ssh 和 wireguard:
# ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
51820/udp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
51820/udp (v6) ALLOW Anywhere (v6)
#
我还通过 BGP(端口 179)上的主机 169.254.169.254 进行通信。虽然我没有不是允许它。为什么??
是因为 169.254.169.254 是链路本地地址吗?(有趣的是,接口确实不是定义链接本地地址。通信通过默认网关进行。这是 Vultr 托管上的设置)。
我研究了 iptables,但我不知道如何接受这些数据包:链 ufw-not-local 引用了本地地址:
# iptables -v -L ufw-not-local
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
508 30944 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
125 6739 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
0 0 DROP all -- any any anywhere anywhere
#
但是,这是 RETURN,而不是 ACCEPT!ufw-not-local 由 ufw-before-input 调用,后者将返回到 INPUT。而 INPUT 有策略 DROP。
编辑:完整iptables -xvnL输出:
Chain INPUT (policy DROP 8 packets, 885 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
750 227375 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
362606 147280078 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
362606 147280078 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
333869 128555765 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
333212 128523819 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
333212 128523819 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
333212 128523819 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 216 packets, 10004 bytes)
pkts bytes target prot opt in out source destination
22278 14578660 ACCEPT all -- * lxcbr0 0.0.0.0/0 0.0.0.0/0
4853 256884 ACCEPT all -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0
1080537 59537850 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1080537 59537850 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1079360 59452755 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1079360 59452755 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1079360 59452755 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1079360 59452755 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
424797 45621305 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
424797 45621305 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
399178 42100854 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
399178 42100854 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
399178 42100854 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
399178 42100854 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
142 17992 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
16 1305 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
16 1305 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
150 18656 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 52 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
11 1232 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
13 1092 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
214 9920 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
3 120 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
7 845 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
10 464 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
3 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
12 1125 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
4 180 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
5 300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0