ufw does not put a custom rule in the correct position after a reboot

My recurring problem is that as soon as knockd closes the port, I lose my ssh connection to Ubuntu 23.10. I would like it to keep the existing connections open.

I have a custom rule

> iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

which solves my problem once it is added. When I add the rule to

> ufw/before.rules

as the first possible rule, so that it is loaded that way at boot, and then run

ufw reload

the rule appears at position #2 as it should, and knockd behaves as expected/required.

But after a reboot, ufw puts my custom rule at position #4, and knockd does not work as expected until I issue the

ufw reload

command. After that my custom rule appears at both position #2 and position #4, and knockd behaves the way it should.

yoda@email:~$ sudo iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    f2b-ufw    tcp  --  anywhere             anywhere            
4    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
5    ufw-before-logging-input  all  --  anywhere             anywhere            
6    ufw-before-input  all  --  anywhere             anywhere            
7    ufw-after-input  all  --  anywhere             anywhere            
8    ufw-after-logging-input  all  --  anywhere             anywhere            
9    ufw-reject-input  all  --  anywhere             anywhere            
10   ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    ufw-before-logging-forward  all  --  anywhere             anywhere            
2    ufw-before-forward  all  --  anywhere             anywhere            
3    ufw-after-forward  all  --  anywhere             anywhere            
4    ufw-after-logging-forward  all  --  anywhere             anywhere            
5    ufw-reject-forward  all  --  anywhere             anywhere            
6    ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ufw-before-logging-output  all  --  anywhere             anywhere            
2    ufw-before-output  all  --  anywhere             anywhere            
3    ufw-after-output  all  --  anywhere             anywhere            
4    ufw-after-logging-output  all  --  anywhere             anywhere            
5    ufw-reject-output  all  --  anywhere             anywhere            
6    ufw-track-output  all  --  anywhere             anywhere            

Chain f2b-sshd (1 references)
num  target     prot opt source               destination         
1    REJECT     all  --  agmk.uz              anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  178.128.84.59        anywhere             reject-with icmp-port-unreachable
3    REJECT     all  --  124.156.200.144      anywhere             reject-with icmp-port-unreachable
4    REJECT     all  --  162.62.135.19        anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  167.172.103.180      anywhere             reject-with icmp-port-unreachable
6    RETURN     all  --  anywhere             anywhere            

Chain f2b-ufw (1 references)
num  target     prot opt source               destination         
1    REJECT     all  --  scan-43n.shadowserver.org  anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  45-79-145-84.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
3    REJECT     all  --  143-42-1-52.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
4    REJECT     all  --  104-237-156-209.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  143-42-1-123.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
6    REJECT     all  --  173-255-221-22.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
7    REJECT     all  --  194.33.191.29        anywhere             reject-with icmp-port-unreachable
8    REJECT     all  --  45-79-92-218.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
9    REJECT     all  --  80.66.83.49          anywhere             reject-with icmp-port-unreachable
10   REJECT     all  --  79.110.62.153        anywhere             reject-with icmp-port-unreachable
11   REJECT     all  --  79.110.62.184        anywhere             reject-with icmp-port-unreachable
12   REJECT     all  --  recyber.net          anywhere             reject-with icmp-port-unreachable
13   REJECT     all  --  apzg-0721m-038.stretchoid.com  anywhere             reject-with icmp-port-unreachable
14   REJECT     all  --  carthage.scan.bufferover.run  anywhere             reject-with icmp-port-unreachable
15   REJECT     all  --  173-255-210-89.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
16   REJECT     all  --  131.150.216.162.bc.googleusercontent.com  anywhere             reject-with icmp-port-unreachable
17   REJECT     all  --  115.146.127.123      anywhere             reject-with icmp-port-unreachable
18   REJECT     all  --  143-42-164-204.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
19   REJECT     all  --  proxychecker.vultr.com  anywhere             reject-with icmp-port-unreachable
20   REJECT     all  --  apzg-0721-a-076.stretchoid.com  anywhere             reject-with icmp-port-unreachable
21   REJECT     all  --  192-155-84-194.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable
22   REJECT     all  --  79.110.62.78         anywhere             reject-with icmp-port-unreachable
23   REJECT     all  --  ip-58-18.4vendeta.com  anywhere             reject-with icmp-port-unreachable
24   REJECT     all  --  45-56-83-149.ip.linodeusercontent.com  anywhere             reject-with icmp-port-unreachable

Chain ufw-after-forward (1 references)
num  target     prot opt source               destination         

Chain ufw-after-input (1 references)
num  target     prot opt source               destination         
1    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
2    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
3    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
4    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
5    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
6    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
7    ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
num  target     prot opt source               destination         
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
num  target     prot opt source               destination         
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
num  target     prot opt source               destination         

Chain ufw-after-output (1 references)
num  target     prot opt source               destination         

Chain ufw-before-forward (1 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
3    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
4    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
5    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
6    ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
4    DROP       all  --  anywhere             anywhere             ctstate INVALID
5    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
6    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
7    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
8    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
9    ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
10   ufw-not-local  all  --  anywhere             anywhere            
11   ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
12   ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
13   ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
num  target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
num  target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
num  target     prot opt source               destination         

Chain ufw-before-output (1 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
num  target     prot opt source               destination         
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
num  target     prot opt source               destination         
1    RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
2    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
2    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
3    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
4    ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
5    DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
num  target     prot opt source               destination         

Chain ufw-reject-input (1 references)
num  target     prot opt source               destination         

Chain ufw-reject-output (1 references)
num  target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
num  target     prot opt source               destination         
1    DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
num  target     prot opt source               destination         
1    DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
num  target     prot opt source               destination         

Chain ufw-track-input (1 references)
num  target     prot opt source               destination         

Chain ufw-track-output (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
2    ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
num  target     prot opt source               destination         

Chain ufw-user-input (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s

Chain ufw-user-limit (0 references)
num  target     prot opt source               destination         
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
2    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
num  target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
num  target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
num  target     prot opt source               destination         

Chain ufw-user-output (1 references)
num  target     prot opt source               destination

How can I get my rule loaded into the correct position in the firewall at boot so that knockd works?

Answer 1

So,

cat /lib/systemd/system/ufw.service

shows that ufw starts before the network is up (Before=network.target). However,

cat /lib/systemd/system/knockd.service

shows that knockd does not start until the network is online (After=network-online.target).

You can create a simple systemd service that runs ufw reload after knockd is running.

Run the following command to create and edit the new systemd service file (or use your favorite text editor):

sudo nano /etc/systemd/system/ufwreload.service

Copy and paste the following into the file:

[Unit]
Description=Reload ufw after knockd is started
After=knockd.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/ufw reload

[Install]
WantedBy=multi-user.target

When you are done editing, press CTRL+o to save the file, then CTRL+x to exit nano.

Then run the following commands so that your service starts automatically once knockd is running after a reboot.

sudo systemctl daemon-reload
sudo systemctl enable ufwreload

The only complication I can think of is that if there is a problem starting knockd, the service may not start, so please post any errors or problems in the comments; you might also be able to change After=knockd.service to something else, such as After=NetworkManager-wait-online.service, as a workaround.

Alternatively, you could run ufw reload as a cron job a certain number of minutes or seconds after reboot to give knockd a chance to start.

For example, run the following command to create and edit a new cronjob:

sudo crontab -e

Next, choose your favorite text editor at the prompt, or pick the number for nano if you do not have a favorite.

Then copy and paste the following at the end of the file:

@reboot sleep 180 && /usr/sbin/ufw reload

Save the file when you are done, and the ufw reload command should run 3 minutes (180 seconds) after the next reboot.

Use sudo crontab -e to edit your cronjob in case you need to adjust the delay after reboot (from 180 seconds to something else).

The problem you may run into here is that ufw reload runs at the set time regardless of whether knockd is running or your network is up. So you may occasionally need to run ufw reload again, but the cronjob should save you from reloading ufw manually in most cases, provided the time you set is not too soon after reboot (i.e. before knockd is running rather than after, when it is needed).
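As an added check, not part of the answer above, here is a small script that parses the output of iptables -L INPUT --line-numbers and reports the two symptoms the question describes: the conntrack ACCEPT rule sitting lower than position 2 after a reboot, and the same rule being present twice after a later ufw reload. The listings inside it are constructed samples modelled on the question's output, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks where the
# conntrack ACCEPT rule sits in the INPUT chain and whether it is
# duplicated. The two listings are constructed samples.

SAMPLE_AFTER_RELOAD='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    f2b-ufw    tcp  --  anywhere             anywhere
4    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
5    ufw-before-logging-input  all  --  anywhere             anywhere'

SAMPLE_OK='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-before-logging-input  all  --  anywhere             anywhere'

# Print the rule number of every ACCEPT rule matching ctstate
# RELATED,ESTABLISHED in the listing passed as $1, one per line.
conntrack_rule_positions() {
    printf '%s\n' "$1" | awk '$2 == "ACCEPT" && /ctstate RELATED,ESTABLISHED/ { print $1 }'
}

# Return 0 when exactly one such rule exists and its position is at most
# $2 (default 2, i.e. right after the fail2ban jump); otherwise print a
# one-line diagnosis and return 1.
check_conntrack_rule() {
    listing=$1
    max_pos=${2:-2}
    positions=$(conntrack_rule_positions "$listing")
    count=$(printf '%s\n' "$positions" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "no conntrack ACCEPT rule in INPUT"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "conntrack ACCEPT rule duplicated at positions: $(printf '%s' "$positions" | tr '\n' ' ')"
        return 1
    fi
    if [ "$positions" -gt "$max_pos" ]; then
        echo "conntrack ACCEPT rule at position $positions, expected at most $max_pos"
        return 1
    fi
    return 0
}
```

On a live system, call check_conntrack_rule "$(sudo iptables -L INPUT --line-numbers)" after boot; a non-zero exit from the ufwreload service or cron job's follow-up check tells you the reload did not leave the chain in the intended state.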
