iptables MAC address filtering does not work

I blocked all ports by default with ufw

and added the following iptables rule:

sudo iptables -A INPUT -p tcp --dport 1723 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

Then I listed the iptables INPUT rules:

sudo iptables -L INPUT --line-numbers

Chain INPUT (policy DROP)
num  target                    prot opt source               destination
1    ACCEPT                    udp  --  anywhere             anywhere            udp dpt:domain
2    ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:domain
3    ACCEPT                    udp  --  anywhere             anywhere            udp dpt:bootps
4    ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:bootps
5    ufw-before-logging-input  all  --  anywhere             anywhere
6    ufw-before-input          all  --  anywhere             anywhere
7    ufw-after-input           all  --  anywhere             anywhere
8    ufw-after-logging-input   all  --  anywhere             anywhere
9    ufw-reject-input          all  --  anywhere             anywhere
10   ufw-track-input           all  --  anywhere             anywhere
11   ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:1723 MAC 00:11:22:33:44:55

But I cannot reach my-server:1723

Is anything wrong?

I am using Ubuntu 11.10

Edit 01:

I added the following:

*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

-A ufw-before-input -p tcp --dport 1723 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

Then I listed the rules:

sudo iptables -L  ufw-before-input  --line-numbers
Chain ufw-before-input (1 references)
num  target           prot opt source               destination
1    ACCEPT           tcp  --  anywhere             anywhere            tcp dpt:1723 MAC 00:11:22:33:44:55
2    ACCEPT           all  --  anywhere             anywhere
3    ACCEPT           all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    ufw-logging-deny all  --  anywhere             anywhere            state INVALID
5    DROP             all  --  anywhere             anywhere            state INVALID
6    ACCEPT           icmp --  anywhere             anywhere            icmp destination-unreachable
7    ACCEPT           icmp --  anywhere             anywhere            icmp source-quench
8    ACCEPT           icmp --  anywhere             anywhere            icmp time-exceeded
9    ACCEPT           icmp --  anywhere             anywhere            icmp parameter-problem
10   ACCEPT           icmp --  anywhere             anywhere            icmp echo-request
11   ACCEPT           udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
12   ufw-not-local    all  --  anywhere             anywhere
13   ACCEPT           udp  --  anywhere             224.0.0.251         udp dpt:mdns
14   ACCEPT           udp  --  anywhere             239.255.255.250     udp dpt:1900
15   ufw-user-input   all  --  anywhere             anywhere

Still not working... after sudo service ufw restart, of course. I still cannot connect to the server on 1723.

Answer 1

Rule 9 in the INPUT chain jumps to ufw-reject-input, which in turn rejects the packet.

If you want your additions to work together with ufw, I suggest reading the documentation shown by man ufw-framework.

You can achieve what you want by creating /etc/ufw/before.rules with the following content:

*filter
-A ufw-before-input -p tcp --dport 1723 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
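The ordering problem the answer describes can be checked mechanically. The script below is an added example, not part of the original answer: it reads the output of iptables -L INPUT --line-numbers (here the listing from the question, embedded as a constructed sample so it runs offline) and prints the numbers of every rule that sits below the ufw-reject-input jump. A rule in that position is reached only by packets that fall through ufw-reject-input, so an ACCEPT appended with iptables -A lands where ufw's own processing has already had its say. The function name and the sample variable are this example's own.

```shell
#!/bin/sh
# Constructed sample: the INPUT listing from the question, embedded so the
# check runs without root. On a live host, pipe in:
#   sudo iptables -L INPUT --line-numbers | shadowed_after_reject
SAMPLE_INPUT='Chain INPUT (policy DROP)
num  target                    prot opt source               destination
1    ACCEPT                    udp  --  anywhere             anywhere            udp dpt:domain
2    ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:domain
3    ACCEPT                    udp  --  anywhere             anywhere            udp dpt:bootps
4    ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:bootps
5    ufw-before-logging-input  all  --  anywhere             anywhere
6    ufw-before-input          all  --  anywhere             anywhere
7    ufw-after-input           all  --  anywhere             anywhere
8    ufw-after-logging-input   all  --  anywhere             anywhere
9    ufw-reject-input          all  --  anywhere             anywhere
10   ufw-track-input           all  --  anywhere             anywhere
11   ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:1723 MAC 00:11:22:33:44:55'

# Read an iptables chain listing on stdin and print, space separated, the
# rule numbers of every rule placed after the jump to ufw-reject-input.
# Those rules only see packets that ufw-reject-input let fall through.
shadowed_after_reject() {
    awk '
        # skip the "Chain ..." and "num target ..." header lines
        /^Chain / || /^num / { next }
        # after the reject jump has been seen, record every later rule number
        seen { out = out (out == "" ? "" : " ") $1; next }
        # column 2 is the target; the jump to ufw-reject-input marks the cut
        $2 == "ufw-reject-input" { seen = 1 }
        END { print out }
    '
}

# Run the check against the embedded sample.
check_sample() {
    printf '%s\n' "$SAMPLE_INPUT" | shadowed_after_reject
}

echo "Rules placed after the ufw-reject-input jump: $(check_sample)"
```

For the question's listing this reports rules 10 and 11, which is exactly the appended MAC rule; the fix in the answer moves that rule into ufw-before-input, which the INPUT chain consults at rule 6, before the reject jump.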

Answer 2

Are the two machines on the same Ethernet subnet? MAC addresses are only valid locally within the subnet. If there is a router in between, the server will see the MAC address of the last router the packet passed through.

Also, iptables -v -L is handy for debugging, because you can see which rules have been hit.
