我很困惑。这是我的 iptables 配置:
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:8181
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:8008
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
我很困惑 Chain INPUT 中有以下两行:
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
我实际上无法确定端口 25 或 587(运行 postfix 的地方)是从外部打开的,还是 MySQL 端口 3306。
问题是:为什么我看到 ACCEPT 规则?
这是我的 iptables 的设置方式:
#!/bin/bash
# ATTENTION: flush/delete all existing rules
iptables -F
################################################################
# set the default policy for each of the pre-defined chains
################################################################
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT
################################################################
#individual ports tcp
################################################################
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
#uncomment next line to enable AdminGUI on port 4848:
#iptables -A INPUT -p tcp --dport 4848 -j ACCEPT
################################################################
#slow down the amount of ssh connections by the same ip address:
#wait 60 seconds if 3 times failed to connect
################################################################
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 --rttl -j DROP
#drop everything else
iptables -A INPUT -j DROP
################################################################
#Redirection Rules
################################################################
#1. redirection rules (allowing forwarding from localhost)
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8181
#2. redirection http
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
#3. redirection https
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
################################################################
#save the rules somewhere and make sure
#our rules get loaded if the ubuntu server is restarted
################################################################
iptables-save > /etc/my-iptables.rules
iptables-restore < /etc/my-iptables.rules
#List Rules to see what we have now
iptables -L
编辑:
根据@Michael Hampton 的评论,这是输出 iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
1580M 1033G ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
25M 1524M ACCEPT all -- lo any anywhere anywhere
824K 33M ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
186K 11M ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
2053K 115M ACCEPT tcp -- any any anywhere anywhere tcp dpt:http-alt
40M 2302M ACCEPT tcp -- any any anywhere anywhere tcp dpt:8181
5272K 226M ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
183K 11M ACCEPT tcp -- any any anywhere anywhere tcp dpt:8008
858K 106M DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1845M packets, 1964G bytes)
pkts bytes target prot opt in out source destination
Mla*_*vic 11
@Michael Hampton 建议我应该跑步
iptables -v -L
在那里我发现这两条规则实际上是:
25M 1524M ACCEPT all -- lo any anywhere anywhere
858K 106M DROP all -- any any anywhere anywhere
这实际上意味着第一条规则接受本地主机上的任何内容,它由我的配置中的规则定义:
iptables -A INPUT -i lo -j ACCEPT
非常感谢你,迈克尔汉普顿!
| 归档时间: |
|
| 查看次数: |
18379 次 |
| 最近记录: |