Why does iptables deny a packet that the iptables rules explicitly accept?

I have these rules:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    ... other rules, not involving tap777 ...
    -A INPUT -i tap777 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i tap777 -p udp -m udp --dport 53 -j ACCEPT

I see this in the log:

 Oct 25 04:09:43 ip-xxx-xx-xx-xxx 1 kernel: [ 1824.841222] iptables denied: IN=tap777 OUT= MAC=xx:xx:c6:93:91:bb:b8:ae:ed:7b:d1:83:08:xx SRC=10.20.1.141 DST=10.20.1.1 LEN=343 TOS=0x00 PREC=0x00 TTL=128 ID=4977 PROTO=UDP SPT=68 DPT=67 LEN=323 

To me, this denial clearly matches the rule: same dport, same protocol, same interface. So I am wondering whether it has something to do with the rule not being in the right chain?

sudo iptables -L gives:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:11900
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

Can anyone give me some insight into why this might be? Or something to try? Thanks!

    LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "

This rate-limits and logs the packets as denied. Move it to second-to-last in the INPUT chain. It will definitely start working then. Hope this helps! Please upvote and mark the answer if it helped or answered your question. Thanks :)
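To see why the "iptables denied:" line appears even though the DHCP packet is ultimately accepted, the following added example (not code from the question or the answer) models a packet walking the INPUT chain above, with LOG treated as a non-terminating target, first in the posted order and then with the LOG rule moved to just before the final REJECT. It assumes the first ACCEPT all and the RELATED,ESTABLISHED rule, whose match criteria iptables -L does not show, do not match a fresh DHCP request.

```python
# Added example: a minimal model of iptables chain traversal. The LOG target
# does not end evaluation, so a packet can be logged with the prefix
# "iptables denied: " and still be accepted by a later rule.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                    # ACCEPT, REJECT or LOG
    proto: Optional[str] = None    # None means "all"
    dport: Optional[int] = None
    in_if: Optional[str] = None    # None means any interface

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.in_if is None or pkt["in"] == self.in_if))


# INPUT chain from the question, reduced to the rules with visible criteria
# (assumption: the unshown ACCEPT all / state rules do not match this packet).
INPUT_AS_POSTED = [
    Rule("ACCEPT", "tcp", 22),             # tcp dpt:ssh
    Rule("LOG"),                           # limit 5/min, prefix "iptables denied: "
    Rule("ACCEPT", "udp", 11900),
    Rule("ACCEPT", "udp", 67, "tap777"),   # udp dpt:bootps
    Rule("ACCEPT", "udp", 53, "tap777"),   # udp dpt:domain
    Rule("REJECT"),                        # terminal catch-all
]

# The answer's fix: same rules, LOG moved to second-to-last, right before REJECT.
INPUT_FIXED = [r for r in INPUT_AS_POSTED if r.target != "LOG"]
INPUT_FIXED.insert(len(INPUT_FIXED) - 1, Rule("LOG"))


def traverse(chain, pkt, policy="ACCEPT"):
    """Return (verdict, logged). LOG records the packet and evaluation continues;
    ACCEPT/REJECT end traversal; the chain policy applies if nothing matched."""
    logged = False
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True          # a log entry, not a verdict
            continue
        return rule.target, logged
    return policy, logged


# Constructed from the logged packet: DHCP request on tap777, SPT=68 DPT=67.
DHCP_PKT = {"in": "tap777", "proto": "udp", "sport": 68, "dport": 67}

if __name__ == "__main__":
    print(traverse(INPUT_AS_POSTED, DHCP_PKT))   # ('ACCEPT', True): accepted but logged
    print(traverse(INPUT_FIXED, DHCP_PKT))       # ('ACCEPT', False): accepted, silent
```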