iptables has both an "ACCEPT all anywhere anywhere" and a "DROP all anywhere anywhere" rule

I'm confused. This is my iptables configuration:

    $ iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8008
    DROP       all  --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

What confuses me are the following two lines in the INPUT chain:

    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere

I can't tell whether ports 25 or 587 (where Postfix is running) are open from the outside, or the MySQL port 3306.

The question is: why do I see the ACCEPT rule?

This is how my iptables is set up:

    #!/bin/bash
    # ATTENTION: flush/delete all existing rules
    iptables -F

    ################################################################
    # set the default policy for each of the pre-defined chains
    ################################################################
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # allow establishment of connections initialised by my outgoing packets
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # accept anything on localhost
    iptables -A INPUT -i lo -j ACCEPT

    ################################################################
    #individual ports tcp
    ################################################################
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
    #uncomment next line to enable AdminGUI on port 4848:
    #iptables -A INPUT -p tcp --dport 4848 -j ACCEPT

    ################################################################
    #slow down the amount of ssh connections by the same ip address:
    #wait 60 seconds if 3 times failed to connect
    ################################################################
    iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
    iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 --rttl -j DROP

    #drop everything else
    iptables -A INPUT -j DROP

    ################################################################
    #Redirection Rules
    ################################################################
    #1. redirection rules (allowing forwarding from localhost)
    iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
    iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8181
    #2. redirection http
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    #3. redirection https
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181

    ################################################################
    #save the rules somewhere and make sure
    #our rules get loaded if the ubuntu server is restarted
    ################################################################
    iptables-save > /etc/my-iptables.rules
    iptables-restore < /etc/my-iptables.rules

    #List Rules to see what we have now
    iptables -L

Edit:

Following @Michael Hampton's comment, here is the output of `iptables -v -L`:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
        0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
    1580M 1033G ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
      25M 1524M ACCEPT     all  --  lo     any     anywhere             anywhere
     824K   33M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
     186K   11M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    2053K  115M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http-alt
      40M 2302M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:8181
    5272K  226M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
     183K   11M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:8008
     858K  106M DROP       all  --  any    any     anywhere             anywhere

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 1845M packets, 1964G bytes)
     pkts bytes target     prot opt in     out     source               destination

Michael Hampton suggested that I run

    iptables -v -L

and there I found that the two rules are actually:

      25M 1524M ACCEPT     all  --  lo     any     anywhere             anywhere
     858K  106M DROP       all  --  any    any     anywhere             anywhere

This actually means that the first rule accepts anything on localhost, and it is defined by this rule in my configuration:

 iptables -A INPUT -i lo -j ACCEPT 

Many thanks to Michael Hampton!
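The point of the answer above is that `iptables -L` without `-v` hides the `in` and `out` interface columns, so a rule bound to `lo` looks identical to one that matches every interface. The following is an added example (not code from the question or the answer) that parses the verbose listing and reports each catch-all rule in the INPUT chain together with the interface it is bound to, so an audit can distinguish "accept everything on loopback" from "accept everything from everywhere". The sample listing is a constructed, reflowed subset of the `iptables -v -L` output shown above; the function names are this example's own.

```python
"""Audit `iptables -v -L` output for catch-all rules and show their interfaces.

Example added to illustrate the answer above; not part of the original post.
"""
from dataclasses import dataclass

# Constructed sample: a subset of the verbose INPUT chain listing from the
# question, one rule per line (the rows are the page's, the layout is ours).
SAMPLE_VERBOSE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source   destination
    0     0 DROP   tcp  --  eth0 any anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source mask: 255.255.255.255
    0     0 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:ssh state NEW recent: SET name: sshprobe side: source mask: 255.255.255.255
1580M 1033G ACCEPT all  --  any  any anywhere anywhere state RELATED,ESTABLISHED
  25M 1524M ACCEPT all  --  lo   any anywhere anywhere
 824K   33M ACCEPT tcp  --  any  any anywhere anywhere tcp dpt:http
 186K   11M ACCEPT tcp  --  any  any anywhere anywhere tcp dpt:ssh
 858K  106M DROP   all  --  any  any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source   destination
"""


@dataclass
class Rule:
    chain: str
    pkts: str
    nbytes: str
    target: str
    proto: str
    iface_in: str
    iface_out: str
    source: str
    dest: str
    extra: str  # match extensions printed after the destination column


def parse_verbose(listing: str) -> list[Rule]:
    """Parse `iptables -v -L` text into Rule records (verbose columns only)."""
    rules = []
    chain = None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        fields = line.split()
        # Skip blank lines, the per-chain column header, and text before any chain.
        if not fields or fields[0] == "pkts" or chain is None:
            continue
        pkts, nbytes, target, proto, _opt, iin, iout, src, dst = fields[:9]
        extra = " ".join(fields[9:])
        rules.append(Rule(chain, pkts, nbytes, target, proto, iin, iout, src, dst, extra))
    return rules


def is_catch_all(rule: Rule) -> bool:
    """A rule with no protocol, address or extension match at all."""
    return (rule.proto == "all" and rule.source == "anywhere"
            and rule.dest == "anywhere" and rule.extra == "")


def is_unrestricted(rule: Rule) -> bool:
    """True only when the catch-all rule is not bound to an interface either."""
    return rule.iface_in == "any" and rule.iface_out == "any"


def catch_all_rules(listing: str, chain: str = "INPUT") -> list[Rule]:
    """Return the catch-all rules of one chain, in evaluation order."""
    return [r for r in parse_verbose(listing) if r.chain == chain and is_catch_all(r)]


def audit(listing: str, chain: str = "INPUT") -> list[str]:
    """One human-readable finding per catch-all rule, in evaluation order."""
    findings = []
    for r in catch_all_rules(listing, chain):
        scope = "ALL interfaces" if is_unrestricted(r) else f"interface in={r.iface_in} out={r.iface_out}"
        findings.append(f"{chain}: {r.target} all -- matches on {scope} ({r.pkts} packets)")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_VERBOSE):
        print(line)
```

Run against the sample, the audit reports the `ACCEPT all` rule as bound to `in=lo` (the loopback rule from the script) and only the final `DROP all` as matching on all interfaces, which is exactly what the plain `iptables -L` listing could not show. The parser relies on the nine fixed verbose columns, so it must be fed `-v` output; plain `-L` output has two columns fewer and would be misread.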