iptables-restore is creating a dangerous rule

I have this definition file:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -j Firewall-INPUT
-A FORWARD -j Firewall-INPUT
-A Firewall-INPUT -i lo -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Ping
-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A Firewall-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Enable the traffic between the nodes of the cluster
-A Firewall-INPUT -s 10.0.1.1 -j ACCEPT
# Allow connections from docker container
-A Firewall-INPUT -i docker0 -j ACCEPT
# Accept ssh, http, https and git
-A Firewall-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,2222,80,443 -j ACCEPT
# Log and drop everything else
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Then I load these rules with iptables-restore:

/sbin/iptables-restore < /tmp/iptables-rules-save

After that I run iptables -L and get this:

Chain INPUT (policy DROP)
target     prot opt source               destination
Firewall-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
Firewall-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain Firewall-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.1             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            ctstate NEW multiport dports ssh,EtherNet/IP-1,http,https
LOG        all  --  anywhere             anywhere            LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

As you can see, it has added a dangerous rule that accepts all packets from any source on any interface of the server.

What is it in my setup that causes this error? How can I fix it?

P.S.: I'm running this on a Digital Ocean CentOS 6.5 droplet.

The default output of iptables -L does not show interfaces, so it does not show the exact rule. Try running iptables -L -v to get the interfaces included in the output – the destination column is the network address, not the interface. The -v output will show the exact rule you created.
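The point in the answer can be checked mechanically instead of by eye: the iptables-save/iptables-restore format (also what `iptables -S` prints) keeps every match, including `-i`/`-o`, so an audit over that text finds only ACCEPT rules that truly match everything. The script below is an added example for this thread, not code from the question or the answer. It embeds a copy of the question's ruleset, appends one constructed, genuinely open rule to show what a real finding looks like, and the `audit.py` file name and the `iptables-save | python3 audit.py` invocation are my assumptions about how it would be run.

```python
"""Audit an iptables-save style ruleset for ACCEPT rules with no match at all.

Added example, not code from the original post. `iptables -L` hides the
-i/-o interface match, so `-A Firewall-INPUT -i docker0 -j ACCEPT` prints as
`ACCEPT all -- anywhere anywhere`; the save format does not lose it.
Assumed usage on a live host:  iptables-save | python3 audit.py
"""
import shlex
import sys

# Options that do not narrow what a rule matches: the jump/goto target and
# its own parameters, match-module loaders (-m) and the comment match.
NON_RESTRICTING = {
    "-j", "--jump", "-g", "--goto",
    "--reject-with", "--log-prefix", "--log-level",
    "--to-ports", "--to-destination", "--to-source",
    "-m", "--match", "--comment",
}


def parse_rule(line):
    """Parse one '-A CHAIN <matches> -j TARGET' line into a dict.

    Returns {"chain", "target", "matches"} where matches maps option -> value
    (negated options are keyed '!-i' etc.), or None for lines that are not
    append rules (table header, chain declarations, '#' comments, COMMIT).
    """
    line = line.strip()
    if not line.startswith(("-A ", "--append ")):
        return None
    tokens = shlex.split(line)
    rule = {"chain": tokens[1], "target": None, "matches": {}}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        negated = False
        if tok == "!":                       # iptables-save writes '! -i lo'
            negated = True
            i += 1
            tok = tokens[i]
        # Most options take one value; bare flags such as --syn take none.
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith(("-", "!"))
        value = tokens[i + 1] if has_value else True
        if tok in ("-j", "--jump", "-g", "--goto"):
            rule["target"] = value
        elif tok not in NON_RESTRICTING:
            rule["matches"][("!" if negated else "") + tok] = value
        i += 2 if has_value else 1
    return rule


def unrestricted_accepts(ruleset_text):
    """Return (chain, rule_line) for each ACCEPT rule that carries no match.

    Only such rules accept everything on every interface; rules whose sole
    match is -i/-o merely look that way in `iptables -L`.
    """
    hits = []
    for line in ruleset_text.splitlines():
        rule = parse_rule(line)
        if rule and rule["target"] == "ACCEPT" and not rule["matches"]:
            hits.append((rule["chain"], line.strip()))
    return hits


# Copy of the ruleset posted in the question.
QUESTION_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -j Firewall-INPUT
-A FORWARD -j Firewall-INPUT
-A Firewall-INPUT -i lo -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A Firewall-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A Firewall-INPUT -s 10.0.1.1 -j ACCEPT
-A Firewall-INPUT -i docker0 -j ACCEPT
-A Firewall-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,2222,80,443 -j ACCEPT
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed variant: the same ruleset with one genuinely open rule added.
OPEN_RULES = QUESTION_RULES.replace("COMMIT", "-A Firewall-INPUT -j ACCEPT\nCOMMIT")

if __name__ == "__main__":
    text = OPEN_RULES if sys.stdin.isatty() else sys.stdin.read()
    hits = unrestricted_accepts(text)
    for chain, rule in hits:
        print(f"open ACCEPT in chain {chain}: {rule}")
    sys.exit(1 if hits else 0)
```

Run against the question's ruleset the audit reports nothing, because both rules that `iptables -L` prints as `ACCEPT all -- anywhere anywhere` carry an `-i lo` or `-i docker0` match; only the appended `-A Firewall-INPUT -j ACCEPT` is flagged. Note that `-i docker0` still accepts anything a container sends, which is a policy decision rather than a display artifact.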