As a test, I created a Tor Browser, got its IP, and banned it on my VPS with this command:
sudo iptables -A INPUT -s <IP address> -j DROP
I can still browse the page hosted by my server through Tor Browser. I even double-checked the HTTP access.log to make sure the IP is the one I banned, and it is. What am I missing?
My iptables file, read in at boot (via iptables-restore):
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# IP bans
-A INPUT -s 42.121.24.80 -j DROP
-A INPUT -s 121.196.43.157 -j DROP
-A INPUT -s 192.30.85.135 -j DROP
-A INPUT -s 94.102.53.175 -j DROP
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
# Mail
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
# Minecraft
-A INPUT -p tcp --dport 25565 -j ACCEPT
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
And the iptables -L output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
DROP       all  --  out524-80.mail.aliyun.com  anywhere
DROP       all  --  ip196.hichina.com    anywhere
DROP       all  --  192.30.85.135-IP-Static-VISPERAD.COM  anywhere
DROP       all  --  tor-exit-nl1.privacyfoundation.dk  anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
dmourati asked for iptables -L INPUT for a reason: that shows your current rules.
Before testing with Tor Browser you had the posted rules (or something similar).
Now, in the middle of them, there is:
-A INPUT -p tcp --dport 80 -j ACCEPT
Afterwards you executed
iptables -A INPUT -s <IP address> -j DROP
So your rule ends up after the one that accepts all port 80 traffic, and nothing is dropped because the traffic has already been accepted.
You should add the rule
iptables -I INPUT -s <IP address> -j DROP
If you want the drop to take precedence, you need to insert it (-I) before the appended (-A) rule that allows port 80.
Order matters; try:
sudo iptables -I INPUT -s <IP address> -j DROP
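Both answers come down to first-match evaluation. The following added example (not from the question or either answer) models that evaluation over a condensed copy of the poster's INPUT chain, using 203.0.113.7 as a constructed placeholder for the banned address, and returns the verdict for an HTTP packet when the DROP is appended versus inserted at position 1.

```python
# Added example, not from the question or either answer: a first-match model of
# iptables INPUT-chain evaluation. Rules are checked top to bottom and the first
# rule whose conditions all hold decides the packet, so a DROP appended after
# "-p tcp --dport 80 -j ACCEPT" never sees HTTP traffic from the banned host.
# BANNED is a constructed placeholder, not the poster's real Tor exit address.
BANNED = "203.0.113.7"

def rule(target, src=None, proto=None, dport=None, states=None):
    """One rule; None means 'match anything', like an omitted iptables match."""
    return {"target": target, "src": src, "proto": proto,
            "dport": dport, "states": set(states) if states else None}

# Condensed copy of the INPUT chain from the question, in the posted order.
INPUT_CHAIN = [
    rule("ACCEPT", states=["ESTABLISHED", "RELATED"]),
    rule("ACCEPT", proto="tcp", dport=80),
    rule("ACCEPT", proto="tcp", dport=443),
    rule("ACCEPT", proto="tcp", dport=22, states=["NEW"]),
    rule("DROP"),  # catch-all: default deny unless explicitly allowed
]

def matches(r, pkt):
    """True when every condition the rule specifies holds for the packet."""
    return ((r["src"] is None or r["src"] == pkt["src"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["states"] is None or pkt["state"] in r["states"]))

def verdict(chain, pkt, policy="ACCEPT"):
    """Target of the first matching rule, or the chain policy if none match."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

def append_rule(chain, r):
    """iptables -A INPUT ...: the rule lands at the end of the chain."""
    return chain + [r]

def insert_rule(chain, r, pos=1):
    """iptables -I INPUT [pos] ...: the rule lands at 1-based position pos."""
    return chain[:pos - 1] + [r] + chain[pos - 1:]

HTTP_FROM_BANNED = {"src": BANNED, "proto": "tcp", "dport": 80, "state": "NEW"}

if __name__ == "__main__":
    ban = rule("DROP", src=BANNED)
    print("appended:", verdict(append_rule(INPUT_CHAIN, ban), HTTP_FROM_BANNED))  # ACCEPT
    print("inserted:", verdict(insert_rule(INPUT_CHAIN, ban), HTTP_FROM_BANNED))  # DROP
```

Inserting at position 1 also places the DROP ahead of the ESTABLISHED,RELATED rule, so packets belonging to a connection that address already has open are dropped as well; inserting at position 2 would leave those alone.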