UFW rules created and enabled, but traffic is still allowed

I have a UFW configuration that tries to block some unwanted IPs and their requests.

    # ufw status | less
    Status: active

    To                         Action      From
    --                         ------      ----
    37.187.183.206             DENY        Anywhere
    Anywhere                   DENY        37.187.183.206
    198.41.249.59              DENY        Anywhere
    Anywhere                   DENY        198.41.249.59
    162.159.251.59             DENY        Anywhere
    Anywhere                   DENY        162.159.251.59

"Status: active" confirms that UFW is enabled, and I have 3 IPs blocked here, inbound and outbound. These rules were inserted with `ufw insert 1`, so they are the first rules processed. Yet pings and requests still get through:

    # ping 193.201.224.10
    PING 193.201.224.10 (193.201.224.10) 56(84) bytes of data.
    64 bytes from 193.201.224.10: icmp_req=1 ttl=52 time=354 ms
    64 bytes from 193.201.224.10: icmp_req=2 ttl=52 time=356 ms

The same goes for actual requests:

    # wget 37.187.183.206
    --2015-02-13 06:37:23--  http://37.187.183.206/
    Connecting to 37.187.183.206:80... connected.
    HTTP request sent, awaiting response... 302 Found

Any idea why?

Edit: iptables output, as requested

    Chain INPUT (policy DROP 27 packets, 1100 bytes)
     pkts bytes target     prot opt in     out     source               destination
     105M   11G fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
     105M   11G fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
     105M   11G fail2ban-apache  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
        0     0 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    1107M  884G ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1107M  884G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     1109 49748 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     1109 49748 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     1109 49748 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     1109 49748 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 108 packets, 4992 bytes)
     pkts bytes target     prot opt in     out     source               destination
     746M  274G ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     746M  274G ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      54M 3681M ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      54M 3681M ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      54M 3681M ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      54M 3681M ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-apache (1 references)
     pkts bytes target     prot opt in     out     source               destination
     105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-apache-noscript (1 references)
     pkts bytes target     prot opt in     out     source               destination
     105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-apache-overflows (1 references)
     pkts bytes target     prot opt in     out     source               destination
     105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-ssh (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain ufw-after-forward (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-after-input (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
        0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
        0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
        0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
        0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
        0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
        0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-input (1 references)
     pkts bytes target     prot opt in     out     source               destination
      149  6980 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-after-output (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-before-forward (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain ufw-before-input (1 references)
     pkts bytes target     prot opt in     out     source               destination
      54M 7592M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1042M  875G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4052K  435M ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    4052K  435M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    6880K  500M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
    6880K  500M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain ufw-before-logging-forward (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-before-logging-input (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-before-logging-output (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-before-output (1 references)
     pkts bytes target     prot opt in     out     source               destination
      54M 7592M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
     638M  263G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      54M 3681M ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain ufw-logging-allow (0 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
     pkts bytes target     prot opt in     out     source               destination
     3915  189K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 3/min burst 10
     3805  185K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

    Chain ufw-not-local (1 references)
     pkts bytes target     prot opt in     out     source               destination
    6880K  500M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
        0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain ufw-reject-forward (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-reject-input (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-reject-output (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-skip-to-policy-forward (0 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain ufw-skip-to-policy-input (7 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain ufw-skip-to-policy-output (0 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain ufw-track-input (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-track-output (1 references)
     pkts bytes target     prot opt in     out     source               destination
      16M  979M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
      38M 2701M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW

    Chain ufw-user-forward (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain ufw-user-input (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206
        0     0 DROP       all  --  *      *       37.187.183.206       0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            198.41.249.59
        0     0 DROP       all  --  *      *       198.41.249.59        0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            162.159.251.59
        0     0 DROP       all  --  *      *       162.159.251.59       0.0.0.0/0
       10   600 DROP       all  --  *      *       220.181.108.153      0.0.0.0/0
        0     0 DROP       all  --  *      *       220.176.172.157      0.0.0.0/0
        0     0 DROP       all  --  *      *       222.70.153.55        0.0.0.0/0
        0     0 DROP       all  --  *      *       94.153.11.136        0.0.0.0/0
        0     0 DROP       all  --  *      *       178.63.95.202        0.0.0.0/0
      270 10920 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1433
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1433
       11   488 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:81
     3838  206K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2222
       16   832 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10000
     1019 51256 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3096
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3096
        0     0 ACCEPT     tcp  --  *      *       27.131.130.17        0.0.0.0/0            tcp dpt:21
        0     0 ACCEPT     tcp  --  *      *       27.131.130.19        0.0.0.0/0            tcp dpt:21
        0     0 ACCEPT     tcp  --  *      *       61.7.147.82          0.0.0.0/0            tcp dpt:21
      844 42932 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:21
     1057 63508 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8010
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8010
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8011
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8011

Short answer: the rules you created for ufw are in the INPUT chain and do not affect network traffic originating from the system that runs ufw. You need rules in the OUTPUT chain to manage that traffic.

Longer answer: the first thing to understand about netfilter (the project name for the kernel's packet-filtering firewall) rules is that they are checked in order, and the fate of a packet (ACCEPT, DROP, REJECT, etc.) is decided on a first-match basis.

From your `iptables -L -n -v` you can see that you have two complementary technologies managing your packet filter: both ufw and fail2ban create ipchains rule sets.

The set of rules managed by fail2ban is processed first, because the fail2ban chains are listed first in the INPUT chain. These apply to the default web server ports 80 & 443 or the ssh port 22.

Since apparently no abusers have been detected, there are no excluded IP addresses in the fail2ban rules; they have not matched anything yet and use RETURN so that further processing of the packet is done by the ufw rule set.

You can see all your custom ufw rules in ufw-user-input, and the counters show what you had already deduced from your `wget 37.187.183.206` command: those rules have apparently never matched.

    Chain ufw-user-input (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206
        0     0 DROP       all  --  *      *       37.187.183.206       0.0.0.0/0
    ...

The reason is that packets originating from the system (for example those created by the wget command) are filtered in the OUTPUT chain and will never match in the INPUT chain.

All traffic coming from 37.187.183.206 is indeed blocked, and if your system were the router/firewall between your server and 37.187.183.206 that traffic would be blocked as well, but packets created by your server are a special case and are not blocked.

For this particular use case, they should also be in the ufw-user-output chain.

The reason ping requests from 37.187.183.206 are allowed is that in the ufw-before-input chain the rule accepting echo requests (ICMP type 8) is hit before the chain that references your custom rules.

    Chain ufw-before-input (1 references)
     pkts bytes target     prot opt in     out     source               destination
    <snip>
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    <snip>
    6880K  500M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
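The two findings in the answer above (deny rules that exist only in ufw-user-input, and an ACCEPT in ufw-before-input that fires before the jump to the user chain) can be checked mechanically from a saved `iptables -L -n -v` dump. The script below is an added example, not code from the question or the answer: it parses the dump into chains and rules, lists hosts denied inbound but not outbound, and lists ACCEPT rules that precede the jump to ufw-user-input. The sample dump embedded in it is constructed for the example; its ufw-user-input and ufw-before-input lines are taken from the question, while the ufw-user-output chain (absent from the question's dump) is invented so the gap check has something to compare against.

```python
import re

# Constructed sample in `iptables -L -n -v` layout. ufw-user-output is invented
# for this example: it covers only one of the three denied hosts.
SAMPLE_DUMP = """\
Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  54M 7592M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
1042M  875G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
6880K  500M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206
    0     0 DROP       all  --  *      *       37.187.183.206       0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            198.41.249.59
    0     0 DROP       all  --  *      *       198.41.249.59        0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            162.159.251.59
    0     0 DROP       all  --  *      *       162.159.251.59       0.0.0.0/0
  270 10920 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1433

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            198.41.249.59
"""

ANY = "0.0.0.0/0"


def parse_chains(text):
    """Parse `iptables -L -n -v` output into {chain_name: [rule, ...]}.

    Each rule keeps the fixed columns (pkts, target, prot, in, out, src, dst)
    and whatever match text follows them as "extra". Header lines and blank
    lines are skipped; order of rules within a chain is preserved because
    netfilter evaluates them first-match."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue
        pkts, _nbytes, target, prot, _opt, iface_in, iface_out, src, dst = fields[:9]
        chains[current].append({
            "pkts": pkts, "target": target, "prot": prot,
            "in": iface_in, "out": iface_out, "src": src, "dst": dst,
            "extra": " ".join(fields[9:]),
        })
    return chains


def denied_hosts(chains, chain):
    """Addresses named (as source or destination) by a DROP/REJECT rule in chain."""
    hosts = set()
    for rule in chains.get(chain, []):
        if rule["target"] in ("DROP", "REJECT"):
            hosts.update(a for a in (rule["src"], rule["dst"]) if a != ANY)
    return hosts


def outbound_gaps(chains):
    """Hosts denied in ufw-user-input but not in ufw-user-output.

    Packets generated on the box itself (wget, ping) traverse OUTPUT only, so
    every host returned here is still reachable from the firewall host."""
    return sorted(denied_hosts(chains, "ufw-user-input")
                  - denied_hosts(chains, "ufw-user-output"))


def accepts_before_jump(chains, chain, user_chain):
    """ACCEPT rules in chain that are evaluated before the jump to user_chain.

    Anything these accept is decided before the user rules are consulted, which
    is why an ICMP echo-request ACCEPT here shadows a per-host DROP later."""
    shadowing = []
    for rule in chains.get(chain, []):
        if rule["target"] == user_chain:
            break
        if rule["target"] == "ACCEPT":
            shadowing.append((rule["prot"], rule["extra"]))
    return shadowing


if __name__ == "__main__":
    chains = parse_chains(SAMPLE_DUMP)
    for host in outbound_gaps(chains):
        print("denied inbound only, still reachable from this host:", host)
    for prot, extra in accepts_before_jump(chains, "ufw-before-input", "ufw-user-input"):
        print("accepted before ufw-user-input:", prot, extra or "(no extra match)")
```

On a live system the same functions can be fed the output of `iptables -L -n -v` read from a file; each host reported by `outbound_gaps` is a candidate for an outbound deny (`ufw deny out to <host>` is the ufw form that lands in ufw-user-output), and the ufw-user-output packet counters should start climbing once the wget is retried.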