How do I kill existing network connections on Linux?

I've been working on a project that is nearly finished: killing my kids' internet connection with the push of a button. I have basically implemented a partial solution by calling:

    ufw deny from <IP>

The threat of killing their internet works half the time, and the method above works the other half. Where I run into problems is long YouTube videos. Sometimes it is convenient to let existing connections continue, but I also want a button that kills all existing traffic to and from that IP. It turns out this is much harder than expected.

I tried cutter, which does not even seem to run on Ubuntu 14.04. I tried tcpkill. It seemed to run, but did not seem to do anything (I supplied both Ethernet interfaces) and seemed to want to keep running. Although my ufw rule is persistent, I would rather immediately and statelessly kill and drop all existing connections.

Conntrack sounded promising (http://conntrack-tools.netfilter.org/manual.html) and has the following:

Delete an entry. This can be used to block traffic if:

  • you have a stateful ruleset that blocks traffic in INVALID state.

  • you have set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose or /proc/sys/net/netfilter/nf_conntrack_tcp_loose (depending on your kernel version) to zero.

The command

    conntrack -D -s <IP>

seems to delete and display something, but the YouTube video keeps humming along, and I see the connections re-forming when I run

    conntrack -L

I have done

    echo 0 > nf_conntrack_tcp_loose

and cat'ed it to make sure it stuck, but it does not seem to kill the connections.

I am not 100% sure what "a stateful ruleset that blocks traffic in INVALID state" means, but I do see the following rule

    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID

when running "iptables -L -n", if that is what it refers to.

I found the following:

    iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

It did not work for me, but that may be because it comes after the general rule allowing all traffic on the internal network, and reordering it might work. I do not want to mix iptables commands with ufw commands. Given that UFW has already set up iptables to deny any new connections, setting a drop in iptables seems redundant, and I would really rather not mix UFW with iptables commands if I can avoid it.

Can anyone tell me how to use "conntrack -D" to kill existing connections to and from a host, or some other way to achieve the effect of a network or interface shutdown followed by a restore? Figuring out how to do this has been more elusive than expected.

Thanks,

Mark


I did some more testing that I would like to share.

First, I started by checking the kill using just an ssh connection. That is actually fairly simple. Both the tcpkill method and the conntrack -D method work. (I also tried with nf_conntrack_tcp_loose=1 (my system's default) and confirmed that you really do need it set to 0 for the conntrack -D method to work.)

I do not know how YouTube connections work, but they seem very hard to kill. If I call the conntrack -D IP method only once, it does not die. But if I set up the following loop

    while sleep 1 ; do conntrack -D -s 10.42.43.25 ; done

it eventually dies.

The log is:

    conntrack v1.4.1 (conntrack-tools): 17 flow entries have been deleted.
    udp      17 10 src=___.___.43.25 dst=___.___.43.1 sport=57859 dport=53 src=___.___.43.1 dst=___.___.43.25 sport=53 dport=57859 mark=0 use=1
    tcp      6 431980 ESTABLISHED src=___.___.43.25 dst=___.___.163.19 sport=59023 dport=80 src=___.___.163.19 dst=___.___.221.222 sport=80 dport=59023 [ASSURED] mark=0 use=1
    tcp      6 431980 ESTABLISHED src=___.___.43.25 dst=___.___.218.3 sport=59033 dport=443 src=___.___.218.3 dst=___.___.221.222 sport=443 dport=59033 [ASSURED] mark=0 use=1
    tcp      6 102 TIME_WAIT src=___.___.43.25 dst=___.___.242.247 sport=59044 dport=443 src=___.___.242.247 dst=___.___.221.222 sport=443 dport=59044 [ASSURED] mark=0 use=1
    tcp      6 431980 ESTABLISHED src=___.___.43.25 dst=___.___.247.248 sport=59024 dport=443 src=___.___.247.248 dst=___.___.221.222 sport=443 dport=59024 [ASSURED] mark=0 use=1
    tcp      6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59042 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59042 [ASSURED] mark=0 use=1
    udp      17 0 src=___.___.43.25 dst=___.___.43.1 sport=60775 dport=53 src=___.___.43.1 dst=___.___.43.25 sport=53 dport=60775 mark=0 use=1
    tcp      6 431980 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.78 sport=59035 dport=443 src=sss.sss.sss.78 dst=___.___.221.222 sport=443 dport=59035 [ASSURED] mark=0 use=1
    tcp      6 97 TIME_WAIT src=___.___.43.25 dst=___.___.234.25 sport=59039 dport=443 src=___.___.234.25 dst=___.___.221.222 sport=443 dport=59039 [ASSURED] mark=0 use=1
    udp      17 11 src=___.___.43.25 dst=___.___.43.1 sport=56527 dport=53 src=___.___.43.1 dst=___.___.43.25 sport=53 dport=56527 mark=0 use=1
    tcp      6 431980 ESTABLISHED src=___.___.43.25 dst=___.___.218.110 sport=59020 dport=443 src=___.___.218.110 dst=___.___.221.222 sport=443 dport=59020 [ASSURED] mark=0 use=1
    tcp      6 431999 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59043 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59043 [ASSURED] mark=0 use=1
    tcp      6 431948 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.97 sport=59025 dport=443 src=sss.sss.sss.97 dst=___.___.221.222 sport=443 dport=59025 [ASSURED] mark=0 use=1
    udp      17 6 src=___.___.43.25 dst=___.___.43.1 sport=53498 dport=53 src=___.___.43.1 dst=___.___.43.25 sport=53 dport=53498 mark=0 use=1
    tcp      6 431988 ESTABLISHED src=___.___.43.25 dst=___.___.10.188 sport=58987 dport=5228 src=___.___.10.188 dst=___.___.221.222 sport=5228 dport=58987 [ASSURED] mark=0 use=1
    tcp      6 431999 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.138 sport=59021 dport=443 src=sss.sss.sss.138 dst=___.___.221.222 sport=443 dport=59021 [ASSURED] mark=0 use=1
    tcp      6 431979 ESTABLISHED src=___.___.43.25 dst=___.___.103.74 sport=59038 dport=443 src=___.___.103.74 dst=___.___.221.222 sport=443 dport=59038 [ASSURED] mark=0 use=1
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 2 flow entries have been deleted.
    tcp      6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59049 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59049 [ASSURED] mark=0 use=1
    tcp      6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59050 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59050 [ASSURED] mark=0 use=1
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
    tcp      6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59052 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59052 [ASSURED] mark=0 use=1
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
    tcp      6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59053 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59053 [ASSURED] mark=0 use=1
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
    tcp      6 431999 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59055 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59055 [ASSURED] mark=0 use=1
    ...
    tcp      6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59089 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59089 [ASSURED] mark=0 use=1
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
    tcp      6 300 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59090 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59090 [ASSURED] mark=0 use=1
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
    tcp      6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59092 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59092 [ASSURED] mark=0 use=2
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
    tcp      6 300 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.138 sport=59094 dport=443 src=sss.sss.sss.138 dst=___.___.221.222 sport=443 dport=59094 [ASSURED] mark=0 use=1
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 1 flow entries have been deleted.
    tcp      6 299 ESTABLISHED src=___.___.43.25 dst=sss.sss.sss.177 sport=59095 dport=443 src=sss.sss.sss.177 dst=___.___.221.222 sport=443 dport=59095 [ASSURED] mark=0 use=1
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    conntrack v1.4.1 (conntrack-tools): 0 flow entries have been deleted.
    ... (finally dead)

So the question now is: what is happening here? How are flow entries being created after I initially deleted all the flows? What am I missing? Is there something about how all this works that means I cannot simply shut it down with a one-shot command?


Just some more info. I am sure local buffering is not affecting my perception of what is happening. After doing a delete, I can see the amount of data in the buffer continue to grow. Also, I can take a long video and drag the YouTube playback position far into the future, well beyond the buffer watermark, and the video still works at that much later point.


Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
REJECT     all  --  116.31.116.41        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ufw-skip-to-policy-input  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:1900
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  10.42.43.25          0.0.0.0/0           
ACCEPT     all  --  10.42.43.0/24        0.0.0.0/0           

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination         

When I change the state to shut off the particular machine, the change in the listing shows up as the following diff:

158c157
< ACCEPT     all  --  10.42.43.25          0.0.0.0/0
---
> DROP       all  --  10.42.43.25          0.0.0.0/0
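In the conntrack log above, the flows that reappear after each delete go to the same destination (sss.sss.sss.177:443) but carry fresh, increasing source ports (59049, 59050, 59052, ...), which is the signature of newly opened connections rather than the original ones surviving the delete. The script below is an added example, not the poster's code: it parses entries in the conntrack -L / -D layout shown in the log and classifies, between two snapshots, which flows of a host are unchanged, which are re-opened to an already-seen destination, and which are entirely new. The sample entries are constructed (10.42.43.25 is the host from the post; 203.0.113.x and 198.51.100.x are documentation addresses standing in for the masked ones).

```python
"""Classify reappearing conntrack flows for one host (added example)."""
import re
from collections import namedtuple

Flow = namedtuple("Flow", "proto state src dst sport dport")

# Matches the original-direction tuple of a conntrack entry line, e.g.
#   tcp      6 431980 ESTABLISHED src=A dst=B sport=P dport=Q ...
#   udp      17 10 src=A dst=B sport=P dport=Q ...          (no state for udp)
_ENTRY = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def parse_entries(text):
    """Return a Flow per entry line; summary lines such as
    'conntrack v1.4.1 ...: N flow entries have been deleted.' are skipped."""
    flows = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            d = m.groupdict()
            flows.append(Flow(d["proto"], d["state"] or "-", d["src"], d["dst"],
                              int(d["sport"]), int(d["dport"])))
    return flows

def _key(f):
    # 5-tuple identity; the state column is deliberately left out.
    return (f.proto, f.src, f.dst, f.sport, f.dport)

def classify(before, after, host):
    """Classify `host`'s flows in `after` against `before`:
    same   - identical 5-tuple (the entry survived or was picked up again)
    reopen - same destination and port but a new source port (a fresh connection)
    new    - a destination not seen in the earlier snapshot"""
    seen_tuples = {_key(f) for f in before if f.src == host}
    seen_dsts = {(proto, dst, dport) for proto, _, dst, _, dport in seen_tuples}
    result = {"same": [], "reopen": [], "new": []}
    for f in after:
        if f.src != host:
            continue
        if _key(f) in seen_tuples:
            result["same"].append(f)
        elif (f.proto, f.dst, f.dport) in seen_dsts:
            result["reopen"].append(f)
        else:
            result["new"].append(f)
    return result

# Constructed snapshots: output of one `conntrack -D -s 10.42.43.25` run and the next.
BEFORE = """\
conntrack v1.4.1 (conntrack-tools): 3 flow entries have been deleted.
udp      17 10 src=10.42.43.25 dst=10.42.43.1 sport=57859 dport=53 src=10.42.43.1 dst=10.42.43.25 sport=53 dport=57859 mark=0 use=1
tcp      6 431980 ESTABLISHED src=10.42.43.25 dst=203.0.113.177 sport=59042 dport=443 src=203.0.113.177 dst=198.51.100.2 sport=443 dport=59042 [ASSURED] mark=0 use=1
tcp      6 431980 ESTABLISHED src=10.42.43.25 dst=203.0.113.138 sport=59021 dport=443 src=203.0.113.138 dst=198.51.100.2 sport=443 dport=59021 [ASSURED] mark=0 use=1
"""
AFTER = """\
conntrack v1.4.1 (conntrack-tools): 3 flow entries have been deleted.
tcp      6 299 ESTABLISHED src=10.42.43.25 dst=203.0.113.177 sport=59049 dport=443 src=203.0.113.177 dst=198.51.100.2 sport=443 dport=59049 [ASSURED] mark=0 use=1
tcp      6 431980 ESTABLISHED src=10.42.43.25 dst=203.0.113.138 sport=59021 dport=443 src=203.0.113.138 dst=198.51.100.2 sport=443 dport=59021 [ASSURED] mark=0 use=1
tcp      6 431988 ESTABLISHED src=10.42.43.25 dst=198.51.100.77 sport=58987 dport=5228 src=198.51.100.77 dst=198.51.100.2 sport=5228 dport=58987 [ASSURED] mark=0 use=1
"""

if __name__ == "__main__":
    for kind, flows in classify(parse_entries(BEFORE), parse_entries(AFTER), "10.42.43.25").items():
        for f in flows:
            print(f"{kind:6} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} ({f.state})")
```

Feeding it the real output of two consecutive loop iterations (pipe each to a file) tells you whether a delete is actually losing against re-established connections, which is the case to check before blaming the delete itself.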
