![Basic Linux iptables firewall problem](https://rvso.com/image/1642379/%E5%9F%BA%E6%9C%AC%E7%9A%84Linux%20Iptables%E9%98%B2%E7%81%AB%E7%89%86%E5%95%8F%E9%A1%8C.png)
After entering these commands in a terminal on a host with iptables installed, no web pages load once I connect to a wireless network that has Internet access.
I know it's something simple, but I don't know what.
```
sudo iptables --policy INPUT DROP
sudo iptables --policy OUTPUT DROP
sudo iptables --policy FORWARD DROP
sudo iptables -A OUTPUT -j ACCEPT -p tcp --destination-port 53
sudo iptables -A OUTPUT -j ACCEPT -p tcp --destination-port 80
sudo iptables -A OUTPUT -j ACCEPT -p tcp --destination-port 443
sudo iptables -A OUTPUT -j ACCEPT -p udp --destination-port 53
sudo /sbin/iptables-save
```
The configuration as listed after the commands above:
```
user@debian:~$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

user@debian:~$ sudo iptables -L -v
Chain INPUT (policy DROP 1095 packets, 131K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 33 packets, 2574 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
    8   480 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 1072 70910 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
```
In this example I'm only after basic DNS, HTTP and HTTPS. What's wrong?
Answer 1
```
sudo iptables --policy INPUT DROP
```
By default this drops all incoming traffic. You have no rules that make exceptions to this policy, i.e. you only have OUTPUT rules that allow outgoing traffic. Normally there is at least one rule that allows inbound packets matching connections established from the inside, for example:
```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
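The asker's ruleset with the answer's fix applied, as an added example script (not the asker's or answerer's own code): it keeps the three DROP policies and four OUTPUT rules, adds the INPUT rule for ESTABLISHED,RELATED traffic plus loopback rules, and can print the commands instead of running them. It assumes an `iptables` binary (legacy or nft backend) with the conntrack match available; the `run`, `apply_rules`, `rule_count` names and the `DRY_RUN`/`IPT` variables are this script's own. The 1095 packets dropped by the INPUT policy in the `-L -v` output above are exactly the replies that this INPUT rule lets through.

```shell
#!/bin/sh
# Added example: asker's default-deny ruleset plus the missing INPUT rules.
# DRY_RUN=1 prints the iptables commands instead of executing them.
IPT=${IPT:-iptables}

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$IPT $*"
  else
    sudo "$IPT" "$@"
  fi
}

apply_rules() {
  # Default-deny on all three chains, as in the question.
  run -P INPUT DROP
  run -P OUTPUT DROP
  run -P FORWARD DROP
  # Loopback: local resolvers and many daemons talk over 127.0.0.1,
  # which the asker's ruleset also blocks.
  run -A INPUT -i lo -j ACCEPT
  run -A OUTPUT -o lo -j ACCEPT
  # The answer's fix: admit replies to connections this host opened.
  # conntrack/--ctstate is the current spelling of the answer's -m state/--state.
  run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # The asker's outbound rules: DNS over UDP and TCP, HTTP, HTTPS.
  run -A OUTPUT -p udp --dport 53 -j ACCEPT
  run -A OUTPUT -p tcp --dport 53 -j ACCEPT
  run -A OUTPUT -p tcp --dport 80 -j ACCEPT
  run -A OUTPUT -p tcp --dport 443 -j ACCEPT
}

# Number of -A rules the script would install; a sanity check for the dry run.
rule_count() {
  DRY_RUN=1 apply_rules | grep -c -- '-A '
}
```

Note that `iptables-save`, as used in the question, only prints the running ruleset to stdout; to have it survive a reboot, redirect that output to the file your distribution's restore mechanism reads.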