
我正在託管一個郵件伺服器(PostFix、PostFix Admin、Dovecot)、一個 Minecraft 伺服器和一個 Discord 機器人,我正在嘗試創建一個具有 INPUT 和 OUTPUT drop 的防火牆,但是使用此配置,一切都停止工作,例如端口143 打開我的roundcube 無法連接到imap 伺服器,同樣適用於minecraft 伺服器,我加載25565 端口,但它停在那裡,discord 機器人無法連接到discord 伺服器(應該是http),而如果我將OUTPUT 刪除它只需停止所有連接以及我的ssh(自訂連接埠2233)。有什麼幫助嗎?
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT udp -- anywhere anywhere udp dpt:1988
ACCEPT tcp -- anywhere anywhere tcp dpt:1988
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT udp -- anywhere anywhere udp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:8192
ACCEPT udp -- anywhere anywhere udp dpt:8192
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
bungee tcp -- anywhere anywhere tcp dpt:25562
bungee tcp -- anywhere anywhere tcp dpt:25579
bungee tcp -- anywhere anywhere tcp dpt:25569
bungee tcp -- anywhere anywhere tcp dpt:25563
bungee tcp -- anywhere anywhere tcp dpt:25567
bungee tcp -- anywhere anywhere tcp dpt:41310
bungee tcp -- anywhere anywhere tcp dpt:41311
bungee tcp -- anywhere anywhere tcp dpt:41312
bungee tcp -- anywhere anywhere tcp dpt:25999
bungee tcp -- anywhere anywhere tcp dpt:25564
bungee tcp -- anywhere anywhere tcp dpt:30801
bungee tcp -- anywhere anywhere tcp dpt:30802
bungee tcp -- anywhere anywhere tcp dpt:30803
bungee tcp -- anywhere anywhere tcp dpt:30810
bungee tcp -- anywhere anywhere tcp dpt:25342
ACCEPT udp -- anywhere anywhere udp dpt:8183
ACCEPT udp -- anywhere anywhere udp dpt:8182
ACCEPT udp -- anywhere anywhere udp dpt:8181
ACCEPT udp -- anywhere anywhere udp dpt:8191
ACCEPT udp -- anywhere anywhere udp dpt:587
ACCEPT udp -- anywhere anywhere udp dpt:465
ACCEPT udp -- anywhere anywhere udp dpt:2233
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT udp -- anywhere anywhere udp dpt:143
ACCEPT udp -- anywhere anywhere udp dpt:993
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:25565
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:8191
ACCEPT tcp -- anywhere anywhere tcp dpt:8183
ACCEPT tcp -- anywhere anywhere tcp dpt:8182
ACCEPT tcp -- anywhere anywhere tcp dpt:8181
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:2233
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:2233
ACCEPT udp -- anywhere anywhere udp dpt:2233
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT udp -- anywhere anywhere udp dpt:143
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:25565
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT udp -- anywhere anywhere udp dpt:993
ACCEPT udp -- anywhere anywhere udp dpt:25565
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT udp -- anywhere anywhere udp dpt:465
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:8183
ACCEPT udp -- anywhere anywhere udp dpt:8182
ACCEPT udp -- anywhere anywhere udp dpt:8181
ACCEPT udp -- anywhere anywhere udp dpt:8191
ACCEPT tcp -- anywhere anywhere tcp dpt:8191
ACCEPT tcp -- anywhere anywhere tcp dpt:8183
ACCEPT tcp -- anywhere anywhere tcp dpt:8182
ACCEPT tcp -- anywhere anywhere tcp dpt:8181
ACCEPT tcp -- anywhere anywhere tcp dpt:25565
ACCEPT udp -- anywhere anywhere udp dpt:25565
ACCEPT udp -- anywhere anywhere udp dpt:465
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT udp -- anywhere anywhere udp dpt:143
ACCEPT udp -- anywhere anywhere udp dpt:993
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:2233
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT udp -- anywhere anywhere udp dpt:443
ACCEPT udp -- anywhere anywhere udp dpt:http-alt
ACCEPT udp -- anywhere anywhere udp dpt:80
ACCEPT udp -- anywhere anywhere udp dpt:2233
ACCEPT tcp -- anywhere anywhere tcp spt:smtp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:imap2 state ESTABLISHED
Chain bungee (15 references)
target prot opt source destination
ACCEPT all -- vmi294204.contaboserver.net anywhere
ACCEPT all -- localhost anywhere
DROP all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
答案1
您缺少一些標準防火牆規則,這些規則幾乎存在於每個規則集中:
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
您當然希望允許透過環回裝置的所有通訊(它來自伺服器本身)並允許每個已建立的連線(您已經接受過一次)。出於性能原因,這些規則通常是第一次。
在你的OUTPUT
鏈中,所有連接埠的方向都是錯誤的(--dport
而不是--sport
)。
這是非常設定DROP
asOUTPUT
的策略並不常見,它需要充分了解您的服務和系統的工作方式。
您已經注意到缺少的ACCEPT
規則SSH[*] 你可能想添加類似的規則,OUTPUT
就像我曾經為INPUT
.然而你沒有想過名稱解析:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
和 DHCP(如果您正在使用它)。而且ICMP
幾乎是必須的:
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
因為它不僅被使用ping
,而且還提供重要的診斷訊息,例如“沒有到主機的路由”。如果沒有它們,每次發生網路錯誤時,您的服務都會等待直到逾時。
聚苯乙烯:使用multiport
和comment
模組使您的規則更具可讀性,例如:
iptables -A INPUT -m multiport --dports smtp,465,submission -m comment --comment postfix -j ACCEPT
長話短說:切換OUTPUT
策略並不是DROP
很有用,需要充分了解您使用的每項服務的工作原理。
[*] 重讀你的問題後,你正在執行SSH在另一個連接埠上,您考慮允許 ssh 傳回封包,但您--dport
像在所有其他規則中一樣使用。我不明白的是為什麼要運行失敗2禁止22
如果沒有任何監聽,則連接埠上的 ssh 會被監禁。