已解決 - IPTables 輸入下降和連接埠開放

已解決 - IPTables 輸入下降和連接埠開放

我正在託管一個郵件伺服器(PostFix、PostFix Admin、Dovecot)、一個 Minecraft 伺服器和一個 Discord 機器人,我正在嘗試創建一個具有 INPUT 和 OUTPUT drop 的防火牆,但是使用此配置,一切都停止工作,例如端口143 打開我的roundcube 無法連接到imap 伺服器,同樣適用於minecraft 伺服器,我加載25565 端口,但它停在那裡,discord 機器人無法連接到discord 伺服器(應該是http),而如果我將OUTPUT 刪除它只需停止所有連接以及我的ssh(自訂連接埠2233)。有什麼幫助嗎?

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1988
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1988
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8192
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8192
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
bungee     tcp  --  anywhere             anywhere             tcp dpt:25562
bungee     tcp  --  anywhere             anywhere             tcp dpt:25579
bungee     tcp  --  anywhere             anywhere             tcp dpt:25569
bungee     tcp  --  anywhere             anywhere             tcp dpt:25563
bungee     tcp  --  anywhere             anywhere             tcp dpt:25567
bungee     tcp  --  anywhere             anywhere             tcp dpt:41310
bungee     tcp  --  anywhere             anywhere             tcp dpt:41311
bungee     tcp  --  anywhere             anywhere             tcp dpt:41312
bungee     tcp  --  anywhere             anywhere             tcp dpt:25999
bungee     tcp  --  anywhere             anywhere             tcp dpt:25564
bungee     tcp  --  anywhere             anywhere             tcp dpt:30801
bungee     tcp  --  anywhere             anywhere             tcp dpt:30802
bungee     tcp  --  anywhere             anywhere             tcp dpt:30803
bungee     tcp  --  anywhere             anywhere             tcp dpt:30810
bungee     tcp  --  anywhere             anywhere             tcp dpt:25342
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8183
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8182
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8181
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8191
ACCEPT     udp  --  anywhere             anywhere             udp dpt:587
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8183
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8182
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8183
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8182
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8181
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8183
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8182
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25565
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:443
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:80
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:smtp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:imap2 state ESTABLISHED

Chain bungee (15 references)
target     prot opt source               destination
ACCEPT     all  --  vmi294204.contaboserver.net  anywhere
ACCEPT     all  --  localhost            anywhere
DROP       all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

答案1

您缺少一些標準防火牆規則,這些規則幾乎存在於每個規則集中:

iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

您當然希望允許透過環回裝置的所有通訊(它來自伺服器本身)並允許每個已建立的連線(您已經接受過一次)。出於性能原因,這些規則通常是第一次。

在你的OUTPUT鏈中,所有連接埠的方向都是錯誤的(--dport而不是--sport)。

這是非常設定DROPasOUTPUT的策略並不常見,它需要充分了解您的服務和系統的工作方式。

您已經注意到缺少的ACCEPT規則SSH[*] 你可能想添加類似的規則,OUTPUT就像我曾經為INPUT.然而你沒有想過名稱解析

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

和 DHCP(如果您正在使用它)。而且ICMP幾乎是必須的:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

因為它不僅被使用ping,而且還提供重要的診斷訊息,例如“沒有到主機的路由”。如果沒有它們,每次發生網路錯誤時,您的服務都會等待直到逾時。

聚苯乙烯:使用multiportcomment模組使您的規則更具可讀性,例如:

iptables -A INPUT -m multiport --dports smtp,465,submission -m comment --comment postfix -j ACCEPT

長話短說:切換OUTPUT策略並不是DROP很有用,需要充分了解您使用的每項服務的工作原理。

[*] 重讀你的問題後,你正在執行SSH在另一個連接埠上,您考慮允許 ssh 傳回封包,但您--dport像在所有其他規則中一樣使用。我不明白的是為什麼要運行失敗2禁止22如果沒有任何監聽,則連接埠上的 ssh 會被監禁。

相關內容