I am hosting a mail server (Postfix, Postfix Admin, Dovecot), a Minecraft server and a Discord bot, and I am trying to build a firewall with INPUT and OUTPUT DROP policies. With this configuration, however, everything stops working: for example, port 143 is open, yet my Roundcube cannot connect to the IMAP server; the same happens with my Minecraft server, where I open port 25565 but it just hangs there; and the Discord bot cannot connect to the Discord servers (which should be HTTP). If I set OUTPUT DROP it simply kills every connection, including my SSH (custom port 2233). Any help?
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT udp -- anywhere anywhere udp dpt:1988
ACCEPT tcp -- anywhere anywhere tcp dpt:1988
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT udp -- anywhere anywhere udp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:8192
ACCEPT udp -- anywhere anywhere udp dpt:8192
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
bungee tcp -- anywhere anywhere tcp dpt:25562
bungee tcp -- anywhere anywhere tcp dpt:25579
bungee tcp -- anywhere anywhere tcp dpt:25569
bungee tcp -- anywhere anywhere tcp dpt:25563
bungee tcp -- anywhere anywhere tcp dpt:25567
bungee tcp -- anywhere anywhere tcp dpt:41310
bungee tcp -- anywhere anywhere tcp dpt:41311
bungee tcp -- anywhere anywhere tcp dpt:41312
bungee tcp -- anywhere anywhere tcp dpt:25999
bungee tcp -- anywhere anywhere tcp dpt:25564
bungee tcp -- anywhere anywhere tcp dpt:30801
bungee tcp -- anywhere anywhere tcp dpt:30802
bungee tcp -- anywhere anywhere tcp dpt:30803
bungee tcp -- anywhere anywhere tcp dpt:30810
bungee tcp -- anywhere anywhere tcp dpt:25342
ACCEPT udp -- anywhere anywhere udp dpt:8183
ACCEPT udp -- anywhere anywhere udp dpt:8182
ACCEPT udp -- anywhere anywhere udp dpt:8181
ACCEPT udp -- anywhere anywhere udp dpt:8191
ACCEPT udp -- anywhere anywhere udp dpt:587
ACCEPT udp -- anywhere anywhere udp dpt:465
ACCEPT udp -- anywhere anywhere udp dpt:2233
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT udp -- anywhere anywhere udp dpt:143
ACCEPT udp -- anywhere anywhere udp dpt:993
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:25565
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:8191
ACCEPT tcp -- anywhere anywhere tcp dpt:8183
ACCEPT tcp -- anywhere anywhere tcp dpt:8182
ACCEPT tcp -- anywhere anywhere tcp dpt:8181
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:2233
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:2233
ACCEPT udp -- anywhere anywhere udp dpt:2233
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT udp -- anywhere anywhere udp dpt:143
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:25565
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT udp -- anywhere anywhere udp dpt:993
ACCEPT udp -- anywhere anywhere udp dpt:25565
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT udp -- anywhere anywhere udp dpt:465
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:8183
ACCEPT udp -- anywhere anywhere udp dpt:8182
ACCEPT udp -- anywhere anywhere udp dpt:8181
ACCEPT udp -- anywhere anywhere udp dpt:8191
ACCEPT tcp -- anywhere anywhere tcp dpt:8191
ACCEPT tcp -- anywhere anywhere tcp dpt:8183
ACCEPT tcp -- anywhere anywhere tcp dpt:8182
ACCEPT tcp -- anywhere anywhere tcp dpt:8181
ACCEPT tcp -- anywhere anywhere tcp dpt:25565
ACCEPT udp -- anywhere anywhere udp dpt:25565
ACCEPT udp -- anywhere anywhere udp dpt:465
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT udp -- anywhere anywhere udp dpt:143
ACCEPT udp -- anywhere anywhere udp dpt:993
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:2233
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT udp -- anywhere anywhere udp dpt:443
ACCEPT udp -- anywhere anywhere udp dpt:http-alt
ACCEPT udp -- anywhere anywhere udp dpt:80
ACCEPT udp -- anywhere anywhere udp dpt:2233
ACCEPT tcp -- anywhere anywhere tcp spt:smtp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:imap2 state ESTABLISHED
Chain bungee (15 references)
target prot opt source destination
ACCEPT all -- vmi294204.contaboserver.net anywhere
ACCEPT all -- localhost anywhere
DROP all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
You are missing some standard firewall rules that appear in almost every ruleset: you certainly want to allow all traffic over the loopback device (it comes from the server itself) and to allow every established connection (which you already accepted once). For performance reasons these rules usually come first.

In your OUTPUT chain all of your ports point in the wrong direction (--dport instead of --sport). A DROP policy for OUTPUT is very unusual; it requires a very good understanding of how your services and your system work.

You already noticed the missing ssh ACCEPT rule [*], and you probably want to add the same for OUTPUT as I did for INPUT. But you did not consider name resolution: DNS, and DHCP (if you are using it). ICMP is also almost a must: it is not only used by ping, it also delivers important diagnostic information such as "No route to host". Without it, every time a network error occurs your services wait until they time out.

PS: use the multiport and comment modules to make your rules more readable, e.g.:

TL;DR: switching your OUTPUT policy to DROP is not very useful and requires a good understanding of how every service you use works.

[*] After re-reading your question: you are running ssh on a different port, and you did think about allowing the ssh return packets, but you used --dport in all the other rules. What I do not understand is why you run a fail2ban jail for ssh on port 22 if nothing is listening there.