作为测试,我启动了一个 TorBrowser,获取了它的 IP,并在我的 VPS 上通过以下命令禁止了它:
sudo iptables -A INPUT -s <IP address> -j DROP
我仍然可以从 TorBrowser 浏览由我的服务器托管的页面。我什至仔细检查了 HTTP access.log 以确保 IP 是我禁止的 IP,确实如此。我错过了什么?
我的 iptables 文件在启动时被读入(通过iptables-restore
)
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# IP bans
-A INPUT -s 42.121.24.80 -j DROP
-A INPUT -s 121.196.43.157 -j DROP
-A INPUT -s 192.30.85.135 -j DROP
-A INPUT -s 94.102.53.175 -j DROP
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
# Mail
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
# Minecraft
-A INPUT -p tcp --dport 25565 -j ACCEPT
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
并iptables -L
输出:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
DROP all -- out524-80.mail.aliyun.com anywhere
DROP all -- ip196.hichina.com anywhere
DROP all -- 192.30.85.135-IP-Static-VISPERAD.COM anywhere
DROP all -- tor-exit-nl1.privacyfoundation.dk anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:25565
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
dmourati 问了
iptables -L INPUT
一个原因,也就是你目前的规则。在测试 torbrowser 之前,您已经发布了规则(或类似规则)。
现在在它的中间:
之后你执行了
所以你的规则在你接受所有端口 80 流量之后结束,因此没有什么可以丢弃,因为已经被接受了。
您应该添加规则
如果要优先使用 drop 命令,则需要在允许端口 80 的追加 (-A) 命令之前插入 (-I) 它。
订购事项,请尝试: