我想从这个问题中向 iptables 添加一些规则,并回答通过 vpn(在我的情况下为 surfshark)传输来自 torrent 程序传输的路由流量。
在添加自定义规则之前,至少有两个答案用于iptables -F刷新表。
其中一个答案专门引用了无头服务器(如我的)。所以我怀疑这应该可行。
但是,如果我使用iptables -F,我会立即被踢出与服务器的 ssh 会话。我无法在终端上键入任何新命令,必须重新启动服务器才能再次登录。
我在服务器上运行了一个防火墙,允许端口 22 访问每个 IP。
为了澄清起见,我将在应用接受的答案之前和之后添加一些输出:
之前(注意policy DROP):
$ sudo iptables -xvnL
Chain INPUT (policy DROP 21 packets, 5628 bytes)
pkts bytes target prot opt in out source destination
387 31969 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
27008 50413306 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
27008 50413306 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
153 26176 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
21 5628 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
21 5628 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
21 5628 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 7 packets, 324 bytes)
pkts bytes target prot opt in out source destination
7130 870596 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
7130 870596 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
997 113175 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
997 113175 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
997 113175 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
997 113175 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
后:
$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 12648 packets, 12M bytes)
这是在我设置为之后policy ACCEPT,然后刷新,然后在此处transmission-daemon添加来自其他答案的规则,然后在重新启动后使此设置保持不变,重新启动并登录。我现在想,但这会再次把我踢出去。sudo dpkg-reconfigure iptables-persistentsshpolicy DROP
ufw也许很有趣:我只是为了确保安全而停用了防火墙。在我重新激活它之后,它也把我扔了出去(while policy ACCEPT)。当然,我有一个allow 22规则。我必须重新启动,然后才能使用正常工作的防火墙再次登录。
我缺乏了解,iptables并且一定会调查它。我不知道如果主要策略是ACCEPT并且防火墙有一个开放的22.
$ sudo iptables -xvnL
[sudo] Passwort für ben:
Chain INPUT (policy ACCEPT 34981 packets, 9871660 bytes)
pkts bytes target prot opt in out source destination
121 15110 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
134 12445 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 19730 packets, 3108705 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.100.0/25 tcp spt:9091 owner GID match 136
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 192.168.100.0/25 udp spt:9091 owner GID match 136
0 0 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0 owner GID match 136
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 owner GID match 136
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 136 reject-with icmp-port-unreachable
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
121 15110 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-deny (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-not-local (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (0 references)
pkts bytes target prot opt in out source destination
这里的防火墙规则:
$ sudo ufw status
Status: Aktiv
Zu Aktion Von
-- ------ ---
22 ALLOW 192.168.100.0/24
5900 ALLOW 192.168.100.0/24 # vnc
1900 ALLOW 192.168.100.0/24 # minidlna
8200 ALLOW 192.168.100.0/24 # minidlna
445 ALLOW 192.168.100.0/24 # cifs
5901 ALLOW 192.168.100.0/24 # vnc
5902 ALLOW 192.168.100.0/24 # vnc
另外一件事:我有eth0界面吗?我的 ZOTAC mini PC 有两个以太网连接,我只是很困惑,eth0没有出现。用于设置规则的脚本使用IFACE_INTERNAL=eth0. 这可能是个问题吗?
$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 00:01:2e:4d:52:96 brd ff:ff:ff:ff:ff:ff
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 00:01:2e:4d:52:9b brd ff:ff:ff:ff:ff:ff
4: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 0c:d2:92:57:c2:53 brd ff:ff:ff:ff:ff:ff
是的,
iptables -F chain将刷新该链的所有 iptables 规则,因此将仅使用默认策略规则。您的参考文献的默认策略似乎是
ACCEPT,而您计算机上的默认策略是DROP。通过检查
sudo iptables -xvnL。如果要删除链中的所有规则,但要保留 ssh 会话,请将默认策略更改为ACCEPTfirst。DROP您可以在拥有所需规则并确认您的 ssh 数据包不再依赖默认策略通过后将其更改回。您可能还需要在 OUTPUT 链上使用它。