Questions tagged [firewall] (ubuntu)

Noah5CE
Asked: 2024-01-25 23:07:51 +0800 CST

What are the use cases for the "continue" verdict in nftables?

  • 6

It is described in the nftables documentation as:

continue  
    Continue ruleset evaluation with the next rule.
    This is the default behaviour in case a rule issues no verdict.

But I'm curious what the possible use cases for continue are.

firewall
  • 1 answer
  • 83 Views
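One concrete use case, as an added example that is not from the question or from the nftables documentation it quotes: in a verdict map every key must carry a verdict, and `continue` lets one key fall through to the rules after the map instead of being decided inside it. The interface, ports and rate are assumptions.

```nft
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Verdict map: every listed key needs a verdict. 80 and 443 are
        # accepted right here; 22 is mapped to "continue", so the map does
        # NOT accept it and evaluation proceeds with the next rule.
        tcp dport vmap { 22 : continue, 80 : accept, 443 : accept }

        # Reached for port 22 (and for ports not in the map at all):
        # accept a limited number of new ssh connections per minute.
        tcp dport 22 ct state new limit rate 10/minute accept

        # Explicit form of the default: count and log, issue no verdict,
        # and let the chain policy (drop) decide. Writing "continue" here
        # changes nothing but makes the intent visible.
        tcp dport 22 log prefix "ssh-excess: " counter continue
    }
}
```

Without `continue` the map would have to either omit 22 (then the map says nothing about it) or accept it outright; mapping it to `continue` keeps the port list in one place while leaving the ssh policy to later rules.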
joebird
Asked: 2024-01-03 12:32:59 +0800 CST

vsftpd cannot execute the LIST command even with the firewall disabled and from localhost

  • 5

I installed vsftpd and use ufw as my firewall. I can connect to the ftp server, log in and change directories, but any attempt to use the LIST command times out, both from outside and from localhost. From reading other answers, I believe this is caused by my passive ports not being opened correctly. However, as far as I can tell, the ports are open in ufw. Also, when I run ufw disable and retry, the problem still occurs. The fact that this happens on the same host as the server makes me believe something else is wrong on my system.

vsftpd log (/var/log/vsftpd)

Tue Jan  2 21:22:03 2024 [pid 2] CONNECT: Client "127.0.0.1"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", "220 (vsFTPd 3.0.3)"
Tue Jan  2 21:22:03 2024 [pid 2] FTP command: Client "127.0.0.1", "FEAT"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", "211-Features:"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", " EPRT??"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", " EPSV??"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", " MDTM??"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", " PASV??"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", " REST STREAM??"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", " SIZE??"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", " TVFS??"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", " UTF8??"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", "211 End"
Tue Jan  2 21:22:03 2024 [pid 2] FTP command: Client "127.0.0.1", "OPTS UTF8 ON"
Tue Jan  2 21:22:03 2024 [pid 2] FTP response: Client "127.0.0.1", "200 Always in UTF8 mode."
Tue Jan  2 21:22:03 2024 [pid 2] FTP command: Client "127.0.0.1", "USER anonymous"
Tue Jan  2 21:22:03 2024 [pid 2] [anonymous] FTP response: Client "127.0.0.1", "331 Please specify the password."
Tue Jan  2 21:22:03 2024 [pid 2] [anonymous] FTP command: Client "127.0.0.1", "PASS <password>"
Tue Jan  2 21:22:03 2024 [pid 1] [ftp] OK LOGIN: Client "127.0.0.1", anon password "lftp@"
Tue Jan  2 21:22:03 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "230 Login successful."
Tue Jan  2 21:22:03 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "PWD"
Tue Jan  2 21:22:03 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "257 "/" is the current directory"
Tue Jan  2 21:22:08 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "CWD /tv"
Tue Jan  2 21:22:08 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "250 Directory successfully changed."
Tue Jan  2 21:22:16 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "CWD /nonefolder"
Tue Jan  2 21:22:16 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "550 Failed to change directory."
Tue Jan  2 21:22:19 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "CWD /"
Tue Jan  2 21:22:19 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "250 Directory successfully changed."
Tue Jan  2 21:22:19 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "PASV"
Tue Jan  2 21:22:19 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,39,111)."
Tue Jan  2 21:22:19 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "LIST"
Tue Jan  2 21:22:27 2024 [pid 2] CONNECT: Client "127.0.0.1"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", "220 (vsFTPd 3.0.3)"
Tue Jan  2 21:22:27 2024 [pid 2] FTP command: Client "127.0.0.1", "FEAT"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", "211-Features:"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", " EPRT??"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", " EPSV??"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", " MDTM??"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", " PASV??"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", " REST STREAM??"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", " SIZE??"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", " TVFS??"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", " UTF8??"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", "211 End"
Tue Jan  2 21:22:27 2024 [pid 2] FTP command: Client "127.0.0.1", "OPTS UTF8 ON"
Tue Jan  2 21:22:27 2024 [pid 2] FTP response: Client "127.0.0.1", "200 Always in UTF8 mode."
Tue Jan  2 21:22:27 2024 [pid 2] FTP command: Client "127.0.0.1", "USER anonymous"
Tue Jan  2 21:22:27 2024 [pid 2] [anonymous] FTP response: Client "127.0.0.1", "331 Please specify the password."
Tue Jan  2 21:22:27 2024 [pid 2] [anonymous] FTP command: Client "127.0.0.1", "PASS <password>"
Tue Jan  2 21:22:27 2024 [pid 1] [ftp] OK LOGIN: Client "127.0.0.1", anon password "lftp@"
Tue Jan  2 21:22:27 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "230 Login successful."
Tue Jan  2 21:22:27 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "CWD /tv"
Tue Jan  2 21:22:27 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "250 Directory successfully changed."
Tue Jan  2 21:22:27 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "PASV"
Tue Jan  2 21:22:27 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,39,112)."
Tue Jan  2 21:22:27 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "LIST"
Tue Jan  2 21:22:42 2024 [pid 2] CONNECT: Client "127.0.0.1"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", "220 (vsFTPd 3.0.3)"
Tue Jan  2 21:22:42 2024 [pid 2] FTP command: Client "127.0.0.1", "FEAT"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", "211-Features:"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", " EPRT??"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", " EPSV??"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", " MDTM??"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", " PASV??"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", " REST STREAM??"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", " SIZE??"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", " TVFS??"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", " UTF8??"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", "211 End"
Tue Jan  2 21:22:42 2024 [pid 2] FTP command: Client "127.0.0.1", "OPTS UTF8 ON"
Tue Jan  2 21:22:42 2024 [pid 2] FTP response: Client "127.0.0.1", "200 Always in UTF8 mode."
Tue Jan  2 21:22:42 2024 [pid 2] FTP command: Client "127.0.0.1", "USER anonymous"
Tue Jan  2 21:22:42 2024 [pid 2] [anonymous] FTP response: Client "127.0.0.1", "331 Please specify the password."
Tue Jan  2 21:22:42 2024 [pid 2] [anonymous] FTP command: Client "127.0.0.1", "PASS <password>"
Tue Jan  2 21:22:42 2024 [pid 1] [ftp] OK LOGIN: Client "127.0.0.1", anon password "lftp@"
Tue Jan  2 21:22:42 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "230 Login successful."
Tue Jan  2 21:22:42 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "CWD /tv"
Tue Jan  2 21:22:42 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "250 Directory successfully changed."
Tue Jan  2 21:22:42 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "PASV"
Tue Jan  2 21:22:42 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,39,106)."
Tue Jan  2 21:22:42 2024 [pid 3] [ftp] FTP command: Client "127.0.0.1", "LIST"

ftp log

[root@ladybug ~]# lftp
lftp :~> open 127.0.0.1
lftp 127.0.0.1:~> cd
cd ok, cwd=/
lftp 127.0.0.1:/> cd tv
cd ok, cwd=/tv
lftp 127.0.0.1:/tv> cd ..
lftp 127.0.0.1:/> cd nonefolder
cd: Access failed: 550 Failed to change directory. (/nonefolder)
lftp 127.0.0.1:/> ls
ls: Fatal error: 500 OOPS:           
lftp 127.0.0.1:/> cd tv
lftp 127.0.0.1:/tv> ls
ls: Fatal error: 500 OOPS:                 
lftp 127.0.0.1:/tv> 

Filezilla log (a different run from the two above)

Status: Connecting to 192.168.1.12:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Switching to Binary mode.
Command:    PASV
Response:   227 Entering Passive Mode (192,168,1,12,39,110).
Command:    LIST
Error:  Could not read from transfer socket: ECONNRESET - Connection reset by peer
Error:  Connection closed by server
Error:  Failed to retrieve directory listing
Status: Disconnected from server
Status: Connecting to 192.168.1.12:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Switching to Binary mode.
Command:    PASV
Response:   227 Entering Passive Mode (192,168,1,12,39,114).
Command:    LIST
Error:  Connection closed by server
Error:  Failed to retrieve directory listing

/etc/vsftpd.conf

log_ftp_protocol=YES
xferlog_enable=YES
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
local_umask=022
anon_umask=022
anonymous_enable=YES
anon_upload_enable=YES
anon_root=/mnt/hdd-8tb/home/ftpd/
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
chown_uploads=YES
chown_username=ftpd
listen=YES
pam_service_name=vsftpd

ufw rules (when active)

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW       Anywhere                  
21/tcp                     ALLOW       Anywhere                  
10090:10100/tcp            ALLOW       Anywhere                  
20/tcp (v6)                ALLOW       Anywhere (v6)             
21/tcp (v6)                ALLOW       Anywhere (v6)             
10090:10100/tcp (v6)       ALLOW       Anywhere (v6)  

ftp root permissions

ftpd@ladybug:/mnt/hdd-8tb/home/ftpd$ ls -la
total 52
dr-xr-xr-x  9 ftpd ftpd 4096 Jan  1 18:47 .
drwxr-xr-x 14 root root 4096 Jan  1 18:39 ..
-rw-rw-r--  1 ftpd ftpd 3339 Jan  2 21:20 .bash_history
-rw-rw-r--  1 ftpd ftpd  220 Jan 28  2023 .bash_logout
-rw-rw-r--  1 ftpd ftpd 3771 Jan 28  2023 .bashrc
drwxr-xr-x  9 ftpd ftpd 4096 Jul 29 21:46 books
drwxr-xr-x  5 ftpd ftpd 4096 Apr 13  2023 comics
drwxr-xr-x 10 ftpd ftpd 4096 Dec 31 18:44 games
drwxr-xr-x  7 ftpd ftpd 4096 Aug 25 21:20 movies
drwxr-xr-x 16 ftpd ftpd 4096 Apr 13  2023 music
-rw-rw-r--  1 ftpd ftpd  807 Jan 28  2023 .profile
drwxr-xr-x 16 ftpd ftpd 4096 Nov 12 20:49 tv
drwxr-xr-x  2 ftpd ftpd 4096 Jan  1 18:47 util

I don't know what else to try. It looks like vsftpd just doesn't accept connections on these ports, even though I specified them. At this point I'm willing to try anything.

firewall
  • 1 answer
  • 51 Views
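A check a practitioner would run on the material above, added here and not part of the question: decode every `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply into its data port (p1*256+p2) and test it against both the pasv_min_port/pasv_max_port range in vsftpd.conf and the ranges ufw allows. The sample strings are constructed from the values shown in the question.

```python
import re

# Constructed sample input, shaped like the question's vsftpd.conf,
# vsftpd log, FileZilla log and ufw status (same values as shown there).
VSFTPD_CONF = """\
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
listen=YES
"""

PASV_LOG = """\
Tue Jan  2 21:22:19 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,39,111)."
Tue Jan  2 21:22:27 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,39,112)."
Tue Jan  2 21:22:42 2024 [pid 3] [ftp] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,39,106)."
Response:   227 Entering Passive Mode (192,168,1,12,39,110).
"""

UFW_STATUS = """\
To                         Action      From
--                         ------      ----
20/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
10090:10100/tcp            ALLOW       Anywhere
"""

PASV_RE = re.compile(r"227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
UFW_RE = re.compile(r"^(\d+)(?::(\d+))?/tcp\s+ALLOW\s+", re.M)


def parse_conf(text):
    """Minimal key=value parser for vsftpd.conf (comments and blanks skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def pasv_endpoints(text):
    """Decode every 227 reply into (advertised host, data port)."""
    out = []
    for m in PASV_RE.finditer(text):
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        out.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return out


def ufw_allowed_tcp(text):
    """Set of inbound tcp ports that ufw status shows as ALLOW (single or a:b range)."""
    allowed = set()
    for m in UFW_RE.finditer(text):
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        allowed.update(range(lo, hi + 1))
    return allowed


def check_pasv(conf_text, log_text, ufw_text):
    """One row per PASV reply: is the data port inside vsftpd's range and allowed by ufw?"""
    conf = parse_conf(conf_text)
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    allowed = ufw_allowed_tcp(ufw_text)
    return [
        {
            "host": host,
            "port": port,
            "in_vsftpd_range": lo <= port <= hi,
            "allowed_by_ufw": port in allowed,
        }
        for host, port in pasv_endpoints(log_text)
    ]


if __name__ == "__main__":
    for row in check_pasv(VSFTPD_CONF, PASV_LOG, UFW_STATUS):
        print(row)
```

With the question's values all four data ports (10095, 10096, 10090, 10094) fall inside 10090-10100 and inside the ufw range, which agrees with the poster's observation that the firewall is not what blocks LIST.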
GregoInc
Asked: 2023-11-19 08:06:43 +0800 CST

Strange dmesg UFW messages... lots of them

  • 7

I've done some digging but can't find anything that explains the following message I find in dmesg. Obviously the UFW firewall is blocking something, but I haven't succeeded in tracking down what is causing it.

[1170462.231472] [UFW BLOCK] IN=ens3 OUT= MAC=01:00:5e:00:00:01:d8:d5:b9:00:68:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

Any pointers on where to look would be greatly appreciated.

firewall
  • 1 answer
  • 233 Views
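A small triage parser for lines of this shape, added here and not part of the question: it splits a `[UFW BLOCK]` line into its key=value fields, maps the numeric PROTO to a name, and labels the packet. The first sample line is the one from the question; the other two are constructed (TEST-NET addresses) so that more than one class appears.

```python
import ipaddress
import re

# Numeric protocol values as netfilter prints them when no name is known.
PROTO_NAMES = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}

BLOCK_RE = re.compile(r"^\[\s*([\d.]+)\]\s+\[UFW BLOCK\]\s+(.*)$")
TOKEN_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: line 1 is from the question, lines 2 and 3 are made up.
SAMPLE_DMESG = """\
[1170462.231472] [UFW BLOCK] IN=ens3 OUT= MAC=01:00:5e:00:00:01:d8:d5:b9:00:68:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
[1170470.000001] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=12345 PROTO=TCP SPT=45000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
[1170480.000002] [UFW BLOCK] IN=ens3 OUT= MAC=01:00:5e:00:00:fb:00:00:00:00:00:00:08:00 SRC=198.51.100.9 DST=224.0.0.251 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""


def parse_ufw_block(line):
    """Split one [UFW BLOCK] line into a dict of fields; None if it is not one."""
    m = BLOCK_RE.match(line.strip())
    if not m:
        return None
    fields = {"uptime": float(m.group(1)), "flags": []}
    for tok in m.group(2).split():
        kv = TOKEN_RE.fullmatch(tok)
        if kv:
            fields[kv.group(1)] = kv.group(2)
        else:
            fields["flags"].append(tok)  # bare tokens such as DF or SYN
    proto = fields.get("PROTO", "")
    fields["PROTO"] = PROTO_NAMES.get(proto, proto)  # "2" -> "IGMP"
    return fields


def classify(fields):
    """Label a blocked packet from a defender's point of view."""
    dst = ipaddress.ip_address(fields["DST"])
    proto = fields["PROTO"]
    ttl = int(fields.get("TTL", "0"))
    if proto == "IGMP" and dst.is_multicast and ttl == 1:
        # IGMP to 224.0.0.1 (all hosts) with TTL 1 is a membership query
        # from a multicast-aware router or switch on the same segment:
        # link-local housekeeping, not a connection attempt.
        return "igmp-query-noise"
    if dst.is_multicast:
        return "multicast"
    if proto == "TCP" and "SYN" in fields["flags"]:
        return "unsolicited-tcp-syn"
    return "other"


def triage(text):
    """Parse and classify every [UFW BLOCK] line in a dmesg excerpt."""
    rows = []
    for line in text.splitlines():
        fields = parse_ufw_block(line)
        if fields is not None:
            fields["class"] = classify(fields)
            rows.append(fields)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_DMESG):
        print(f'{row["class"]:22} {row["PROTO"]:5} {row["SRC"]} -> {row["DST"]}')
```

On the question's own line this yields igmp-query-noise: PROTO=2 is IGMP, 224.0.0.1 is the all-hosts group, the destination MAC 01:00:5e:00:00:01 is its multicast MAC and TTL=1 means the packet cannot leave the segment, so a router or switch is polling for multicast group members rather than probing the host.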
flen
Asked: 2022-05-20 10:07:06 +0800 CST

How to block the internet but keep wifi available for RDP using UFW?

  • 0

I'm accessing my Ubuntu machine via RDP from a Windows desktop on the same wifi network (that is, I only use RDP locally, not over the internet). I want to disable all internet traffic but still allow WLAN traffic, because I need it to control the machine through RDP.

Is there a simple option/rule in RDP to achieve this? If possible, I'd like to create a script or have some simple option to quickly block all internet / allow all internet again.

The reason I want to do this is that I often leave the machine on and don't attend to it, update it, etc. The security configuration isn't the best either, since it's more of a test machine. I think disabling the internet in these situations, just to avoid any attacks, is a good idea.

Related question: Block internet access and keep LAN access - firewall (it uses iptables directly, but I'm not savvy enough to deal with them; I'd prefer to use UFW)

firewall
  • 1 answer
  • 85 Views
Shivank Anchal
Asked: 2020-12-22 10:46:51 +0800 CST

My port is closed even after port forwarding

  • 0

I'm running Apache2 on Ubuntu 20.04, and my server is accessible from every device connected to my WIFI router, including phones and laptops. This is what is shown when I access my server. Now I want to access my server from the Internet.

This is the output of route -n

frozenmafia@frozenmafia-H81M-S:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlxd03745b828ea
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlxd03745b828ea
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlxd03745b828ea

This is the output of ifconfig

frozenmafia@frozenmafia-H81M-S:~$ ifconfig
enp3s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 40:8d:5c:a5:eb:f9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 5856  bytes 572976 (572.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5856  bytes 572976 (572.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlxd03745b828ea: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.39  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::2970:d411:fb39:7ff6  prefixlen 64  scopeid 0x20<link>
        ether d0:37:45:b8:28:ea  txqueuelen 1000  (Ethernet)
        RX packets 388866  bytes 507534243 (507.5 MB)
        RX errors 0  dropped 2905  overruns 0  frame 0
        TX packets 263147  bytes 67686494 (67.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

This is the output of ufw status

frozenmafia@frozenmafia-H81M-S:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere                  
8080                       ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
Apache Full (v6)           ALLOW       Anywhere (v6)             
8080 (v6)                  ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)   

This is the output of sudo netstat -tlpn

frozenmafia@frozenmafia-H81M-S:~$ sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      706/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      975/sshd: /usr/sbin 
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      938/cupsd           
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2201/smbd           
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2201/smbd           
tcp6       0      0 :::80                   :::*                    LISTEN      1045/apache2        
tcp6       0      0 :::22                   :::*                    LISTEN      975/sshd: /usr/sbin 
tcp6       0      0 ::1:631                 :::*                    LISTEN      938/cupsd           
tcp6       0      0 :::445                  :::*                    LISTEN      2201/smbd           
tcp6       0      0 :::139                  :::*                    LISTEN      2201/smbd    

To make my machine public, I need to do port forwarding. For that I configured my WIFI router. This is how I did it.

This is my WAN status

I believe this should be enough to make my machine public. I tested it here. It shows that my port is closed.

Now I thought of using iptables to do the port forwarding. I followed this tutorial and entered the following commands.

frozenmafia@frozenmafia-H81M-S:~$ cat /proc/sys/net/ipv4/conf/wlxd03745b828ea/forwarding 
1
frozenmafia@frozenmafia-H81M-S:~$ sudo  iptables -t nat -A PREROUTING -p tcp -i wlxd03745b828ea --dport 80 -j DNAT --to-destination 192.168.1.39:80
frozenmafia@frozenmafia-H81M-S:~$ sudo iptables -A FORWARD -p tcp -d 192.168.1.39 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
frozenmafia@frozenmafia-H81M-S:~$ ip route
default via 192.168.1.1 dev wlxd03745b828ea proto dhcp metric 600 
169.254.0.0/16 dev wlxd03745b828ea scope link metric 1000 
192.168.1.0/24 dev wlxd03745b828ea proto kernel scope link src 192.168.1.39 metric 600 

Now I believe I have done everything to make my server public. I tested my machine's accessibility here again, and it shows that I failed.

I have contacted my ISP and confirmed that all ports are open. I hope I have explained and substantiated everything I did. It would be great if someone could correct me and provide a solution to my problem. Thank you

networking server iptables apache2 firewall
  • 1 answer
  • 861 Views
dandreye
Asked: 2020-12-08 16:50:44 +0800 CST

NAT for a non-directly-connected network

  • 0

I added the following UFW configuration at the top of before.rules (besides all the corresponding prerequisites, such as enabling IP routing on the platform itself, changing the default forward policy from DROP to ACCEPT, and enabling IP forwarding in the UFW configuration):

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
COMMIT

Does the subnet 10.100.0.0/24 have to be directly connected to some interface of the Ubuntu VM running this UFW? If so, how do I configure UFW to NAT a non-directly-connected subnet to the Internet? For example:

UserA--10.100.0.x/24---10.100.0.1/24--(Router1)--1.1.1.1/24-----1.1.1.2/24--(UFW)--Internet

Thanks in advance!

networking firewall ufw
  • 1 answer
  • 202 Views
iBug
Asked: 2020-11-25 12:14:40 +0800 CST

Warning: iptables-legacy tables present

  • 6

I migrated my Ubuntu Focal server's firewall backend from legacy iptables to netfilter by running update-alternatives --set iptables /usr/sbin/iptables-nft and rebooting the server. All the tables shown by iptables-legacy -S are now empty, but when I run iptables -S the last line always says:

# Warning: iptables-legacy tables present, use iptables-legacy to see them

After that, I removed iptables-legacy from the alternatives with the following command:

update-alternatives --remove iptables /usr/sbin/iptables-legacy

Now only the netfilter version is shown

root@iBug-Server:~# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save

How can I get rid of this warning?

networking iptables firewall nftables
  • 1 answer
  • 14638 Views
user1150482
Asked: 2020-11-24 16:18:58 +0800 CST

How to set up iptables to access my apache2 server from the public IP

  • 0

I set up my Oracle Cloud instance on ubuntu 20.04 and installed an apache2 server. It works with curl localhost but not from my instance's public IP. My ufw status:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Apache                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

If I do sudo ufw disable it still can't connect.

It only connects when I do this:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

But obviously I don't want to do that.

If I add some rules to iptables:

sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo netfilter-persistent save

it doesn't change anything

EDIT
sudo iptables -S OUTPUT:

-P OUTPUT ACCEPT
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A OUTPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

iptables apache2 firewall ufw 20.04
  • 1 answer
  • 1507 Views
bomben
Asked: 2020-11-21 01:42:21 +0800 CST

Why does iptables -F kick me out of my ssh session?

  • 1

I want to add some rules to iptables from this question and its answers, to route the traffic from the torrent program transmission through a vpn (surfshark in my case).

At least two of the answers use iptables -F to flush the tables before adding the custom rules.

One of the answers specifically refers to headless servers (like mine). So I suspect this should work.

However, if I use iptables -F, I'm immediately kicked out of my ssh session with the server. I can't type any new commands in the terminal and have to reboot the server to log in again.

I run a firewall on the server that allows port 22 from every IP.

To clarify, I'll add some output from before and after applying the accepted answer:

Before (note policy DROP):

$ sudo iptables -xvnL
Chain INPUT (policy DROP 21 packets, 5628 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     387    31969 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
   27008 50413306 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   27008 50413306 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     153    26176 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      21     5628 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      21     5628 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      21     5628 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 7 packets, 324 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    7130   870596 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    7130   870596 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     997   113175 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     997   113175 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     997   113175 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     997   113175 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0      

 

After:

$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 12648 packets, 12M bytes)

This is after I set policy ACCEPT, then flushed, then added the transmission-daemon rules from the other answer here, then made this setup persist across reboots with sudo dpkg-reconfigure iptables-persistent, rebooted and logged in via ssh. I now want to set policy DROP, but that would kick me out again.

Maybe also interesting regarding ufw: I deactivated the firewall just to be safe. After I reactivated it, it threw me out as well (while policy ACCEPT). Of course I have an allow 22 rule. I had to reboot before I could log in again with a normally working firewall.

I lack understanding of iptables and will definitely look into it. I don't understand it, if the main policy is ACCEPT and the firewall has 22 open.

$ sudo iptables -xvnL
[sudo] Passwort für ben: 
Chain INPUT (policy ACCEPT 34981 packets, 9871660 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     121    15110 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
       0        0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
     134    12445 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 19730 packets, 3108705 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            192.168.100.0/25     tcp spt:9091 owner GID match 136
       0        0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            192.168.100.0/25     udp spt:9091 owner GID match 136
       0        0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            owner GID match 136
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            owner GID match 136
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 136 reject-with icmp-port-unreachable

Chain f2b-sshd (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
     121    15110 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-logging-allow (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-logging-deny (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-not-local (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit-accept (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination 

The firewall rules here:

$ sudo ufw status
Status: Aktiv

Zu                         Aktion      Von
--                         ------      ---
22                         ALLOW       192.168.100.0/24          
5900                       ALLOW       192.168.100.0/24           # vnc
1900                       ALLOW       192.168.100.0/24           # minidlna
8200                       ALLOW       192.168.100.0/24           # minidlna
445                        ALLOW       192.168.100.0/24           # cifs
5901                       ALLOW       192.168.100.0/24           # vnc
5902                       ALLOW       192.168.100.0/24           # vnc

One more thing: do I have an eth0 interface at all? My ZOTAC mini PC has two ethernet connections, and I'm just confused that eth0 doesn't show up. The script used to set up the rules uses IFACE_INTERNAL=eth0. Could that be a problem?

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:01:2e:4d:52:96 brd ff:ff:ff:ff:ff:ff
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:01:2e:4d:52:9b brd ff:ff:ff:ff:ff:ff
4: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:d2:92:57:c2:53 brd ff:ff:ff:ff:ff:ff
networking server iptables ssh firewall
  • 1 answer
  • 534 Views
Stonecraft
Asked: 2020-10-18 15:55:36 +0800 CST

ufw delete allow 'Nginx HTTP': Could not delete non-existent rule, but it does exist

  • 0

I've successfully set up nginx using these instructions, but one part of it has never worked for me, and it bothers me even though it doesn't seem to cause any problems.

root@devtest:/home/dev-admin# ufw app list
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
root@devtest:/home/dev-admin# sudo ufw delete allow 'Nginx HTTP'
Could not delete non-existent rule
Could not delete non-existent rule (v6)
root@devtest:/home/dev-admin# ufw app list
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

What am I missing here? Isn't this the correct syntax for deleting a rule? This is on Ubuntu 20.04, but I got the same result on 18.04.

server firewall ufw nginx
  • 1 answer
  • 1054 Views
