But if I do either of the following, all outgoing connections seem to be cut off:

Remove this rule:

    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Add these:

    iptables -t raw -I OUTPUT -j NOTRACK
    iptables -t raw -I PREROUTING -j NOTRACK

Immediately after making either change, "ping google.com" returns an error about being unable to find "google.com" (i.e. DNS stops resolving).
These are the rules loaded at boot, but fail2ban adds others:

    *filter
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp --dport ssh -j ACCEPT
    -A INPUT -p tcp --dport http -j ACCEPT
    -A INPUT -p tcp --dport https -j ACCEPT
    -A INPUT -p tcp --dport smtp -j ACCEPT
    -A INPUT -p tcp --dport ssmtp -j ACCEPT
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    COMMIT
This is the output of iptables --list:

    Chain INPUT (policy ACCEPT)
    target                prot opt source               destination
    fail2ban-ssh          tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-ssh-ddos     tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-pam-generic  tcp  --  anywhere             anywhere
    ACCEPT                all  --  anywhere             anywhere
    REJECT                all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
    ACCEPT                all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT                icmp --  anywhere             anywhere
    ACCEPT                tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT                tcp  --  anywhere             anywhere             tcp dpt:www
    ACCEPT                tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT                tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT                tcp  --  anywhere             anywhere             tcp dpt:ssmtp
    REJECT                all  --  anywhere             anywhere             reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target                prot opt source               destination
    REJECT                all  --  anywhere             anywhere             reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target                prot opt source               destination
    ACCEPT                all  --  anywhere             anywhere

    Chain fail2ban-pam-generic (1 references)
    target                prot opt source               destination
    RETURN                all  --  anywhere             anywhere

    Chain fail2ban-ssh (1 references)
    target                prot opt source               destination
    RETURN                all  --  anywhere             anywhere

    Chain fail2ban-ssh-ddos (1 references)
    target                prot opt source               destination
    RETURN                all  --  anywhere             anywhere

Solution:

You have a rule that blocks all incoming traffic:
    -A INPUT -j REJECT

and you have stopped connection tracking, so the rule that accepts packets belonging to established connections no longer works:

    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

So your DNS packets go out, are not tracked, and are then rejected by the first rule.

You need to enable tracking for the second rule to work, or add rules that allow incoming traffic from "good" sources.
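An added illustration, not part of the original question or answer: a small Python simulation of iptables first-match evaluation over the INPUT chain above, run with and without conntrack, plus one way to implement the answer's second option with stateless substitutes (assumed rules `-p udp --sport 53 -j ACCEPT` and `-p tcp ! --syn -j ACCEPT`). The packet model, match names and sample packets are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str             # "udp" or "tcp"
    sport: int
    dport: int
    syn: bool = False      # TCP SYN flag set (new connection attempt)
    reply: bool = True     # conntrack would classify this as ESTABLISHED
    tracked: bool = True   # False when `-t raw ... -j NOTRACK` applied to the flow

def m_established(p):
    # -m state --state ESTABLISHED,RELATED: needs conntrack to have seen the
    # flow; an untracked packet is never ESTABLISHED, so this cannot match it.
    return p.tracked and p.reply

def m_ssh(p):                 # -p tcp --dport ssh -j ACCEPT
    return p.proto == "tcp" and p.dport == 22

def m_any(p):                 # -j REJECT (catch-all)
    return True

# Stateless substitutes: trust source port / TCP flags instead of conntrack.
def m_udp_from_dns(p):        # assumed rule: -p udp --sport 53 -j ACCEPT
    return p.proto == "udp" and p.sport == 53

def m_tcp_not_syn(p):         # assumed rule: -p tcp ! --syn -j ACCEPT
    return p.proto == "tcp" and not p.syn

STATEFUL_INPUT = [(m_established, "ACCEPT"), (m_ssh, "ACCEPT"), (m_any, "REJECT")]
STATELESS_INPUT = [(m_udp_from_dns, "ACCEPT"), (m_tcp_not_syn, "ACCEPT"),
                   (m_ssh, "ACCEPT"), (m_any, "REJECT")]

def verdict(chain, pkt, policy="ACCEPT"):
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for match, target in chain:
        if match(pkt):
            return target
    return policy

def dns_reply(tracked):
    # Constructed: resolver's answer to our query (src port 53 -> our high port).
    return Packet("udp", 53, 40000, reply=True, tracked=tracked)

def spoofed_udp_probe():
    # Constructed: unsolicited packet that merely claims source port 53. Conntrack
    # knows no such flow, but a stateless sport-53 rule cannot tell the difference.
    return Packet("udp", 53, 40001, reply=False, tracked=True)
```

`verdict(STATEFUL_INPUT, dns_reply(False))` reproduces the symptom (REJECT), while `verdict(STATELESS_INPUT, dns_reply(False))` accepts the reply; `spoofed_udp_probe()` shows the price of going stateless, since the same rule also accepts unsolicited packets that spoof source port 53.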
Source: "linux - trying to make iptables stateless causes unexpected filtering", as reposted by 内存溢出.