Debian
iptables policy INPUT DROP, but connections are still accepted
I configured iptables with the following rules:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
But nmap reports open ports other than 80, 22 and 53:
root@ns1:/# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@ns1:/# nmap -vv 10.0.0.2
...
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
...
What could be happening? I believe that ports 111, 139 and 445 should not appear.
Two points:
Delete the first rule, which accepts anything from anywhere:
# iptables -D INPUT 1
Then keep in mind that any already-open connection can still pass through iptables, because it was established before the rules were created, so perhaps a service restart would fix it.
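As an added example, not code from the question or the answer: a small Python simulation of iptables first-match evaluation over the INPUT chain above, in the order the -I and -A commands produce. Plain `iptables -L` omits the `-i lo` qualifier of the first rule, so it is listed as "all anywhere anywhere" although it matches only loopback traffic; the packets below are constructed, and treating the scan as having reached the host over lo is an assumption, not something the page states.

```python
# Added example (not from the question or the answer): a first-match
# simulation of the INPUT chain built by the rules in the question.
# Rule order is what the -I (insert at top) and -A (append) commands
# produce, i.e. the order "iptables -L" printed above.
RULES = [
    ({"iif": "lo"}, "ACCEPT"),                            # -I INPUT -i lo
    ({"proto": "tcp", "dport": 22}, "ACCEPT"),            # -I INPUT --dport 22
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),            # -A INPUT --dport 80
    ({"proto": "tcp", "dport": 443}, "ACCEPT"),           # -A INPUT --dport 443
    ({"ctstate": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),  # -m conntrack
    ({"proto": "tcp", "dport": 53}, "ACCEPT"),            # -A INPUT tcp 53
    ({"proto": "udp", "dport": 53}, "ACCEPT"),            # -A INPUT udp 53
]
POLICY = "DROP"                                           # -P INPUT DROP


def matches(match, pkt):
    """True if every qualifier of the rule matches the packet."""
    for key, want in match.items():
        have = pkt.get(key)
        if key == "ctstate":
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def verdict(pkt, rules=RULES, policy=POLICY):
    """Walk the chain top to bottom and return (rule_number, target).
    rule_number 0 means no rule matched and the chain policy applied."""
    for n, (match, target) in enumerate(rules, start=1):
        if matches(match, pkt):
            return n, target
    return 0, policy


def new_syn(iif, dport, proto="tcp"):
    """Constructed packet: the first SYN of a fresh (NEW) scan connection."""
    return {"iif": iif, "proto": proto, "dport": dport, "ctstate": "NEW"}


if __name__ == "__main__":
    # Port 445 is in no ACCEPT rule, yet rule 1 accepts it when the packet
    # arrives on lo (assumed here); on eth0 it falls through to DROP.
    print(verdict(new_syn("lo", 445)))                   # (1, 'ACCEPT')
    print(verdict(new_syn("eth0", 445)))                 # (0, 'DROP')
    # A flow that is already ESTABLISHED is accepted by rule 5 on any port.
    print(verdict({"iif": "eth0", "proto": "tcp", "dport": 445,
                   "ctstate": "ESTABLISHED"}))           # (5, 'ACCEPT')
    # After the answer's "iptables -D INPUT 1", lo traffic is no longer exempt.
    print(verdict(new_syn("lo", 445), rules=RULES[1:]))  # (0, 'DROP')
```

`iptables -L -v -n --line-numbers` prints the in/out interface columns and rule numbers, which is the quickest way to confirm what rule 1 actually matches on the real box.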