Debian

IPTables policy INPUT DROP but still accepting connections

  • June 9, 2016

I configured iptables with the following rules:

iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

But nmap reports more open ports than 80, 22 and 53:

root@ns1:/# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@ns1:/# nmap -vv 10.0.0.2
...
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
...

What could be going on? I believe ports 111, 139 and 445 should not be showing up.

Two points:

Remove the first rule, which accepts anything from anywhere:

# iptables -D INPUT 1

Then bear in mind that any connection that is already open is still able to get through iptables, because it was established before the rule was created, so a service restart might fix it.
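As an added example that is not part of the original question or answer, the POSIX shell script below performs the comparison offline: it pulls the allowed TCP ports out of an `iptables -S INPUT` style rule dump and lists every port an nmap scan reports open that no port ACCEPT rule covers. Both the rule dump and the nmap output are constructed here from the commands and port table in the question, not captured from a live host. The dump is in `-S` form on purpose: `iptables -L` without `-v` omits the interface column, so the `-i lo -j ACCEPT` rule from the question prints as `ACCEPT all -- anywhere anywhere`, whereas `iptables -S INPUT` or `iptables -L -v -n` keep the `lo` match visible.

```shell
#!/bin/sh
# Added example (not from the original question or answer): derive the TCP
# ports an INPUT chain accepts from an "iptables -S INPUT" dump and compare
# them with what an nmap scan reports as open.

# Assumed "iptables -S INPUT" output for the rules in the question
# (constructed, not captured). Unlike "iptables -L", this form keeps the
# interface match, so the first ACCEPT rule is visibly the loopback rule.
RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

# Constructed nmap "normal" output matching the port table in the question.
SCAN='PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds'

# Read rules from stdin and print the port of every
# "-A INPUT ... -p tcp ... --dport N ... -j ACCEPT" rule, one per line.
# Rules without a --dport (the "-i lo" rule, the conntrack rule) are skipped:
# they are not port allow-list entries.
allowed_tcp_ports() {
    while read -r line; do
        case "$line" in
            "-A INPUT "*"-p tcp "*"--dport "*"-j ACCEPT") ;;
            *) continue ;;
        esac
        rest=${line#*"--dport "}
        printf '%s\n' "${rest%%" "*}"
    done
}

# $1: space-separated allowed TCP ports; stdin: nmap normal output.
# Prints every TCP port nmap reports as open that is not in the allow list.
unexpected_open_tcp() {
    list=" $1 "
    while read -r port state rest; do
        case "$port" in */tcp) ;; *) continue ;; esac
        [ "$state" = open ] || continue
        num=${port%/tcp}
        case "$list" in
            *" $num "*) ;;
            *) printf '%s\n' "$num" ;;
        esac
    done
}

allowed=$(printf '%s\n' "$RULES" | allowed_tcp_ports | tr '\n' ' ')
echo "TCP ports the INPUT chain accepts by port: $allowed"
echo "Open TCP ports not covered by a port ACCEPT rule:"
printf '%s\n' "$SCAN" | unexpected_open_tcp "$allowed"
```

Run the nmap scan from a different host than the one being audited: a scan of the machine's own address is delivered over `lo`, where the `-i lo -j ACCEPT` rule accepts it before any port rule is consulted, so such a scan says nothing about what the network can reach.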

Source: https://serverfault.com/questions/782977