Iptables
ipset rule on iptables does not match
I want to block all IP addresses except those from a specific country. So I installed ipset, downloaded the IP range list from ipdeny.com and did this:
    # creating the set needs CAP_NET_ADMIN, so it is run with sudo like the -A calls
    sudo ipset create allow-list hash:net
    # the zone file from ipdeny.com is one CIDR per line
    for i in $(cat /home/pi/firewall/country-aggregated.zone); do sudo ipset -A allow-list "$i"; done
If I run "sudo ipset list":
    Name: allow-list
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 5408
    References: 0
    Number of entries: 97
    Members:
    89.183.60.0/22
    etc...
Then I have to add a rule to DOCKER-USER and INPUT to block all services. To test it, I blocked the country and tested whether I could access the services, but I still could. So something is wrong with my configuration.
    sudo iptables -I DOCKER-USER -m set --match-set allow-list src -j DROP
    sudo iptables -A INPUT -m set --match-set allow-list src -j DROP
My iptables filter table with the DOCKER-USER and INPUT chains (iptables -L -v -n) looks like this:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      310 19940 ACCEPT     all  --  *      *       192.168.1.102        0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set allow-list src

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    3564K 2076M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3564K 2076M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
     5350 2397K ACCEPT     all  --  *      br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
     6261  414K DOCKER     all  --  *      br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0
    11135 1009K ACCEPT     all  --  br-c80792c5d0cc !br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0
    3037K 1724M ACCEPT     all  --  *      br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    29923 1796K DOCKER     all  --  *      br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  br-89ecb09e5185 !br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0
    29923 1796K ACCEPT     all  --  br-89ecb09e5185 br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0
       69 10621 ACCEPT     all  --  *      br-451331e576b8  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       10  1222 DOCKER     all  --  *      br-451331e576b8  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  br-451331e576b8 !br-451331e576b8  0.0.0.0/0            0.0.0.0/0
       10  1222 ACCEPT     all  --  br-451331e576b8 br-451331e576b8  0.0.0.0/0            0.0.0.0/0
     349K  210M ACCEPT     all  --  *      br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    31128 1866K DOCKER     all  --  *      br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0
    94113  135M ACCEPT     all  --  br-2db6a76ed3c5 !br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0
    29958 1798K ACCEPT     all  --  br-2db6a76ed3c5 br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain DOCKER (5 references)
     pkts bytes target     prot opt in     out     source               destination
     1170 68000 ACCEPT     tcp  --  !br-2db6a76ed3c5 br-2db6a76ed3c5  0.0.0.0/0            172.25.0.2           tcp dpt:8080
        0     0 ACCEPT     tcp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           tcp dpt:443
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30009
        0     0 ACCEPT     tcp  --  !br-451331e576b8 br-451331e576b8  0.0.0.0/0            172.20.0.3           tcp dpt:80
        0     0 ACCEPT     tcp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           tcp dpt:80
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30008
        0     0 ACCEPT     udp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           udp dpt:67
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30007
        0     0 ACCEPT     tcp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           tcp dpt:53
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30006
     6261  414K ACCEPT     udp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           udp dpt:53
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30005
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30004
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30003
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30002
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30001
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30000
        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:21

    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    11135 1009K DOCKER-ISOLATION-STAGE-2  all  --  br-c80792c5d0cc !br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0
        0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-89ecb09e5185 !br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0
        0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-451331e576b8 !br-451331e576b8  0.0.0.0/0            0.0.0.0/0
    94113  135M DOCKER-ISOLATION-STAGE-2  all  --  br-2db6a76ed3c5 !br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0
    3564K 2076M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain DOCKER-ISOLATION-STAGE-2 (5 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      br-451331e576b8  0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0
     105K  136M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain DOCKER-USER (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set allow-list src
    1831K 1083M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
nat table (iptables -t nat -nvL):
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     7467  484K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
     3957  267K MASQUERADE  all  --  *      !br-c80792c5d0cc  172.28.0.0/16        0.0.0.0/0
        0     0 MASQUERADE  all  --  *      !br-89ecb09e5185  172.24.0.0/16        0.0.0.0/0
        0     0 MASQUERADE  all  --  *      !br-451331e576b8  172.20.0.0/16        0.0.0.0/0
        5   392 MASQUERADE  all  --  *      !br-2db6a76ed3c5  172.25.0.0/16        0.0.0.0/0
        0     0 MASQUERADE  tcp  --  *      *       172.25.0.2           172.25.0.2           tcp dpt:8080
        0     0 MASQUERADE  tcp  --  *      *       172.28.0.2           172.28.0.2           tcp dpt:443
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30009
        0     0 MASQUERADE  tcp  --  *      *       172.20.0.3           172.20.0.3           tcp dpt:80
        0     0 MASQUERADE  tcp  --  *      *       172.28.0.2           172.28.0.2           tcp dpt:80
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30008
        0     0 MASQUERADE  udp  --  *      *       172.28.0.2           172.28.0.2           udp dpt:67
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30007
        0     0 MASQUERADE  tcp  --  *      *       172.28.0.2           172.28.0.2           tcp dpt:53
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30006
        0     0 MASQUERADE  udp  --  *      *       172.28.0.2           172.28.0.2           udp dpt:53
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30005
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30004
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30003
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30002
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30001
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30000
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:21

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       21  1407 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

    Chain DOCKER (2 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
        0     0 RETURN     all  --  br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0
        0     0 RETURN     all  --  br-89ecb09e5185 *       0.0.0.0/0            0.0.0.0/0
        0     0 RETURN     all  --  br-451331e576b8 *       0.0.0.0/0            0.0.0.0/0
        0     0 RETURN     all  --  br-2db6a76ed3c5 *       0.0.0.0/0            0.0.0.0/0
     1195 69492 DNAT       tcp  --  !br-2db6a76ed3c5 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.25.0.2:8080
        0     0 DNAT       tcp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.28.0.2:443
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30009 to:172.17.0.2:30009
        0     0 DNAT       tcp  --  !br-451331e576b8 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6875 to:172.20.0.3:80
        0     0 DNAT       tcp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.28.0.2:80
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30008 to:172.17.0.2:30008
        0     0 DNAT       udp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 to:172.28.0.2:67
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30007 to:172.17.0.2:30007
        0     0 DNAT       tcp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:172.28.0.2:53
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30006 to:172.17.0.2:30006
     6253  413K DNAT       udp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.28.0.2:53
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30005 to:172.17.0.2:30005
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30004 to:172.17.0.2:30004
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30003 to:172.17.0.2:30003
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30002 to:172.17.0.2:30002
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30001 to:172.17.0.2:30001
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30000 to:172.17.0.2:30000
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:172.17.0.2:21
mangle table (iptables -t mangle -L -nv):
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
raw table:
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
The server is a Raspberry Pi.
What could the problem be?
I talked to my ISP, and it is their fault. They have a strange network, so from every packet that arrives I only ever get a single internal IP address.
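As an added example (not from the original post), a small Python model of the `-m set --match-set allow-list src` test against a constructed zone list. It shows two things worth checking before trusting a geo-filter: the DROP rule as written fires on sources that are in the set (the `!` form is what makes the set behave as an allow-list), and a source address that the ISP has rewritten into carrier-grade NAT space (100.64.0.0/10, RFC 6598) or a private range can never match a public country list, which is consistent with the 0-packet counters on both DROP rules. The three zone entries and the test addresses are constructed; the match semantics are modelled with the `ipaddress` module rather than by calling ipset.

```python
import ipaddress

# Constructed stand-in for country-aggregated.zone (the real file has 97 entries).
ZONE_FILE = """\
89.183.60.0/22
89.183.64.0/18
# ipdeny zone files are one CIDR per line; blanks and comments are skipped here
212.77.0.0/17
"""

def load_zone(text):
    """Parse one CIDR per line, as the `for i in $(cat ...)` loop feeds them to `ipset -A`."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def in_set(src, nets):
    """Model of `--match-set allow-list src` on a hash:net set: true if src lies in any member."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)

def verdict(src, nets, negate=False, policy="ACCEPT"):
    """Apply one rule `[!] --match-set allow-list src -j DROP`, else fall through to the chain policy.
    negate=False is the rule from the post; negate=True is the `!` form that implements an allow-list."""
    if in_set(src, nets) != negate:   # the rule matches when (in set) XOR (negated)
        return "DROP"
    return policy

def classify_source(src):
    """Label a source address by whether it could ever appear in a public country list."""
    addr = ipaddress.ip_address(src)
    if addr in ipaddress.ip_network("100.64.0.0/10"):   # shared address space, RFC 6598 (CGNAT)
        return "cgnat"
    if addr.is_private:
        return "private"
    return "public"

if __name__ == "__main__":
    nets = load_zone(ZONE_FILE)
    for src in ("89.183.61.7", "8.8.8.8", "100.64.12.34"):   # constructed test addresses
        print(src, classify_source(src),
              "post rule:", verdict(src, nets),
              "negated rule:", verdict(src, nets, negate=True))
```

A quick way to confirm the CGNAT case on the real box is to compare the source addresses in `conntrack -L` or the Docker access logs with the ranges in the zone file; if they fall in 100.64.0.0/10 the set can never match, whatever the rule polarity.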