Iptables

iptables does not block the IP after a DROP rule is added

  • March 25, 2021

I am trying to block an IP (144.76.68.14). I added the command iptables -A INPUT -s 144.76.68.14 -j DROP but the IP is not blocked!… Here is the output of iptables -S:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_direct
-N INPUT_ZONES_SOURCE
-N INPUT_ZONES
-N FORWARD_direct
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_IN_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N OUTPUT_direct
-N IN_public
-N IN_public_log
-N IN_public_deny
-N IN_public_allow
-N FWDI_public
-N FWDI_public_log
-N FWDI_public_deny
-N FWDI_public_allow
-N FWDO_public
-N FWDO_public_log
-N FWDO_public_deny
-N FWDO_public_allow
-A INPUT -s 141.98.80.58/32 -j DROP
-A INPUT -s 83.155.61.155/32 -j ACCEPT
-A INPUT -s 41.202.219.71/32 -j DROP
-A INPUT -s 54.36.150.172/32 -j DROP
-A INPUT -s 151.80.39.210/32 -j DROP
-A INPUT -s 5.196.87.130/32 -j DROP
-A INPUT -s 83.155.61.155/32 -j DROP
-A INPUT -s 65.154.226.100/32 -j ACCEPT
-A INPUT -s 65.154.226.100/32 -j DROP
-A INPUT -s 159.69.117.167/32 -j DROP
-A INPUT -s 213.217.0.183/32 -j DROP
-A INPUT -s 141.98.81.196/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 141.98.81.196/32 -j DROP
-A INPUT -s 141.98.80.58/32 -j DROP
-A INPUT -s 23.100.232.233/32 -j DROP
-A INPUT -s 5.9.6.51/32 -j DROP
-A INPUT -s 185.191.171.0/24 -j DROP
-A INPUT -s 45.93.201.119/32 -j DROP
-A INPUT -s 125.64.94.213/32 -j DROP
-A INPUT -s 52.183.60.91/32 -j DROP
-A INPUT -s 144.76.68.14/32 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A INPUT_direct -p tcp -m multiport --dports 110,995,143,993,587,465,4190 -m set --match-set f2b-dovecot src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 25,465,587 -m set --match-set f2b-postfix src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 10000 -m set --match-set f2b-webmin-auth src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_ZONES -g IN_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 587 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 10000:10100 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20000 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
# Warning: iptables-legacy tables present, use iptables-legacy to see them

You should consider using iptables -I rather than iptables -A when blocking an IP. iptables -I inserts the rule at the beginning of the INPUT chain. Note that iptables rules are checked one by one in their order, taking into account the jumps performed when a rule with -j or -g matches.

It seems the IP is being allowed in one of the defined chains, such as INPUT_ZONES, IN_public or IN_public_allow. I cannot confirm this 100% because you have not fully specified the protocol/port used by the IP you are trying to block.
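The ordering point made in the answer, as an added example that is not part of the question or the answer: a small Python model of iptables chain traversal run over a constructed subset of the asker's ruleset, assuming the host opens a new TCP connection to port 22 and that the INPUT policy is ACCEPT as in the listing.

```python
# Added example, not code from the question or answer: a model of how iptables walks
# chains in order, where -j returns to the caller on fall-through and -g (goto) returns
# to the caller's caller. RULESET is a constructed subset of the asker's `iptables -S`
# output (INPUT policy ACCEPT); the packet is an assumed NEW TCP connection to port 22.
import ipaddress, shlex

RULESET = """-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 144.76.68.14/32 -j DROP
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT"""
PKT = {"src": "144.76.68.14", "proto": "tcp", "dport": 22, "ctstate": "NEW"}

def parse(text):
    chains = {}                                    # chain name -> ordered rule list
    for line in text.splitlines():
        t = shlex.split(line)
        rule = {"text": line, "m": {}, "target": None, "goto": False}
        for o, a in zip(t[2::2], t[3::2]):        # every option used here takes one argument
            if o in ("-j", "-g"):
                rule["target"], rule["goto"] = a, o == "-g"
            elif o in ("-s", "-p", "--dport", "--ctstate"):
                rule["m"][o.lstrip("-")] = a
        lst = chains.setdefault(t[1], [])
        lst.insert(0, rule) if t[0] == "-I" else lst.append(rule)   # -I prepends, -A appends
    return chains

def matches(m, pkt):
    if "s" in m and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(m["s"]):
        return False
    if m.get("p", pkt["proto"]) != pkt["proto"] or int(m.get("dport", pkt["dport"])) != pkt["dport"]:
        return False
    return "ctstate" not in m or pkt["ctstate"] in m["ctstate"].split(",")

def walk(chains, chain, pkt, trail):
    for rule in chains.get(chain, []):
        if not matches(rule["m"], pkt):
            continue
        trail.append(rule["text"])
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        v = walk(chains, rule["target"], pkt, trail)
        if v is not None or rule["goto"]:         # -g: a fall-through in the target leaves this chain too
            return v
    return None                                    # fell through: implicit RETURN to the caller

def decide(text, pkt):                             # (verdict, rules hit in order); no match -> policy ACCEPT
    trail = []
    return (walk(parse(text), "INPUT", pkt, trail) or "ACCEPT"), trail
```

With the appended rule the packet is accepted inside IN_public_allow (or rejected by the REJECT rule for other ports) before the DROP at the end of INPUT is ever evaluated; adding the same rule with -I makes it the first rule hit.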

Source: https://serverfault.com/questions/1058282