Ubuntu
在 Ubuntu 伺服器上調試 UFW 和 Samba
我有兩台 Ubuntu 伺服器,它們具有相同的 Samba 配置和相同的 Samba 埠 UFW 規則,但不同之處在於,一台 14.04 執行良好,另一台 12.04 拒絕從任何地方訪問。
在 12.04 伺服器上禁用 UFW 時,再次允許 Samba 連接。但是,當 UFW 啟用時,UFW 的日誌中沒有來自塊的日誌條目。
我該如何調試這個問題?
**編輯:**我發現這些
iptables
用於smb
和dhcp
埠的規則::ufw-skip-to-policy-input - [0:0] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input -A ufw-skip-to-policy-input -j DROP
但是,將它們從中刪除
/etc/ufw/after.rules
無濟於事。這是目前的
iptables-save
輸出:*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :fail2ban-apache - [0:0] :fail2ban-apache-noscript - [0:0] :fail2ban-apache-overflows - [0:0] :fail2ban-dovecot - [0:0] :fail2ban-postfix - [0:0] :fail2ban-ssh - [0:0] :fail2ban-ssh-ddos - [0:0] :fail2ban-wuftpd - [0:0] :ufw-after-forward - [0:0] :ufw-after-input - [0:0] :ufw-after-logging-forward - [0:0] :ufw-after-logging-input - [0:0] :ufw-after-logging-output - [0:0] :ufw-after-output - [0:0] :ufw-before-forward - [0:0] :ufw-before-input - [0:0] :ufw-before-logging-forward - [0:0] :ufw-before-logging-input - [0:0] :ufw-before-logging-output - [0:0] :ufw-before-output - [0:0] :ufw-logging-allow - [0:0] :ufw-logging-deny - [0:0] :ufw-not-local - [0:0] :ufw-reject-forward - [0:0] :ufw-reject-input - [0:0] :ufw-reject-output - [0:0] :ufw-skip-to-policy-forward - [0:0] :ufw-skip-to-policy-input - [0:0] :ufw-skip-to-policy-output - [0:0] :ufw-track-input - [0:0] :ufw-track-output - [0:0] :ufw-user-forward - [0:0] :ufw-user-input - [0:0] :ufw-user-limit - [0:0] :ufw-user-limit-accept - [0:0] :ufw-user-logging-forward - [0:0] :ufw-user-logging-input - [0:0] :ufw-user-logging-output - [0:0] :ufw-user-output - [0:0] -A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995 -j fail2ban-dovecot -A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix -A INPUT -p tcp -m multiport --dports 21,20,990,989 -j fail2ban-wuftpd -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A INPUT -j ufw-before-logging-input -A INPUT -j ufw-before-input -A INPUT -j ufw-after-input -A INPUT -j ufw-after-logging-input -A INPUT -j ufw-reject-input -A INPUT -j ufw-track-input -A FORWARD -j ufw-before-logging-forward -A FORWARD -j ufw-before-forward -A FORWARD -j ufw-after-forward -A FORWARD -j ufw-after-logging-forward -A FORWARD -j ufw-reject-forward -A OUTPUT -j ufw-before-logging-output -A OUTPUT -j ufw-before-output -A OUTPUT -j ufw-after-output -A OUTPUT -j ufw-after-logging-output -A OUTPUT -j ufw-reject-output -A OUTPUT -j ufw-track-output -A fail2ban-apache -j RETURN -A fail2ban-apache-noscript -j RETURN -A fail2ban-apache-overflows -j RETURN -A fail2ban-dovecot -j RETURN -A fail2ban-postfix -j RETURN -A fail2ban-ssh -j RETURN -A fail2ban-ssh-ddos -j RETURN -A fail2ban-wuftpd -j RETURN -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-before-forward -j ufw-user-forward -A ufw-before-input -i lo -j ACCEPT -A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT -A ufw-before-input -m state --state INVALID -j ufw-logging-deny -A ufw-before-input -m state --state INVALID -j DROP -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A ufw-before-input -j ufw-not-local -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT -A ufw-before-input -j ufw-user-input -A ufw-before-output -o lo -j ACCEPT -A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT -A ufw-before-output -j ufw-user-output -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " -A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny -A ufw-not-local -j DROP -A ufw-skip-to-policy-forward -j DROP -A ufw-skip-to-policy-input -j DROP -A ufw-skip-to-policy-output -j ACCEPT -A ufw-track-output -p tcp -m state --state NEW -j ACCEPT -A ufw-track-output -p udp -m state --state NEW -j ACCEPT -A ufw-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "\'dapp_Apache%20Full\'" -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 53 -m comment --comment "\'dapp_Bind9\'" -j ACCEPT -A ufw-user-input -p udp -m udp --dport 53 -m comment --comment "\'dapp_Bind9\'" -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 143 -m comment --comment "\'dapp_Dovecot%20IMAP\'" -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 110 -m comment --comment "\'dapp_Dovecot%20POP3\'" -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 25 -m comment --comment "\'dapp_Postfix\'" -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 465 -m comment --comment "\'dapp_Postfix%20SMTPS\'" -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 587 -m comment --comment "\'dapp_Postfix%20Submission\'" -j ACCEPT -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT -A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] " -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable -A ufw-user-limit-accept -j ACCEPT COMMIT
在幕後,UFW 只是在指導 iptables/netfilter,所以通常的規則適用。
數據包匹配的第一個規則獲勝。
和 Samba 埠的相同 UFW 規則
您的 SMB 相關數據包可能與阻止訪問的早期規則匹配。
我該如何調試這個問題?
您必須審核您的防火牆規則,了解它們,然後進行適當的更改。