linux - 使用 iptables 不接受 REJECT 目标作为有效目标
问题描述
平台:
Linux {hostname} 3.13.0-145-generic #194-Ubuntu SMP Thu Apr 5 15:20:44 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
系统不允许使用REJECTas --jump target。
根据iptables-extensions,这对 IPv4 有效。此外,根据上述内容,iptables-extensions被标识为包含在iptables我安装的发行版中。
有谁知道为什么这不起作用?
是否有我必须设置的内核参数才能被接受?
或者...是否有一个内核参数,如果设置,会导致在所有情况下都DROP采用这种REJECT立场?
我正在尝试使用该REJECT选项来弄清楚为什么我的防火墙脚本不允许从传出返回的数据包,或者根本不识别/连接远程主机以获取 URL 目标。
我试图为桌面建立的脚本如下:
#!/bin/sh
# v0.04 2018-04-25
#============================== Initialize Script ===========================
if [ "${1}" = "-x" ]
then
set -x
DENY_MODE="REJECT --reject-with icmp-host-unreachable"
else
DENY_MODE="DROP"
fi
#
# Use system-specified command for iptables
#
IPv4=`which iptables`
IPv6=`which ip6tables`
#============================== 100 series ==================================
#
# IPv6 is only allowed on passthru servers, routers or bastion hosts
# Rule # 100
${IPv6} --policy ${DENY_MODE}
${IPv6} --flush
${IPv6} --zero
#
# Initialize NAT table
# Rule # 130
#${IPv4} --table nat --policy ACCEPT
${IPv4} --table nat --flush
${IPv4} --table nat --zero
#
# Initialize MANGLE table
# Rule # 140
#${IPv4} --table mangle --policy ACCEPT
${IPv4} --table mangle --flush
${IPv4} --table mangle --zero
#
# FORWARD is only allowed on passthru servers, routers or bastion hosts - no logging of dropped FORWARD packets
# Rule # 150
${IPv4} --policy FORWARD ${DENY_MODE}
${IPv4} --flush FORWARD
${IPv4} --zero FORWARD
#
# Initialize INPUT chain
# Rule # 151
#${IPv4} --policy INPUT ACCEPT
${IPv4} --policy INPUT ${DENY_MODE}
${IPv4} --flush INPUT
${IPv4} --zero INPUT
#
# Initialize OUTPUT chain
# Rule # 152
${IPv4} --policy OUTPUT ${DENY_MODE}
${IPv4} --flush OUTPUT
${IPv4} --zero OUTPUT
#============================== 400 series ==================================
#
# All fragmented packets are either unusable or potentially toxic
# Rule # 400
#${IPv4} --append INPUT --fragment --jump ${DENY_MODE}
${IPv4} --table raw --append PREROUTING --fragment --jump ${DENY_MODE}
#
# Need DNS for desktop outgoing web requests
# Rule # 401
${IPv4} --append OUTPUT -o eth0 --protocol udp --dport 53 --jump ACCEPT
${IPv4} --append INPUT -i eth0 --protocol udp --sport 53 --jump ACCEPT
#
# FUTURES: incorporating WAN-based DHCP for dynamic IP assignment
# Rule # 402
#${IPv4} --append INPUT -p icmp -s ${DHCP_broker} --jump ACCEPT
#${IPv4} --append INPUT -i ${WAN_IP} -s ${DHCP_broker} --protocol tcp --sport 68 --dport 67 --jump ACCEPT
#${IPv4} --append INPUT -i ${WAN_IP} -s ${DHCP_broker} --protocol udp --sport 68 --dport 67 --jump ACCEPT
#============================== 700 series ==================================
#
# Allow outgoing internet connections and verify incoming packet state to only allow associated replies
# Rule 700 - TCP
${IPv4} --flush NOGO_700
${IPv4} --delete-chain NOGO_700
${IPv4} --new-chain NOGO_700
#
${IPv4} --append OUTPUT --protocol tcp --match conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --protocol tcp --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --protocol tcp --match conntrack ! --ctstate ESTABLISHED,RELATED --jump NOGO_700
${IPv4} --append NOGO_700 --jump LOG --log-level 4 --log-prefix "DROP_ESTa: "
${IPv4} --append NOGO_700 --jump ${DENY_MODE}
#
# Allow outgoing internet connections and verify incoming packet state to only allow associated replies
# Rule 701 - UDP
${IPv4} --flush NOGO_701
${IPv4} --delete-chain NOGO_701
${IPv4} --new-chain NOGO_701
#
${IPv4} --append OUTPUT --protocol udp --match conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --protocol udp --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --protocol udp --match conntrack ! --ctstate ESTABLISHED,RELATED --jump NOGO_701
${IPv4} --append NOGO_701 --jump LOG --log-level 4 --log-prefix "DROP_ESTb: "
${IPv4} --append NOGO_701 --jump ${DENY_MODE}
#
# Allow outgoing internet connections and verify incoming packet state to only allow associated replies
# Rule 702 - All others unrelated to protocols
# (Review reasons for not allowing RELATED and implement if warranted)
${IPv4} --flush NOGO_702
${IPv4} --delete-chain NOGO_702
${IPv4} --new-chain NOGO_702
#
${IPv4} --append OUTPUT --match conntrack --ctstate NEW,ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
${IPv4} --append INPUT --match conntrack ! --ctstate ESTABLISHED --jump NOGO_702
${IPv4} --append NOGO_702 --jump LOG --log-level 4 --log-prefix "DROP_ESTc: "
${IPv4} --append NOGO_702 --jump ${DENY_MODE}
#============================== 200 series ==================================
#
# Loopback is critical to host internal processes (FUTURES: mechanisms to ensure legit traffic only on loopback
# Rule 200
# (something wrong here, fallback to basic loopback passthru)
${IPv4} --flush NOGO_200
${IPv4} --delete-chain NOGO_200
${IPv4} --new-chain NOGO_200
${IPv4} --append INPUT -i eth0 -s 127.0.0.0/8 --jump NOGO_200
${IPv4} --append INPUT -i lo ! -s 127.0.0.0/8 --jump NOGO_200
${IPv4} --append INPUT -i lo -s 127.0.0.0/8 --jump ACCEPT
${IPv4} --append NOGO_200 --jump LOG --log-level 4 --log-prefix "DROP_LOOPBACK: "
${IPv4} --append NOGO_200 --jump ${DENY_MODE}
#============================== 300 series ==================================
#
# INVALID packets should be ignored
# Rule 300
${IPv4} --flush NOGO_300
${IPv4} --delete-chain NOGO_300
${IPv4} --new-chain NOGO_300
${IPv4} --append INPUT --match conntrack --ctstate INVALID --jump NOGO_300
${IPv4} --append NOGO_300 --jump LOG --log-level 4 --log-prefix "DROP_INVALID: "
${IPv4} --append NOGO_300 --jump ${DENY_MODE}
#
# BOGON packets should be ignored
# Rule 301
${IPv4} --flush NOGO_301
${IPv4} --delete-chain NOGO_301
${IPv4} --new-chain NOGO_301
#???# ${IPv4} --append INPUT -i eth0 -s 192.168.0.0/16 --jump NOGO_301 # (C) Own LAN IP/mask ????
${IPv4} --append INPUT -i eth0 -s 192.0.2.0/24 --jump NOGO_301 ### ???
#
${IPv4} --append INPUT -i eth0 -s 10.0.0.0/8 --jump NOGO_301 # (A)
${IPv4} --append INPUT -i eth0 -s 172.16.0.0/12 --jump NOGO_301 # (B)
${IPv4} --append INPUT -i eth0 -s 224.0.0.0/4 --jump NOGO_301 # (D MULTICAST)
${IPv4} --append INPUT -i eth0 -s 240.0.0.0/5 --jump NOGO_301 # (E)
#
${IPv4} --append INPUT -i eth0 -s 169.254.0.0/16 --jump NOGO_301 ### ???
${IPv4} --append NOGO_301 --jump LOG --log-level 4 --log-prefix "DROP_BOGON: "
${IPv4} --append NOGO_301 --jump ${DENY_MODE}
#============================== 900 series ==================================
#
# Drop everything that did not match above or log then drop tem
# Rule 999
# Track ignored INPUT
${IPv4} --append INPUT --jump LOG --log-level 4 --log-prefix "DROP_INPUT: "
${IPv4} --append INPUT --jump ${DENY_MODE}
# Track ignored OUTPUT
${IPv4} --append OUTPUT --jump LOG --log-level 4 --log-prefix "DROP_OUTPUT: "
${IPv4} --append OUTPUT --jump ${DENY_MODE}
#============================== Housekeeping ================================
#
# Save image of latest ruleset for restore at next reboot
# Rule 999+
#${IPv4}-save >/dev/null 2>&1
#${IPv6}-save >/dev/null 2>&1
#
# Display latest ruleset
# Rule 999+
#${IPv4} -n -L -v --line-numbers
#${IPv6} -n -L -v --line-numbers
#===================================================================================
# END OR PROGRAM
#===================================================================================
exit 0
预先感谢您的协助。
解决方案
推荐阅读
- .net - 加载 html 文件时 CefSharp Chromiumbrowser 冻结
- sql - 选择最大日期小于上一年的 12 月 31 日的行
- php - TYPO3 - 自己的升级向导:使用来自其他表的 SELECT 插入
- aws-lambda - “errorMessage”:“[Errno 28] 设备上没有剩余空间”AWS-Lambda
- multithreading - 我使用锁定例程执行任务的实现有什么问题?
- python - 神经网络没有预测正确的数字
- wordpress - 为什么我可以在 ACF 要求的空白字段中提交我的帖子?
- logging - opencensus Azure 处理程序在 Azure 函数应用上创建重复日志
- javascript - React JS - 应用程序没有填满整个页面
- reactjs - 材料ui反应js按钮文本未显示