linux - Why does my iptables firewall block every website except Google sites?
Problem description
Thank you very much for taking the time to help me with the problem I am trying to solve.
I am using a Raspberry Pi 4 running the Raspbian (Debian-derived) distribution.
I am learning a lot about setting up firewall rules with iptables. I want to block access to all internet sites through the browser.
I added the following rule:
sudo iptables -A OUTPUT -p tcp -j REJECT
My understanding is that this command should append (-A) a rule to the OUTPUT chain that rejects any outbound request using the tcp protocol (-p).
What I expected to happen here is that any connection from my browser to a site would be blocked. This seems to work for every website except Google sites, such as www.google.com or docs.google.com. I don't know why, but those sites are still reachable.
I also tried the following rule, which drops any request going out through my wifi network device:
sudo iptables -A OUTPUT -o wlan0 -j DROP
I expected the same thing to happen here. However, connections to the Google sites went through again.
Printout of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with icmp-port-unreachable
Chain INPUT_direct (1 references)
target prot opt source destination
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_log (1 references)
target prot opt source destination
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-input (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
Chain ufw-track-forward (1 references)
target prot opt source destination
This is the line I added:
REJECT tcp -- anywhere anywhere reject-with icmp-port-unreachable
It appears under the Chain OUTPUT section:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with icmp-port-unreachable
What am I doing wrong? Thanks for your help.
Solution
It may have been accepted by one of the earlier targets. Try (from the console) moving it to the beginning; I think that would be -I OUTPUT 1 (Insert in OUTPUT before 1) instead of -A. There is a -v option for -L that prints counters; make a bunch of Google connections to find out which rule the packets belong to, to help debugging. But it seems Raspbian comes out of the box with the ufw firewall. You might search for how to configure it. Adding your own iptables entries may conflict with it. Try sudo ufw status verbose or man ufw.
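To follow the counter-based debugging the answer suggests, here is an added Python helper (not from the original post) that parses the output of iptables -L OUTPUT -v -n, lists the rules that counted packets, finds the first terminating target in the chain, and reports how many packets reached the chain's policy without matching any terminating rule. The sample listing and all of its counters are constructed; packets counted against the policy rather than the tcp REJECT rule never matched a terminating rule, which is where to look for traffic the rule does not cover.

```python
import re
from collections import namedtuple

# Constructed sample of `sudo iptables -L OUTPUT -v -n` output, not taken from the
# original post; the packet/byte counters are invented to illustrate the technique.
SAMPLE = """\
Chain OUTPUT (policy ACCEPT 42 packets, 3150 bytes)
 pkts bytes target     prot opt in     out     source               destination
  318 25440 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  318 25440 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  318 25440 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  318 25440 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  318 25440 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  318 25440 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  318 25440 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  276 22290 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

Rule = namedtuple("Rule", "num pkts target prot extra")
Chain = namedtuple("Chain", "name policy policy_pkts rules")
_SUFFIX = {"": 1, "K": 1000, "M": 1000_000, "G": 1000_000_000}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # jumps to user chains are not terminating

def to_int(count):
    """iptables abbreviates large counters (e.g. 12K) unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", count)
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_chain(text):
    """Parse one chain from `iptables -L <chain> -v -n` into a Chain."""
    lines = [l for l in text.splitlines() if l.strip()]
    hdr = re.match(r"Chain (\S+) \(policy (\S+) (\S+) packets", lines[0])
    rules = []
    for n, line in enumerate(lines[2:], start=1):  # lines[1] is the column header
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        rules.append(Rule(n, to_int(f[0]), f[2], f[3], f[9] if len(f) > 9 else ""))
    return Chain(hdr.group(1), hdr.group(2), to_int(hdr.group(3)), rules)

def diagnose(chain):
    """Rules that counted packets, first terminating rule, packets that fell through to the policy."""
    hits = [r for r in chain.rules if r.pkts > 0]
    first_term = next((r for r in chain.rules if r.target in TERMINATING), None)
    return hits, first_term, chain.policy_pkts

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    hits, first_term, leak = diagnose(chain)
    print("counted:", [(r.num, r.target, r.prot, r.pkts) for r in hits])
    print(f"first terminating rule: #{first_term.num} {first_term.target} {first_term.prot}")
    print(f"{leak} packets hit no terminating rule and fell through to policy {chain.policy}")
```

Run it against a real listing with `sudo iptables -L OUTPUT -v -n` after zeroing counters with `sudo iptables -Z OUTPUT` and loading a few pages; a rule whose counter stays at zero while the policy counter climbs is not seeing the traffic in question.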