Uncomplicated Firewall (UFW) - how to block a single port on localhost
I'm trying to test what happens to an application when it connects to a particular service. I'm running Ubuntu 13.10, and it sounds like ufw (Uncomplicated Firewall) is the right tool, but I can't get it to work as expected. I'm sure it's something simple that I'm doing wrong, but the ufw man page gives an example of blocking all access to a port, which I'm following, and it isn't working... Below are the steps I went through.
Fire up the application and run netstat to find out which port it is using to connect to the external service:
$ netstat
Proto Recv-Q Send-Q Local Address Foreign Address State
...
tcp6 0 0 mymachine.blah:39163 remoteservice.blah:2181 ESTABLISHED
...
So now I try to block any communication on local port 39163:
$ sudo ufw deny 39163
Rule added
Rule added (v6)
I can check, and the rule is there:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
39163 DENY Anywhere
39163 DENY Anywhere (v6)
But I can see in my application logs that it is still communicating with the remote service, and it also looks that way from netstat:
$ netstat
Proto Recv-Q Send-Q Local Address Foreign Address State
...
tcp6 0 0 mymachine.blah:39163 remoteservice.blah:2181 ESTABLISHED
...
For good measure I also tried the same ufw deny command with the remote port 2181 (just in case I had misunderstood and the port you specify should be the remote port rather than the local port), but that made no difference either.
[EDIT] The iptables output is quite large. I've cut out the chains I think are irrelevant (all chains that have no rules, no references, or both). The rest is below. Note that I have never done anything manually with iptables; I have always used ufw or gufw (the GUI front end to ufw).
You can see my rule at the bottom (chain ufw-user-input, which references port 39163). I suspect the problem may be that chain ufw-user-input (with my rule) is referenced by chain ufw-before-input, but that chain in turn is not referenced by anything. But I really don't know iptables well enough to confirm whether that is the problem or how to fix it - I'd prefer to just use the simpler ufw utility.
$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ufw-before-input (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-user-input (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:39163
DROP udp -- anywhere anywhere udp dpt:39163
Can you show us the actual iptables rules it generates? – cnicutar
You mean your iptables is? – MLSC
@cnicutar - added to the original post. – asibs
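To see why a DROP rule in ufw-user-input does not touch this connection, here is an added example (not from the question, and not ufw's own code) that replays a first-match walk of the posted `iptables --list` output for the connection's inbound and outbound packets. The listing and netstat row are constructed from the question's own output and abridged; the conntrack state match is simplified to the packet's own NEW/ESTABLISHED label, and tcp6 is treated as tcp.

```python
import re

# Constructed from the question's `iptables --list` output, abridged; policies and rule order as posted.
LISTING = """\
Chain INPUT (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain ufw-before-input (0 references)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-user-input all -- anywhere anywhere
Chain ufw-user-input (1 references)
DROP tcp -- anywhere anywhere tcp dpt:39163
"""
NETSTAT = "tcp6 0 0 mymachine.blah:39163 remoteservice.blah:2181 ESTABLISHED"

def parse_chains(listing):
    """chain name -> [policy or None, [(target, proto, {dpt/spt: port}, states)]]"""
    chains, cur = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            pol = re.search(r"policy (\w+)", line)
            cur = chains.setdefault(line.split()[1], [pol[1] if pol else None, []])
        elif cur and line.strip() and not line.startswith("target"):
            port = {m[1]: int(m[2]) for m in re.finditer(r"\b([sd]pt):(\d+)", line)}
            st = re.search(r"state (\S+)", line)
            f = line.split()
            cur[1].append((f[0], f[1], port, set(st[1].split(",")) if st else None))
    return chains

def verdict(chains, root, pkt):
    """First-match walk from `root`, following jumps into user chains.
    Returns (verdict, chain), or None if a user chain fell through (RETURN)."""
    policy, rules = chains[root]
    for target, proto, port, states in rules:
        if proto not in ("all", pkt["proto"]) or any(pkt[k] != v for k, v in port.items()):
            continue
        if states is not None and pkt["state"] not in states:  # simplified conntrack match
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, root
        if target in chains and (hit := verdict(chains, target, pkt)):  # jump into user chain
            return hit
    return (policy, "policy") if policy else None

def packets_for(netstat_line, state="ESTABLISHED"):
    """Inbound and outbound packet of one netstat row; tcp6 is treated as tcp here."""
    proto, _, _, local, remote, _ = netstat_line.split()
    lport, rport = (int(x.rsplit(":", 1)[1]) for x in (local, remote))
    base = {"proto": proto.rstrip("6"), "state": state}
    return {"INPUT": {**base, "dpt": lport, "spt": rport},   # replies from the service
            "OUTPUT": {**base, "dpt": rport, "spt": lport}}  # what the application sends
```

With the listing as posted neither direction ever reaches ufw-user-input (INPUT holds no jump), and even on an install where INPUT jumps to ufw-before-input the ESTABLISHED accept matches first while the outbound packets (destination port 2181) traverse OUTPUT, which has no rule at all. Blocking the service therefore needs an output-direction rule on the remote port, which is what `ufw deny out proto tcp to any port 2181` adds, and it only bites once the connection is re-opened, since the existing one keeps matching the ESTABLISHED accept.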