Block all traffic on a specific interface

I was trying to block all traffic on a specific interface (which is an external wireless connection) except browsing, using ufw:

 sudo ufw enable
 sudo ufw deny out on wlx00252245ed96
 sudo ufw allow out on wlx00252245ed96 to any from any port 80 proto tcp 
 sudo ufw allow out on wlx00252245ed96 to any from any port 80 proto udp
 sudo ufw allow out on wlx00252245ed96 to any from any port 443 proto tcp 
 sudo ufw allow out on wlx00252245ed96 to any from any port 443 proto udp

However, I still can't browse! Am I missing something?

Here is the ufw status:

~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY OUT    Anywhere on wlx00252245ed96
Anywhere                   ALLOW OUT   80/tcp on wlx00252245ed96 
Anywhere                   ALLOW OUT   80/udp on wlx00252245ed96 
Anywhere                   ALLOW OUT   443/tcp on wlx00252245ed96
Anywhere                   ALLOW OUT   443/udp on wlx00252245ed96
Anywhere (v6)              DENY OUT    Anywhere (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   80/tcp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   80/udp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   443/tcp (v6) on wlx00252245ed96
Anywhere (v6)              ALLOW OUT   443/udp (v6) on wlx00252245ed96

and here is iptables -L -v:

Chain INPUT (policy DROP 1 packets, 32 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2329  780K ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp dpt:bootps
    0     0 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp dpt:bootps
  232 14695 ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp dpt:domain
13379 3073K ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
13379 3073K ufw-before-input  all  --  any    any     anywhere             anywhere            
  787  782K ufw-after-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-reject-input  all  --  any    any     anywhere             anywhere            
  761  779K ufw-track-input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
10621 1128K ACCEPT     all  --  any    ens33   anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
  845 89027 ACCEPT     all  --  ens33  any     10.42.0.0/24         anywhere            
    0     0 ACCEPT     all  --  ens33  ens33   anywhere             anywhere            
    0     0 REJECT     all  --  any    ens33   anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  ens33  any     anywhere             anywhere             reject-with icmp-port-unreachable
    8   528 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-before-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-after-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-reject-forward  all  --  any    any     anywhere             anywhere            
    8   528 ufw-track-forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 1 packets, 48 bytes)
 pkts bytes target     prot opt in     out     source               destination         
22932 2072K ufw-before-logging-output  all  --  any    any     anywhere             anywhere            
22932 2072K ufw-before-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-after-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-reject-output  all  --  any    any     anywhere             anywhere            
  920  162K ufw-track-output  all  --  any    any     anywhere             anywhere            

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   468 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    1   229 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    32 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere            

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   49  3100 ACCEPT     all  --  lo     any     anywhere             anywhere            
    5   803 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    1   360 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    8   729 ufw-not-local  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    8   729 ufw-user-input  all  --  any    any     anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   49  3100 ACCEPT     all  --  any    lo      anywhere             anywhere            
   13  2099 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   67  8696 ufw-user-output  all  --  any    any     anywhere             anywhere            

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    1    32 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    7   697 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   697 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
    6  1968 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   59  6632 DROP       all  --  any    wlx00252245ed96  anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:http
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:http
    0     0 ACCEPT     tcp  --  any    wlx00252245ed96  anywhere             anywhere             tcp spt:https
    0     0 ACCEPT     udp  --  any    wlx00252245ed96  anywhere             anywhere             udp spt:https
asked 5 November 2016 at 16:21

1 answer

There are at least two problems. First, your blanket deny rule precedes your specific allow rules, so you will never hit the allow rules. Second, your allow rules are based on the source port, but they should be based on the destination port.

As a side note, for what you want to do you don't need udp.

For this to work properly, there are potentially some other problems. For example, you probably need to allow port 53 for DNS (both tcp and udp).

So (and disclaimer: I don't use ufw, only iptables, so I'm guessing the syntax):

sudo ufw allow out on wlx00252245ed96 to any port 80 proto tcp from any
sudo ufw allow out on wlx00252245ed96 to any port 443 proto tcp from any
sudo ufw deny out on wlx00252245ed96

In iptables, what you want for the allow rules is this (on my test machine; I can't do an example DROP rule, because it would break my test machine):

Chain OUTPUT (policy ACCEPT 55 packets, 3244 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      enp9s0  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0        0 ACCEPT     tcp  --  *      enp9s0  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
answered 28 September 2019 at 05:57
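To see both problems the answer names in one place, here is an added example (not code from the question or the answer) that simulates iptables first-match evaluation over the ufw-user-output chain shown in the question. The interface name is the one from the question; the rules and packets are constructed and nothing touches a real firewall.

```python
# Added example, not code from the question or the answer: a first-match
# simulation of the ufw-user-output chain from the question. It shows why the
# posted rules block browsing and why the answer's corrected rules do not.
# Rules and packets are constructed here; nothing touches a real firewall.
from __future__ import annotations
from dataclasses import dataclass

IF = "wlx00252245ed96"  # the wireless interface named in the question

@dataclass(frozen=True)
class Packet:
    proto: str
    out_if: str
    sport: int  # source port: a browser picks an ephemeral one
    dport: int  # destination port: 80 or 443 on the web server

@dataclass(frozen=True)
class Rule:
    target: str               # "DROP" or "ACCEPT"
    proto: str | None = None  # None matches any protocol
    sport: int | None = None  # iptables "spt:" match
    dport: int | None = None  # iptables "dpt:" match

    def matches(self, p: Packet) -> bool:
        return (p.out_if == IF
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def verdict(chain: list[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """iptables walks a chain top-down; the first matching rule decides."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# As posted: the catch-all DROP comes first and the allows key on the source port.
POSTED = [Rule("DROP"),
          Rule("ACCEPT", "tcp", sport=80), Rule("ACCEPT", "udp", sport=80),
          Rule("ACCEPT", "tcp", sport=443), Rule("ACCEPT", "udp", sport=443)]
# Order fixed but still matching the source port: browsing is still dropped.
REORDERED = POSTED[1:] + POSTED[:1]
# The answer's version: allow destination ports 80 and 443, then deny the rest.
FIXED = [Rule("ACCEPT", "tcp", dport=80), Rule("ACCEPT", "tcp", dport=443), Rule("DROP")]

# Constructed packets: an outgoing HTTPS connection and an outgoing SSH connection.
HTTPS_OUT = Packet("tcp", IF, sport=51234, dport=443)
SSH_OUT = Packet("tcp", IF, sport=51235, dport=22)
```

Fixing only the order (REORDERED) still drops the HTTPS packet, because its source port is ephemeral, not 443; only FIXED, which matches the destination port and puts the deny last, lets browsing through while still dropping everything else on that interface.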
