linux – Trying to make iptables stateless causes unexpected filtering

I'm trying to improve my server's performance by adjusting iptables so that it doesn't track the state of TCP connections. I'm looking at this guide: http://cotdp.com/2011/07/nginix-on-a-256mb-vm-slice-24000-tps/

However, if I do either of the following, it seems that all outgoing connections get cut off:

Remove this rule: INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Add these:

iptables -t raw -I OUTPUT -j NOTRACK
iptables -t raw -I PREROUTING -j NOTRACK

Immediately after making either change, "ping google.com" returns an error about being unable to find "google.com" (i.e. DNS stops resolving).

Here are the rules loaded at boot, although fail2ban adds others:

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport https -j ACCEPT
-A INPUT -p tcp --dport smtp -j ACCEPT
-A INPUT -p tcp --dport ssmtp -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

Here is the output of iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh 
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere            multiport dports ssh 
fail2ban-pam-generic  tcp  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssmtp 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain fail2ban-pam-generic (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Solution

You have a rule that rejects all incoming traffic:
-A INPUT -j REJECT

and you've stopped connection tracking, so the rule that accepts packets belonging to established connections no longer works:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

So your DNS packets vanish: they are not tracked, and are then rejected by the first rule.

You need to enable tracking for the second rule to work, or add rules that allow incoming traffic from "good" sources.
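
The usual way to get the guide's conntrack bypass without losing the ESTABLISHED,RELATED rule is to scope NOTRACK to the web listener only, so DNS, SSH and outbound connections stay tracked. The script below is an added example written for this page, not code from the original post or from the guide it links: it generates an iptables-restore file that does that, checks that no NOTRACK rule is unscoped (the mistake in the question), and only then applies it. The port list 80,443, the WEB_PORTS variable and the check/apply function names are this example's own choices; the filter rules mirror the post's ruleset with named ports written as numbers.

```shell
#!/bin/sh
# Added example (not from the original post): take only the web listener out of
# conntrack, leaving every other flow (DNS, SSH, SMTP, outbound) tracked so the
# ESTABLISHED,RELATED rule keeps matching their replies.
# Assumptions: a standalone host (nothing forwarded); WEB_PORTS lists the only
# high-volume services, and its default 80,443 is a hypothetical choice.

WEB_PORTS="${WEB_PORTS:-80,443}"

# Emit an iptables-restore file. NOTRACK is applied only to packets matching the
# web ports, in both directions (requests in PREROUTING, our replies in OUTPUT).
# A blanket "-j NOTRACK", as in the question, makes every packet UNTRACKED.
gen_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m multiport --dports $WEB_PORTS -j NOTRACK
-A OUTPUT -p tcp -m multiport --sports $WEB_PORTS -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Untracked web packets never match ESTABLISHED, so accept them by port alone;
# stray segments are now answered with a RST by the TCP stack, not dropped here.
-A INPUT -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT
# Everything else is still tracked, so DNS replies and the like match here.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; return 0 if every NOTRACK rule carries a port match,
# 1 (listing the offenders) if any NOTRACK rule is unscoped.
check_notrack_scope() {
    unscoped=$(grep -- '-j NOTRACK' | grep -Ev -- '--(d|s)ports? [0-9,]+' || true)
    if [ -n "$unscoped" ]; then
        printf 'unscoped NOTRACK rule(s):\n%s\n' "$unscoped" >&2
        return 1
    fi
    return 0
}

# Sanity-check the generated ruleset before it is ever applied.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | check_notrack_scope || return 1
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || {
        echo 'ESTABLISHED,RELATED accept rule missing' >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- "--dports $WEB_PORTS -j ACCEPT" || {
        echo 'untracked web ports have no explicit ACCEPT' >&2; return 1; }
}

# Parse with iptables-restore --test first, then load atomically (needs root).
apply_rules() {
    check_rules || return 1
    gen_rules | iptables-restore --test || return 1
    gen_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to print the ruleset, or with `apply` as root to load it. The trade-off is the one the answer describes: packets to the untracked ports are never ESTABLISHED, so anything that relies on conntrack for them (state-based rate limits, `--ctstate NEW` checks, INVALID drops) no longer sees web traffic, and their replies must be permitted by a stateless OUTPUT rule (here OUTPUT accepts everything, as in the post). Every other service keeps full connection tracking, which is why DNS resolution survives.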
