I have set iptables to drop everything by default in the INPUT, OUTPUT and FORWARD chains. But I need to allow connections through all incoming TCP/UDP requests on port 80 (HTTP) and port 53 (DNS). I have the following setup:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
However, when I try and run sudo apt-get install apache2, the package is found, but it then hangs on actually downloading the package. Through my research, apt-get only needs HTTP and DNS ports to work in most cases. Am I missing anything? I tried to reference this post but to no avail.
Err:1 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libapr1 amd64 1.5.2-3
Temporary failure resolving ‘us.archive.ubuntu.com’
Err:2 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libaprutil1 amd64 1.5.4-1build1
Temporary failure resolving ‘us.archive.ubuntu.com’
0% [Connecting to us.archive.ubuntu.com]
System information: Distributor ID: Ubuntu, Description: Ubuntu 16.04.3 LTS, Release: 16.04, Codename: xenial

Update: the solution did not work
I followed tomasz's answer below again, but it did not work. apt-get is still stuck downloading like in the example above (e.g. apache2) (i.e. no change). Here are the new iptables rules I tried:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW,RELATED,ESTABLISHED
I tried versions with and without the state information in the OUTPUT chain, with no success.
I have dug deeper into the details on a test system.

I was able to properly configure iptables with the following ruleset and get apt-get to go outbound properly:

This mirrors your latest configuration that you stated above. I am able to get apt-get to work properly, and to also make DNS queries without issue. However, please note that your system is having problems resolving hostnames to IP addresses and is giving you resolution errors.

Make sure that your /etc/resolv.conf is properly configured, and contains at the bare minimum something like this:

With an /etc/resolv.conf set up this way, with the same iptables rulesets you have in place, I am able to, without issue, reach out and get proper DNS resolution on my Internet-facing systems and within my own LAN subnets which can go out to the Internet from inside the network. It sounds more to me like your /etc/resolv.conf is not set up correctly, and the misconfiguration is resulting in your system failing to configure DNS properly.

I do not know why you need INPUT open on 53 and 80, but if that is meant to receive the DNS and HTTP responses, it is wrong. That is done with the following line:

(Just as in this answer to the post you mention.)
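As an added illustration (not code from the question or from either answer), here is a small Python model of how the two rulesets above treat the packets apt-get generates: the request leaves through OUTPUT, and the reply has to come back through INPUT to an ephemeral client port, which the original port-only INPUT rules never match. The Rule/Packet helpers and the ephemeral port 40000 are constructed for this example; nothing here runs the real iptables.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Rule:
    proto: str                                     # "tcp", "udp" or "all"
    dport: Optional[int] = None                    # destination port; None = any
    states: Set[str] = field(default_factory=set)  # "state" match; empty = none

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    state: str                                     # conntrack state: NEW or ESTABLISHED

def chain_accepts(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule wins; no match falls through to the DROP policy."""
    for r in rules:
        if r.proto not in ("all", pkt.proto):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.states and pkt.state not in r.states:
            continue
        return True
    return False

def exchange_allowed(output: List[Rule], inp: List[Rule], proto: str,
                     server_port: int, client_port: int = 40000) -> bool:
    """OUTPUT sees the NEW request to server_port; INPUT sees the ESTABLISHED
    reply coming back to the client's ephemeral port (40000 is a constructed value)."""
    request = Packet(proto, client_port, server_port, "NEW")
    reply = Packet(proto, server_port, client_port, "ESTABLISHED")
    return chain_accepts(output, request) and chain_accepts(inp, reply)

def apt_get_path_open(output: List[Rule], inp: List[Rule]) -> bool:
    """apt-get needs a DNS lookup (UDP 53) and then an HTTP fetch (TCP 80)."""
    return (exchange_allowed(output, inp, "udp", 53)
            and exchange_allowed(output, inp, "tcp", 80))

# Ruleset from the question: port-only matches in INPUT, so replies to a
# high client port never match and hit the DROP policy.
ORIGINAL_INPUT = [Rule("tcp", 80), Rule("udp", 80), Rule("udp", 53), Rule("tcp", 53)]
ORIGINAL_OUTPUT = [Rule("udp", 80), Rule("tcp", 80), Rule("tcp", 53), Rule("udp", 53)]

# Ruleset from the update: INPUT accepts only replies to flows this host opened.
ANY = {"NEW", "RELATED", "ESTABLISHED"}
UPDATED_INPUT = [Rule("all", None, {"RELATED", "ESTABLISHED"})]
UPDATED_OUTPUT = [Rule("tcp", 80, ANY), Rule("tcp", 53, ANY), Rule("udp", 53, ANY)]
```

With the original ruleset the DNS query leaves but its reply is dropped in INPUT, which is exactly the "Temporary failure resolving" symptom; with the updated ruleset both exchanges pass, so a remaining failure points at name resolution (resolv.conf) rather than the firewall.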