My iptables configuration allows some traffic, but I noticed that I have no specific rule allowing traffic on port TCP 993 (used by my email client). When I open the email client, all traffic on port TCP/993 passes through the firewall. Obviously I need this traffic, but the strange part is that my firewall is allowing it.
Here are my iptables rules:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Allow any related or established connections" -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "Allow any related or established connections" -j ACCEPT
-A INPUT -i lo -m comment --comment "Allow incoming traffic to loopback" -j ACCEPT
-A OUTPUT -o lo -m comment --comment "Allow outgoing traffic to loopback" -j ACCEPT
-A INPUT -i eth1+ -p udp -m udp --dport 67:68 -m comment --comment "Allow incoming DHCP" -j ACCEPT
-A INPUT -i eth1.10 -p tcp -m tcp --dport 21 -s 10.10.10.0/24 -m comment --comment "Allow incoming FTP from VLAN10" -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -m comment --comment "Allow outgoing FTP" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.10.10.0/24 -m comment --comment "Allow incoming SSH from VLAN10" -j ACCEPT
-A OUTPUT -o eth1+ -p tcp -m tcp --dport 22 -m comment --comment "Allow outgoing SSH" -j ACCEPT
-A INPUT -i eth1+ -p udp -m udp --dport 53 -m comment --comment "Allow incoming UDP DNS" -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "Allow outgoing UDP DNS" -j ACCEPT
-A INPUT -i eth1+ -p tcp -m tcp --dport 80 -m comment --comment "Allow incoming HTTP" -j ACCEPT
-A INPUT -i eth1+ -p tcp -m tcp --dport 443 -m comment --comment "Allow incoming HTTPS" -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m comment --comment "Allow outgoing HTTP" -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m comment --comment "Allow outgoing HTTPS" -j ACCEPT
-A FORWARD -i eth1+ -o eth0 -m comment --comment "Allow traffic from all internal (eth1+) to external (eth0)" -j ACCEPT
-A FORWARD -i eth0 -o eth1+ -m comment --comment "Allow traffic from external (eth0) to all internal (eth1+)" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGGING
-A INPUT -p tcp --tcp-flags ALL ALL -j LOGGING
-A INPUT -p tcp --tcp-flags ALL NONE -j LOGGING
-A INPUT -f -j LOGGING
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 5/minute -j LOG --log-prefix "ipt-dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [4:1084]
:INPUT ACCEPT [4:1084]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
COMMIT
So, as you can see (I think), there is no rule allowing tcp/993.
Using tcpdump:
13:20:13.683689 IP 64.90.62.162.993 > 10.10.10.12.62264: Flags [P.], seq 6234:6288, ack 735, win 236, length 54
13:20:13.687844 IP 10.10.10.12.62264 > 64.90.62.162.993: Flags [P.], seq 735:792, ack 6288, win 515, length 57
13:20:13.913290 IP 64.90.62.162.993 > 10.10.10.12.62264: Flags [P.], seq 6288:6651, ack 792, win 236, length 363
13:20:13.916872 IP 10.10.10.12.62264 > 64.90.62.162.993: Flags [P.], seq 792:832, ack 6651, win 514, length 40
Does anyone think I have misunderstood my rules?
I hope someone can help me.
Regards, Rafael
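The question turns on which chain the packets traverse, so here is an added example (not code from the post): a small Python model of netfilter chain selection run over the rules above. A packet from the VLAN10 client that arrives on eth1.10 and leaves via eth0 is routed, so it only passes through FORWARD, where the eth1+ to eth0 rule accepts everything; the function names, the simplified rule table and the 10.10.10.1 firewall address are assumptions.

```python
import ipaddress

# Constructed from the ruleset in the post, reduced to the fields this model checks:
# (chain, in-iface, out-iface, proto, dport range, source net, comment). Conntrack,
# loopback and LOGGING rules are left out; an unmatched packet is dropped either way.
RULES = [
    ("INPUT", "eth1+", None, "udp", (67, 68), None, "Allow incoming DHCP"),
    ("INPUT", "eth1.10", None, "tcp", (21, 21), "10.10.10.0/24", "Allow incoming FTP from VLAN10"),
    ("INPUT", None, None, "tcp", (22, 22), "10.10.10.0/24", "Allow incoming SSH from VLAN10"),
    ("INPUT", "eth1+", None, "udp", (53, 53), None, "Allow incoming UDP DNS"),
    ("INPUT", "eth1+", None, "tcp", (80, 80), None, "Allow incoming HTTP"),
    ("INPUT", "eth1+", None, "tcp", (443, 443), None, "Allow incoming HTTPS"),
    ("OUTPUT", None, "eth0", "tcp", (21, 21), None, "Allow outgoing FTP"),
    ("OUTPUT", None, "eth1+", "tcp", (22, 22), None, "Allow outgoing SSH"),
    ("OUTPUT", None, "eth0", "udp", (53, 53), None, "Allow outgoing UDP DNS"),
    ("OUTPUT", None, "eth0", "tcp", (80, 80), None, "Allow outgoing HTTP"),
    ("OUTPUT", None, "eth0", "tcp", (443, 443), None, "Allow outgoing HTTPS"),
    ("FORWARD", "eth1+", "eth0", None, None, None, "Allow traffic from internal (eth1+) to external (eth0)"),
    ("FORWARD", "eth0", "eth1+", None, None, None, "Allow traffic from external (eth0) to internal (eth1+)"),
]

def iface_match(pattern, iface):
    """A trailing '+' in an iptables interface name is a prefix wildcard (eth1+ matches eth1.10)."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface is not None and iface.startswith(pattern[:-1])
    return iface == pattern

def verdict(in_iface, out_iface, proto, dport, src):
    """Return (chain, verdict, rule comment) for the first packet of a new connection."""
    # netfilter chain selection: a packet that arrives on one interface and leaves on
    # another is routed and only traverses FORWARD; INPUT/OUTPUT never see it.
    chain = "FORWARD" if in_iface and out_iface else ("INPUT" if in_iface else "OUTPUT")
    for rchain, rin, rout, rproto, ports, net, comment in RULES:
        if rchain != chain or not iface_match(rin, in_iface) or not iface_match(rout, out_iface):
            continue
        if rproto and rproto != proto:
            continue
        if ports and not ports[0] <= dport <= ports[1]:
            continue
        if net and ipaddress.ip_address(src) not in ipaddress.ip_network(net):
            continue
        return chain, "ACCEPT", comment
    return chain, "DROP", "no match: chain policy / LOGGING chain"

if __name__ == "__main__":
    # Constructed packets: the IMAPS flow from the tcpdump output (VLAN10 client behind
    # eth1.10, leaving via eth0) versus the same port opened by the firewall host itself.
    print(verdict("eth1.10", "eth0", "tcp", 993, "10.10.10.12"))  # FORWARD, ACCEPT
    print(verdict(None, "eth0", "tcp", 993, "10.10.10.1"))  # OUTPUT, DROP
```

The same model shows why the conntrack counters alone can mislead: once the forwarded SYN is accepted, the reply packets in the capture match the ESTABLISHED state and are never evaluated against a port rule at all.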