Ubuntu 20.04.2 LTS. I run UFW with mostly the default configuration, allowing a few ports through with "ufw allow", but I have not done any manual blocking or config-file editing.
I was checking the UFW logs and noticed that incoming ICMP destination-unreachable messages (both IPv4 and IPv6) are being blocked for unclear reasons.
UFW appears to have a default configuration that lets these through:
root@hostname:/etc/ufw# grep -R icmp * | grep dest
before.rules:-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
before.rules:-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
before6.rules:-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
What I see in the log is:
IPv4:
Apr 26 07:50:04 hostname kernel: [721900.768277] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(foreignIPV4) DST=(myIPV4) LEN=104 TOS=0x00 PREC=0x00 TTL=50 ID=11553 PROTO=ICMP TYPE=3 CODE=3 [SRC=(myIPV4) DST=(foreignIPV4) LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=55473 DF PROTO=UDP SPT=123 DPT=30516 LEN=56 ]
Note: TYPE=3 CODE=3 = destination unreachable / port unreachable
IPv6:
Apr 25 17:58:36 hostname kernel: [672013.171362] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=(foreignIPV6) DST=(myIPV6) LEN=144 TC=40 HOPLIMIT=240 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=4 [SRC=(myIPV6) DST=(foreignIPV6) LEN=96 TC=32 HOPLIMIT=50 FLOWLBL=950125 PROTO=UDP SPT=123 DPT=48280 LEN=56 ]
Note: TYPE=1 CODE=4 = destination unreachable / port unreachable
The ICMP messages are related to NTP traffic (UDP port 123); I run an NTP server for ntppool.org, and sometimes when my server responds to a client, the client replies with an ICMP message indicating that the port it sent the original NTP request from is unreachable. At this point I am not particularly interested in why some clients respond that way; I just want to figure out why UFW is blocking the ICMP messages.
For testing, I found a program called "nping" that I can run from my home Windows system to send custom ICMP messages to my server. I tried sending destination-unreachable messages to see whether they would show up in the UFW log, but they did not. So it is possible that UFW is not blocking 100% of these messages, but rather filtering some of them based on unknown criteria.
Adding "iptables -xvnL" output:
root@hostname:/var/log# sudo iptables -xvnL
Chain INPUT (policy DROP 12439 packets, 776590 bytes)
pkts bytes target prot opt in out source destination
145170103 11118327896 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
145170103 11118327896 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
3633596 110434934 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
3630280 110246698 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
3630280 110246698 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
3630280 110246698 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 16 packets, 960 bytes)
pkts bytes target prot opt in out source destination
79090294 6301946512 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
79090294 6301946512 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
15895 983433 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
15895 983433 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
15895 983433 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
15895 983433 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
37 2886 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
11 548 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
187 9508 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
786 47222 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
34 29905 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6164343 472366977 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
845 74528 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
845 74528 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
9836 782534 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
4502728 342015963 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
4502702 342013987 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
34 29905 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
5271469 405354822 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
62 4258 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
620 55772 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
165 13988 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
4502728 342015963 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
235 12942 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
37 2758 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
401 23204 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
329 19016 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
4489126 341176077 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
132 3750 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:37
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
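The two log entries quoted above carry two headers: the outer ICMP error, and, in square brackets, the header of the original datagram that triggered it (here the NTP server's own UDP reply from source port 123). When investigating a block like this it helps to split the two and count what the blocked ICMP errors actually refer to. The following parser is an added example, not code from the question or the answer; the log lines it contains are constructed to match the format shown above, with documentation-range addresses in place of the redacted ones. The classification rule (inner PROTO=UDP, inner SPT=123, inner SRC equal to our own address) is an assumption that encodes "an ICMP error about a reply our NTP server sent".

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample lines modelled on the entries quoted in the question;
# the third line is an ordinary blocked TCP SYN for contrast.
SAMPLE_LOG = """\
Apr 26 07:50:04 hostname kernel: [721900.768277] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=198.51.100.7 DST=203.0.113.5 LEN=104 TOS=0x00 PREC=0x00 TTL=50 ID=11553 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.5 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=55473 DF PROTO=UDP SPT=123 DPT=30516 LEN=56 ]
Apr 25 17:58:36 hostname kernel: [672013.171362] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=2001:db8::7 DST=2001:db8::5 LEN=144 TC=40 HOPLIMIT=240 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=4 [SRC=2001:db8::5 DST=2001:db8::7 LEN=96 TC=32 HOPLIMIT=50 FLOWLBL=950125 PROTO=UDP SPT=123 DPT=48280 LEN=56 ]
Apr 26 08:01:10 hostname kernel: [722566.123456] [UFW BLOCK] IN=eth0 OUT= MAC=XXX SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=40000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# "[UFW BLOCK] ", "[UFW ALLOW] ", "[UFW LIMIT BLOCK] " and everything after it.
_PREFIX_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$")
_KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")

# ICMP type number that means "destination unreachable" for each protocol.
DEST_UNREACH = {"ICMP": "3", "ICMPv6": "1"}


def _fields(text: str) -> Dict[str, str]:
    """Turn 'KEY=VAL KEY=VAL ...' into a dict; bare flags (DF, SYN) get an empty value."""
    fields = dict(_KV_RE.findall(text))
    for tok in text.split():
        if "=" not in tok and tok.isalpha() and tok.isupper():
            fields[tok] = ""
    return fields


def parse_ufw_line(line: str) -> Optional[Dict]:
    """Split a UFW log line into the outer packet header and, for ICMP errors,
    the quoted header of the original datagram. Returns None for non-UFW lines."""
    m = _PREFIX_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    inner = None
    start = rest.find("[")
    if start != -1:
        end = rest.rfind("]")
        inner = _fields(rest[start + 1:end])
        rest = rest[:start]
    return {"action": m.group("action"), "outer": _fields(rest), "inner": inner}


def classify(entry: Dict) -> str:
    """Say what kind of packet was logged and, for ICMP errors, what they refer to."""
    outer, inner = entry["outer"], entry["inner"]
    proto = outer.get("PROTO")
    if proto not in DEST_UNREACH:
        return f"other:{proto}"
    if outer.get("TYPE") != DEST_UNREACH[proto]:
        return f"{proto.lower()}-type-{outer.get('TYPE')}"
    if inner is None:
        return "dest-unreachable:no-inner-header"
    # Assumed rule: the quoted datagram was sent by us (its SRC is our address,
    # the outer DST) from UDP port 123, i.e. it was our NTP server's reply.
    if (inner.get("PROTO") == "UDP" and inner.get("SPT") == "123"
            and inner.get("SRC") == outer.get("DST")):
        return "dest-unreachable:for-our-ntp-reply"
    return f"dest-unreachable:for-{inner.get('PROTO')}-spt-{inner.get('SPT')}"


def summarize(log_text: str) -> Dict[str, int]:
    """Count log entries by action and classification."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        if entry is None:
            continue
        counts[f"{entry['action']}:{classify(entry)}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:6d}  {key}")
```

Run against a real /var/log/ufw.log this tells you at a glance whether the blocked ICMP traffic is all errors about your own NTP replies (as in the question) or includes something else; a large share of "for-our-ntp-reply" entries together with zero hits on the destination-unreachable ACCEPT rules in the iptables counters above points at the packets being dropped earlier in the chain rather than by a missing ICMP rule.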
Posted on 2022-11-05 19:47:11
This is related to the fact that I had edited my before.rules and before6.rules to disable connection tracking for NTP traffic. That apparently causes the ICMP messages related to that traffic to be marked with the "INVALID" conntrack state.
In the standard configuration, the "INVALID" drop happens before the ICMP allows:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
I edited before.rules and before6.rules to swap the two blocks, so that ICMP is allowed before the "INVALID" check happens:
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
# moved to after ICMP to prevent NTP stuff from being blocked
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
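Because iptables evaluates a chain top to bottom and stops at the first terminating target, the fix above depends entirely on rule order inside ufw-before-input. The following script is an added example, not part of the answer, that reads a before.rules-style file and reports which ICMP ACCEPT rules sit after the conntrack INVALID DROP; the two rule excerpts it contains are constructed copies of the stock and swapped orderings shown in the answer. The chain name and the "--ctstate INVALID ... -j DROP" pattern it looks for are taken from those excerpts.

```python
import re
from typing import Dict, List

# Constructed excerpt: the stock ordering quoted in the answer.
STOCK_RULES = """\
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
"""

# Constructed excerpt: the swapped ordering the answer describes.
SWAPPED_RULES = """\
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
# moved to after ICMP to prevent NTP stuff from being blocked
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
"""

_APPEND_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")


def chain_rules(rules_text: str, chain: str) -> List[str]:
    """Rule bodies appended to `chain`, in file order; comments and blank lines skipped."""
    rules = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _APPEND_RE.match(line)
        if m and m.group("chain") == chain:
            rules.append(m.group("body"))
    return rules


def check_icmp_vs_invalid(rules_text: str, chain: str = "ufw-before-input") -> Dict:
    """Locate the first 'ctstate INVALID -> DROP' rule and list the ICMP/ICMPv6
    ACCEPT rules that come after it, i.e. that an INVALID-state ICMP error never reaches."""
    rules = chain_rules(rules_text, chain)
    drops = [i for i, r in enumerate(rules)
             if "--ctstate INVALID" in r and r.endswith("-j DROP")]
    accepts = [i for i, r in enumerate(rules)
               if re.search(r"-p icmp(v6)?\b", r) and r.endswith("-j ACCEPT")]
    first_drop = drops[0] if drops else None
    after = [rules[i] for i in accepts if first_drop is not None and i > first_drop]
    return {
        "invalid_drop_index": first_drop,
        "icmp_accept_indices": accepts,
        "icmp_accepts_after_invalid_drop": after,
    }


if __name__ == "__main__":
    for name, text in (("stock", STOCK_RULES), ("swapped", SWAPPED_RULES)):
        result = check_icmp_vs_invalid(text)
        print(name, "-> ICMP accepts unreachable for INVALID packets:",
              len(result["icmp_accepts_after_invalid_drop"]))
```

Point it at /etc/ufw/before.rules (and before6.rules with chain "ufw6-before-input") after editing; an empty "icmp_accepts_after_invalid_drop" list confirms the swap took effect for that chain. Keep in mind that the swap also exempts every matched ICMP type from the INVALID check, which is the trade-off the answer accepts.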
https://askubuntu.com/questions/1334100