UFW rules in place, yet traffic is still being allowed

2

I have UFW configured to try to block some unwanted IPs and the requests associated with them.

#ufw status |less
Status: active

To                         Action      From
--                         ------      ----
37.187.183.206             DENY        Anywhere
Anywhere                   DENY        37.187.183.206
198.41.249.59              DENY        Anywhere
Anywhere                   DENY        198.41.249.59
162.159.251.59             DENY        Anywhere
Anywhere                   DENY        162.159.251.59

The active status confirms that UFW is enabled, and I have 3 IPs here blocked both inbound and outbound. These rules were inserted with "ufw insert 1", so they are the first rules processed. However, pings and requests are still getting through:

# ping 193.201.224.10
PING 193.201.224.10 (193.201.224.10) 56(84) bytes of data.
64 bytes from 193.201.224.10: icmp_req=1 ttl=52 time=354 ms
64 bytes from 193.201.224.10: icmp_req=2 ttl=52 time=356 ms

And the actual requests too:

#wget 37.187.183.206
--2015-02-13 06:37:23--  http://37.187.183.206/
Connecting to 37.187.183.206:80... connected.
HTTP request sent, awaiting response... 302 Found

Any idea what the cause is?

Edit: iptables output as requested

Chain INPUT (policy DROP 27 packets, 1100 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 105M   11G fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
 105M   11G fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
 105M   11G fail2ban-apache  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
1107M  884G ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1107M  884G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1109 49748 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1109 49748 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1109 49748 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1109 49748 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 108 packets, 4992 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 746M  274G ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 746M  274G ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M 3681M ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M 3681M ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M 3681M ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M 3681M ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-overflows (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 105M   11G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  149  6980 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  54M 7592M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
1042M  875G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4052K  435M ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
4052K  435M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
6880K  500M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
6880K  500M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  54M 7592M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 638M  263G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  54M 3681M ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 3915  189K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 3/min burst 10
 3805  185K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
6880K  500M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  16M  979M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
  38M 2701M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain ufw-user-forward (1 references)

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206      
    0     0 DROP       all  --  *      *       37.187.183.206       0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            198.41.249.59       
    0     0 DROP       all  --  *      *       198.41.249.59        0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            162.159.251.59      
    0     0 DROP       all  --  *      *       162.159.251.59       0.0.0.0/0           
   10   600 DROP       all  --  *      *       220.181.108.153      0.0.0.0/0           
    0     0 DROP       all  --  *      *       220.176.172.157      0.0.0.0/0           
    0     0 DROP       all  --  *      *       222.70.153.55        0.0.0.0/0           
    0     0 DROP       all  --  *      *       94.153.11.136        0.0.0.0/0           
    0     0 DROP       all  --  *      *       178.63.95.202        0.0.0.0/0           
  270 10920 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1433
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1433
   11   488 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:81
 3838  206K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2222
   16   832 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10000
 1019 51256 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3096
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3096
    0     0 ACCEPT     tcp  --  *      *       27.131.130.17        0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       27.131.130.19        0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       61.7.147.82          0.0.0.0/0            tcp dpt:21
  844 42932 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:21
 1057 63508 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8010
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8010
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8011
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8011
    
by Mark Walker 13.02.2015 / 07:40

1 answer

1

The short answer: The rules you created for ufw are in the INPUT chain, which does not affect network traffic originating from the system running ufw. You need rules in the OUTPUT chain to manage that traffic.

The long answer: The first thing to know about a netfilter firewall (the project name for the kernel's packet-filtering firewall) is that rules are checked sequentially and the fate of the packet (ACCEPT, DROP, REJECT etc.) is determined on the first match.

From your iptables -L -n -v you see two complementary technologies managing your packet filter; both ufw and fail2ban have created ipchains rule sets.

The rule set managed by fail2ban is processed first, because in the INPUT chain the fail2ban chains are listed first. Those apply to the default web server ports 80 & 443 or to the ssh port 22.

As apparently no abusive users have been detected, no IP addresses are excluded by the fail2ban rules; they don't match anything yet and use RETURN so that further processing of the packet is done by the ufw rule sets.

There you see all your custom ufw rules in ufw-user-input, and the counters indeed show what you already deduced from the wget 37.187.183.206 command: apparently those rules have never been matched.

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       all  --  *      *       0.0.0.0/0            37.187.183.206 
    0     0 DROP       all  --  *      *       37.187.183.206       0.0.0.0/0 
    ...

The reason for this is that packets originating from your system, such as those created by your wget command, have to be filtered in the OUTPUT chain and never match the INPUT chain.

All traffic from 37.187.183.206 is blocked, and if your system were a router / firewall between your server and 37.187.183.206 that traffic would be blocked too, but packets created by your server are a special case and are not blocked.

For that special use case they must also be in the ufw-user-output chain.

The reason ping requests from 37.187.183.206 are allowed is that in the ufw-before-input chain the rule to accept echo requests (ICMP type 8) is hit before the chain with your custom rules is referenced.

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
        <snip>
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
        <snip>
6880K  500M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
by 13.02.2015 / 11:20
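As an added example (not code from the question or the answer), the Python below models the first-match chain traversal the answer describes, using a simplified subset of the chains from the asker's iptables dump (INPUT → ufw-before-input → ufw-user-input and OUTPUT → ufw-before-output → ufw-user-output → ufw-track-output). The Packet and Rule helpers, the server address used in the checks, and the assumption that an outbound deny for the host lands in ufw-user-output are constructed for this illustration.

```python
# Added example, not code from the question or answer: a first-match model of the
# netfilter chain traversal the answer describes, using a simplified subset of the
# chains in the iptables -L -n -v dump above. Field and helper names are constructed.
from dataclasses import dataclass
from typing import Optional

POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT"}   # built-in chain policies from the dump above
@dataclass(frozen=True)
class Packet:
    hook: str                 # "INPUT" (addressed to this host) or "OUTPUT" (created by it)
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    icmptype: Optional[int] = None
    state: str = "NEW"        # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

@dataclass
class Rule:
    target: str               # ACCEPT/DROP/REJECT, RETURN, or the name of a chain to jump to
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "all"
    icmptype: Optional[int] = None
    state: Optional[str] = None   # comma-separated, as in "RELATED,ESTABLISHED"
    def matches(self, p: Packet) -> bool:
        return (self.src in ("0.0.0.0/0", p.src) and self.dst in ("0.0.0.0/0", p.dst)
                and self.proto in ("all", p.proto)
                and (self.icmptype is None or self.icmptype == p.icmptype)
                and (self.state is None or p.state in self.state.split(",")))

def traverse(chains, name, p):
    """Walk one chain top to bottom; the first match decides. None = RETURN / fell through."""
    for rule in chains[name]:
        if not rule.matches(p):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target == "RETURN":
            return None
        sub = traverse(chains, rule.target, p)       # jump into a user-defined chain
        if sub is not None:
            return sub                               # sub-chain reached a terminal verdict

def decide(chains, p, policy=POLICY):
    v = traverse(chains, p.hook, p)
    return v if v is not None else policy[p.hook]   # no terminal match: built-in policy applies

def build_chains(block_outbound=False):
    """Subset of the asker's ruleset; block_outbound adds the rule missing from ufw-user-output."""
    chains = {
        "INPUT": [Rule("ufw-before-input")],
        "OUTPUT": [Rule("ufw-before-output"), Rule("ufw-track-output")],
        "ufw-before-input": [
            Rule("ACCEPT", state="RELATED,ESTABLISHED"),
            Rule("ACCEPT", proto="icmp", icmptype=8),    # echo request accepted here ...
            Rule("ufw-user-input"),                      # ... before the custom rules are consulted
        ],
        "ufw-user-input": [Rule("DROP", dst="37.187.183.206"), Rule("DROP", src="37.187.183.206")],
        "ufw-before-output": [Rule("ACCEPT", state="RELATED,ESTABLISHED"), Rule("ufw-user-output")],
        "ufw-user-output": [],                           # empty on the asker's system
        "ufw-track-output": [Rule("ACCEPT", proto="tcp", state="NEW"), Rule("ACCEPT", proto="udp", state="NEW")],
    }
    if block_outbound:  # assumed equivalent of an outbound deny for that host (ufw deny out to ...)
        chains["ufw-user-output"].append(Rule("DROP", dst="37.187.183.206"))
    return chains
```

Note that the HTTP response to the wget comes back as ESTABLISHED and is accepted by the first rule of ufw-before-input, so the inbound DROP in ufw-user-input never sees that connection either.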