Why is iptables letting traffic through? [closed]

0

I have this iptables configuration:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere     

And then, trying this:

user@debian:~$ host yahoo.com
../../../../lib/isc/unix/net.c:581: sendmsg() failed: Operation not permitted
yahoo.com has address 98.138.219.232
yahoo.com has address 72.30.35.9
yahoo.com has address 72.30.35.10
yahoo.com has address 98.137.246.7
yahoo.com has address 98.137.246.8
yahoo.com has address 98.138.219.231
yahoo.com has IPv6 address 2001:4998:c:1023::5
yahoo.com has IPv6 address 2001:4998:44:41d::3
yahoo.com has IPv6 address 2001:4998:44:41d::4
yahoo.com has IPv6 address 2001:4998:58:1836::10
yahoo.com has IPv6 address 2001:4998:58:1836::11
yahoo.com has IPv6 address 2001:4998:c:1023::4
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.

How? I thought it was a "cache", and tried some other domains. All of them resolved.

"OK, maybe it's some local DNS cache" - I disconnected the machine from the Internet. OK, it did not resolve.

How? Why?

    
by user41204 14.06.2018 / 14:45

1 answer

1

Solved!

I didn't notice this magic:

yahoo.com has address 98.138.219.231
yahoo.com has IPv6 address 2001:4998:c:1023::5

And so, I have to configure rules for "ip6tables":

# ip6tables -P INPUT DROP
# ip6tables -P OUTPUT DROP
# ip6tables -P FORWARD DROP

and my result:

../../../../lib/isc/unix/net.c:581: sendmsg() failed: Operation not permitted
../../../../lib/isc/unix/net.c:581: sendmsg() failed: Operation not permitted
;; connection timed out ; no servers could be reached

P.S. If I had remembered "tcpdump", the problem would have been solved faster.

    
by 14.06.2018 / 15:12
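
The gap found in the answer above (IPv4 policies set to DROP while the IPv6 table was left alone) can be checked mechanically. The following is an added example, not part of the original posts: it compares the default policies in `iptables -S` and `ip6tables -S` listings; the function names and both sample listings are constructed, and the IPv6 sample assumes the table was still at its ACCEPT defaults.

```shell
#!/bin/sh
# Added example: find default-policy gaps between the IPv4 and IPv6 filter tables.
# Inputs are rule listings in the format printed by `iptables -S` / `ip6tables -S`.

# Constructed sample: IPv4 table locked down as in the question.
V4_SAMPLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP'

# Constructed sample (assumption): IPv6 table still at its ACCEPT defaults.
V6_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Read a listing on stdin; print built-in chains whose policy is not DROP.
permissive_chains() {
    awk '$1 == "-P" && $3 != "DROP" { print $2 }'
}

# $1 = IPv4 listing, $2 = IPv6 listing.
# Print "family:CHAIN" for each chain that is DROP in the other family only.
policy_gaps() {
    v4_open=$(printf '%s\n' "$1" | permissive_chains)
    v6_open=$(printf '%s\n' "$2" | permissive_chains)
    for chain in INPUT FORWARD OUTPUT; do
        in4=no
        in6=no
        printf '%s\n' "$v4_open" | grep -qx "$chain" && in4=yes
        printf '%s\n' "$v6_open" | grep -qx "$chain" && in6=yes
        [ "$in4" = no ] && [ "$in6" = yes ] && echo "ipv6:$chain"
        [ "$in4" = yes ] && [ "$in6" = no ] && echo "ipv4:$chain"
    done
    return 0
}

# Demo on the constructed samples. On a live host (as root):
#   policy_gaps "$(iptables -S)" "$(ip6tables -S)"
policy_gaps "$V4_SAMPLE" "$V6_SAMPLE"
```

An empty result means both families have the same set of DROP policies; any `ipv6:` line is a chain that the IPv4 rules block but IPv6 traffic can still use.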