Não é possível acessar sites da web ao executar o script iptables!

Question

Não é possível acessar sites da web ao executar o script iptables!

#1 resposta do (1 votos)

0

Eu escrevi script para proteger minha máquina:

#!/bin/bash

ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'

# Clear any previous rules.
iptables -F

# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#iptables -A INPUT  -p tcp -m state --state NEW,ESTABLISHED     -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK

iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
    iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done

#Allowing http[s] from inside to outside
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED -j ACCEPT

#Allow ssh from inside to outside
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#Allow working on localhost
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

A saída de iptables -L -v é:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SSH_CHECK  tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 HTTP_CHECK  tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 HTTP_CHECK  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             multiport sports http,https state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp spt:ssh state ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     localhost            localhost           
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             multiport dports http,https state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp dpt:ssh state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  any    lo      localhost            localhost           
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request

Chain HTTP_CHECK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     1.1.1.1              anywhere             /* Allowing 1.1.1.1 to visit my HTTP/S server */
    0     0 ACCEPT     all  --  any    any     2.2.2.2              anywhere             /* Allowing 2.2.2.2 to visit my HTTP/S server */

Chain SSH_CHECK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     1.1.1.1              anywhere             /* Allowing 1.1.1.1 to ssh from his IP */

1) Eu quero abrir sites com esta política, mas não posso. porque? como posso consertar isso? 2) O que são essas regras quando eu descomente-as no meu script?

#iptables -A INPUT  -p tcp -m state --state NEW,ESTABLISHED     -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

security iptables https linux http

por MLSC 31.12.2015 / 07:02

1 resposta

Tags security iptables https linux http

Listar clientes conectados a um alvo iscsi Erro de intérprete incorreto ao tentar executar um script

score 1 · Answer 1

Você está sem acesso ao DNS, que é necessário para resolver o acesso à Web usando nomes.

Eu mudaria as regras destas formas:

#!/bin/bash

ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'
if=eth0

# Clear any previous rules.
iptables -F

# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all related and established packets
iptables -A INPUT  -p tcp -m state --state RELATED,ESTABLISHED     -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED     -j ACCEPT

#iptables -A INPUT  -p tcp -m state --state NEW,ESTABLISHED     -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK

iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
    iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done

#Allowing http[s] from inside to outside
iptables -A OUTPUT -o $if -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Allow DNS - you might want to limit this to a few know, trusted servers
iptables -A OUTPUT -o $if -p udp --dport 53 -j ACCEPT

#Allow ssh from inside to outside
iptables -A OUTPUT -o $if -p tcp --dport 22 -m state --state NEW -j ACCEPT

#Allow working on localhost, using any IP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

As regras comentadas:

O primeiro permitirá todas as conexões TCP de entrada.
O segundo parece tentar impedir que novas conexões TCP sejam estabelecidas usando nada além de pacotes SYN, o que não faz muito sentido ... (não estou completamente certo sobre isso, presumo que o ! aplica-se apenas ao itme diretamente depois dele, já que parece ser o caminho comum para fazer as coisas) A resposta para isso tem alguns detalhes sobre isso Mais informações em frozentux