I wrote a small script to permanently block IP addresses.

#!/bin/bash

# Usage: block_ip.sh <ipv4-address>; aborts with the message below when no argument is given.
ip=${1:?No IP address given. Exit.}

# Accept only dotted-quad IPv4 input before handing it to iptables.
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  iptables -A INPUT -s "$ip" -j DROP
  # Persist both rule sets so they survive a reboot.
  iptables-save > /etc/iptables/rules.v4
  ip6tables-save > /etc/iptables/rules.v6
else
  echo "IP address is wrong." >&2
  exit 1
fi

I can see the blocked IP address in /etc/iptables/rules.v4. But this IP can still access my website anyway.

The website is hosted on apache2 as a service (not in a container such as docker).

iptables -L -nvx

Chain INPUT (policy DROP 21899 packets, 1395887 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    7832   616486 f2b-sshd   tcp  --  *      *       xxx/0            xxx/0            multiport dports 22
  630319 164084564 ufw-before-logging-input  all  --  *      *       xxx/0            xxx/0
  630319 164084564 ufw-before-input  all  --  *      *       xxx/0            xxx/0
   33255  1982017 ufw-after-input  all  --  *      *       xxx/0            xxx/0
   21899  1395887 ufw-after-logging-input  all  --  *      *       xxx/0            xxx/0
   21899  1395887 ufw-reject-input  all  --  *      *       xxx/0            xxx/0
   21899  1395887 ufw-track-input  all  --  *      *       xxx/0            xxx/0
       0        0 DROP       all  --  *      *       xxx      xxx/0    
       0        0 DROP       all  --  *      *       xxx      xxx/0    
       0        0 DROP       all  --  *      *       xxx      xxx/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ufw-before-logging-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-before-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-after-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-after-logging-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-reject-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-track-forward  all  --  *      *       xxx/0            xxx/0

Chain OUTPUT (policy ACCEPT 4306 packets, 258439 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  687419 822425050 ufw-before-logging-output  all  --  *      *       xxx/0            xxx/0
  687419 822425050 ufw-before-output  all  --  *      *       xxx/0            xxx/0
   10217   812202 ufw-after-output  all  --  *      *       xxx/0            xxx/0
   10217   812202 ufw-after-logging-output  all  --  *      *       xxx/0            xxx/0
   10217   812202 ufw-reject-output  all  --  *      *       xxx/0            xxx/0
   10217   812202 ufw-track-output  all  --  *      *       xxx/0            xxx/0

Chain ufw-before-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   11311  4558603 ACCEPT     all  --  lo     *       xxx/0            xxx/0    
  553834 155622301 ACCEPT     all  --  *      *       xxx/0            xxx/0            ctstate RELATED,ESTABLISHED
    6758   435582 ufw-logging-deny  all  --  *      *       xxx/0            xxx/0            ctstate INVALID
    6758   435582 DROP       all  --  *      *       xxx/0            xxx/0            ctstate INVALID
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 12
     700    43597 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 8
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp spt:67 dpt:68
   57716  3424481 ufw-not-local  all  --  *      *       xxx/0            xxx/0
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx          udp dpt:5353
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx      udp dpt:1900
   57716  3424481 ufw-user-input  all  --  *      *       xxx/0            xxx/0

Chain ufw-before-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   11311  4558603 ACCEPT     all  --  *      lo      xxx/0            xxx/0    
  665891 817054245 ACCEPT     all  --  *      *       xxx/0            xxx/0            ctstate RELATED,ESTABLISHED
   10217   812202 ufw-user-output  all  --  *      *       xxx/0            xxx/0

Chain ufw-before-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       xxx/0            xxx/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 8
       0        0 ufw-user-forward  all  --  *      *       xxx/0            xxx/0

Chain ufw-after-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      16     1249 ufw-skip-to-policy-input  udp  --  *      *       xxx/0            xxx/0            udp dpt:137
       0        0 ufw-skip-to-policy-input  udp  --  *      *       xxx/0            xxx/0            udp dpt:138
     112     4744 ufw-skip-to-policy-input  tcp  --  *      *       xxx/0            xxx/0            tcp dpt:139
   11223   579324 ufw-skip-to-policy-input  tcp  --  *      *       xxx/0            xxx/0            tcp dpt:445
       0        0 ufw-skip-to-policy-input  udp  --  *      *       xxx/0            xxx/0            udp dpt:67
       0        0 ufw-skip-to-policy-input  udp  --  *      *       xxx/0            xxx/0            udp dpt:68
       5      813 ufw-skip-to-policy-input  all  --  *      *       xxx/0            xxx/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   14614   844988 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-reject-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    3145   372522 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            ctstate NEW
    2766   181241 ACCEPT     udp  --  *      *       xxx/0            xxx/0            ctstate NEW

Chain ufw-track-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-logging-deny (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    3634   301938 RETURN     all  --  *      *       xxx/0            xxx/0            ctstate INVALID limit: avg 3/min burst 10
     436    20712 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
    pkts      bytes target     prot opt in     out     source               destination
   11356   586130 DROP       all  --  *      *       xxx/0            xxx/0    

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       xxx/0            xxx/0    

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       xxx/0            xxx/0    

Chain ufw-not-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   57711  3423668 RETURN     all  --  *      *       xxx/0            xxx/0            ADDRTYPE match dst-type LOCAL
       0        0 RETURN     all  --  *      *       xxx/0            xxx/0            ADDRTYPE match dst-type MULTICAST
       5      813 RETURN     all  --  *      *       xxx/0            xxx/0            ADDRTYPE match dst-type BROADCAST
       0        0 ufw-logging-deny  all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10
       0        0 DROP       all  --  *      *       xxx/0            xxx/0    

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    5043   297568 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:22
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:22
    1391    77976 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:80
       1       44 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:80
   11880   654869 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:443
       6     7065 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:443
      51     2268 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:25
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:25
      85     4248 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:465
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:465
      94     4728 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:21
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:21
       0        0 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:21
       6      240 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            multiport dports 49152:65534
     988   151807 ACCEPT     udp  --  *      *       xxx/0            xxx/0            multiport dports 49152:65534

Chain ufw-user-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-limit (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
       0        0 REJECT     all  --  *      *       xxx/0            xxx/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       xxx/0            xxx/0    

Chain f2b-sshd (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      15      924 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      25     1592 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      19     1444 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      23     1780 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      14      908 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      14      884 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      19     1408 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      21     1628 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      14      884 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1580 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
       3      180 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      26     1956 REJECT     all  --  *      *       xxx          xxx/0            reject-with icmp-port-unreachable
      14      884 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      29     2192 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1580 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      28     2084 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      20     1512 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      19     1420 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      15      924 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      28     2092 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      28     2028 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      28     2040 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      28     2040 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      17     1064 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1604 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      14      884 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      26     1928 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      26     1868 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1268 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      14      856 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1580 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      12      648 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      12      648 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
    6992   557746 RETURN     all  --  *      *       xxx/0            xxx/0  

sudo iptables -t nat -L -nvx

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

/etc/iptables/rules.v4 contains the blocked IP address (marked "HERE IS MY BLOCKED"):

cat /etc/iptables/rules.v4

*filter
:INPUT DROP [21956:1398629]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4314:258919]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -s xxx.xxx.xxx/32 -j DROP
-A INPUT -s HERE IS MY BLOCKED IP/32 -j DROP
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d xxx.xxx.xxx/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d xxx.xxx.xxx/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-skip-to-policy-forward -j DROP
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9200 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9200 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 5601 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 5601 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9300 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9300 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 12201 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 25 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 465 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 465 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 587 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 587 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 143 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 993 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 110 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 995 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 995 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 115 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 49152 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 49152 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 65534 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 65534 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 49152:65534 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 49152:65534 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A f2b-sshd -s xxx.xxx.xxx/32 -j REJECT --reject-with icmp-port-unreachable

-A f2b-sshd -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

But if I run the command sudo iptables -L -v | grep '116.xx.xx.105', I get no result.

Edit

I am using the firewall called ufw. So I tried sudo ufw deny from xxx.xxx.xxx to any. That doesn't work either.

I added -A ufw-before-input -s xxx.xxx.xxx.xxx -j DROP to the file /etc/ufw/before.rules. Then I reloaded the rules with sudo ufw reload. No errors, but I can still access the page.

sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     xxx.xxx.xxx.xxx
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

sudo ifconfig -a

ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet x.x.x.x  netmask 255.255.252.0  broadcast x.x.x.x
        inet6 x::x:x:x:xprefixlen 64  scopeid 0x20<link>
        ether 06:da:10:79:72:23  txqueuelen 1000  (Ethernet)
        RX packets 3225  bytes 192577 (188.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 150  bytes 29553 (28.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Lokale Schleife)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

What's wrong?

1 Answer

I solved this by using ufw directly instead of iptables.

I first reset iptables and ufw.

Then I set the defaults:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Then I added my standard rules, for example:

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

Then I blocked the offending IP address: sudo ufw insert 1 deny from {IP_ADDRESS}.

This did not work: sudo ufw deny from {IP_ADDRESS}, because the earlier rule allowing http accepts all incoming requests. That is why I used the command with insert 1 to put my deny rule at the top. Otherwise the deny rule would be the last rule, after the one accepting incoming HTTP requests. The order of allow and deny was the problem.

Then activate ufw: sudo ufw enable

I can verify it with sudo ufw status verbose.

Thanks for your input!

answered 2019-10-03T09:11:43.660
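The question's `iptables -L -nvx` output already shows the cause: the `DROP` lines at the end of `INPUT` have 0 packets, because `-A INPUT -j ufw-before-input` runs first and that chain ends in `ufw-user-input`, where `tcp dpt:80` is accepted. The answer's `insert 1` works for the same reason in reverse. The following is an added example, not code from the question or the answer: a small first-match simulator of that chain layout (chain names taken from the page, packet fields and the blocked address `203.0.113.10` constructed) that shows the appended rule never matching, the inserted rule matching, and one caveat the page's layout implies: the `ctstate RELATED,ESTABLISHED` ACCEPT in `ufw-before-input` sits before `ufw-user-input`, so a connection that is already open when the deny is added keeps flowing until it closes.

```python
"""Added example: first-match walk through a subset of the ufw chain layout
shown in the question. Modelled on the page's output; not the poster's code."""
from dataclasses import dataclass, field
from typing import Optional, Set, Dict, List


@dataclass
class Packet:
    src: str
    proto: str                 # "tcp", "udp", "icmp"
    dport: Optional[int]
    ctstate: str               # "NEW" or "ESTABLISHED"


@dataclass
class Rule:
    target: str                                   # ACCEPT/DROP/RETURN or a chain name (jump)
    src: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstate: Set[str] = field(default_factory=set)

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or pkt.src == self.src)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (not self.ctstate or pkt.ctstate in self.ctstate))


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet,
         policy: Optional[str] = "DROP") -> Optional[str]:
    """netfilter semantics: rules are tried in order; a terminal target ends
    evaluation; a jump into a user chain resumes with the next rule here when
    that chain RETURNs (explicitly or by running off its end)."""
    for rule in chains.get(chain, []):
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy  # built-in chain: apply policy; user chain: implicit RETURN


BLOCKED = "203.0.113.10"   # constructed stand-in (TEST-NET-3) for the poster's address
WEB_FROM_BLOCKED = Packet(BLOCKED, "tcp", 80, "NEW")


def ufw_chains(user_input_rules: List[Rule]) -> Dict[str, List[Rule]]:
    """Subset of the question's layout: INPUT -> ufw-before-input, which accepts
    established traffic first and then jumps to ufw-user-input, the chain that
    `ufw allow` / `ufw deny` rules are written into."""
    return {
        "INPUT": [Rule("ufw-before-input"), Rule("ufw-after-input")],
        "ufw-before-input": [
            Rule("ACCEPT", ctstate={"RELATED", "ESTABLISHED"}),
            Rule("ufw-user-input"),
        ],
        "ufw-after-input": [],
        "ufw-user-input": list(user_input_rules),
    }


ALLOW_WEB = [Rule("ACCEPT", proto="tcp", dport=22),
             Rule("ACCEPT", proto="tcp", dport=80),
             Rule("ACCEPT", proto="tcp", dport=443)]


def appended_drop_verdict() -> str:
    """What the question's script does: `iptables -A INPUT -s $ip -j DROP`."""
    chains = ufw_chains(ALLOW_WEB)
    chains["INPUT"].append(Rule("DROP", src=BLOCKED))
    return walk(chains, "INPUT", WEB_FROM_BLOCKED)


def inserted_drop_verdict() -> str:
    """What the answer does: `ufw insert 1 deny from IP` lands at the top of ufw-user-input."""
    chains = ufw_chains([Rule("DROP", src=BLOCKED)] + ALLOW_WEB)
    return walk(chains, "INPUT", WEB_FROM_BLOCKED)


def established_after_deny_verdict() -> str:
    """Caveat: conntrack ACCEPT in ufw-before-input precedes ufw-user-input."""
    chains = ufw_chains([Rule("DROP", src=BLOCKED)] + ALLOW_WEB)
    return walk(chains, "INPUT", Packet(BLOCKED, "tcp", 80, "ESTABLISHED"))


def other_host_verdict() -> str:
    """The inserted deny must not affect other clients on an allowed port."""
    chains = ufw_chains([Rule("DROP", src=BLOCKED)] + ALLOW_WEB)
    return walk(chains, "INPUT", Packet("198.51.100.7", "tcp", 443, "NEW"))


if __name__ == "__main__":
    print("appended DROP at end of INPUT :", appended_drop_verdict())
    print("DROP inserted first in user chain:", inserted_drop_verdict())
    print("already-established connection :", established_after_deny_verdict())
    print("other host, allowed port       :", other_host_verdict())
```

The simulator only models what the question's output shows (order, jumps, the conntrack accept); it is a reasoning aid, not a replacement for checking counters with `iptables -L -nvx`, where a deny rule that is positioned correctly shows its packet count climbing while the appended one stays at 0.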