I wrote a small script to block an IP address permanently.
#!/bin/bash
# Usage: block-ip.sh <IPv4 address>
ip=${1:?No IP address given. Exit.}
# Accept only a dotted-quad IPv4 address.
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    # -A appends the rule to the end of the INPUT chain.
    iptables -A INPUT -s "$ip" -j DROP
    # Persist the current rules so they are restored on boot.
    iptables-save > /etc/iptables/rules.v4
    ip6tables-save > /etc/iptables/rules.v6
else
    echo "IP address is wrong: $ip" >&2
    exit 1
fi
I can see the blocked IP address in /etc/iptables/rules.v4. But this IP can still access my website anyway.
The website is hosted on apache2 as a service (not in a container like docker).
iptables -L -nvx:
Chain INPUT (policy DROP 21899 packets, 1395887 bytes)
pkts bytes target prot opt in out source destination
7832 616486 f2b-sshd tcp -- * * xxx/0 xxx/0 multiport dports 22
630319 164084564 ufw-before-logging-input all -- * * xxx/0 xxx/0
630319 164084564 ufw-before-input all -- * * xxx/0 xxx/0
33255 1982017 ufw-after-input all -- * * xxx/0 xxx/0
21899 1395887 ufw-after-logging-input all -- * * xxx/0 xxx/0
21899 1395887 ufw-reject-input all -- * * xxx/0 xxx/0
21899 1395887 ufw-track-input all -- * * xxx/0 xxx/0
0 0 DROP all -- * * xxx xxx/0
0 0 DROP all -- * * xxx xxx/0
0 0 DROP all -- * * xxx xxx/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * xxx/0 xxx/0
0 0 ufw-before-forward all -- * * xxx/0 xxx/0
0 0 ufw-after-forward all -- * * xxx/0 xxx/0
0 0 ufw-after-logging-forward all -- * * xxx/0 xxx/0
0 0 ufw-reject-forward all -- * * xxx/0 xxx/0
0 0 ufw-track-forward all -- * * xxx/0 xxx/0
Chain OUTPUT (policy ACCEPT 4306 packets, 258439 bytes)
pkts bytes target prot opt in out source destination
687419 822425050 ufw-before-logging-output all -- * * xxx/0 xxx/0
687419 822425050 ufw-before-output all -- * * xxx/0 xxx/0
10217 812202 ufw-after-output all -- * * xxx/0 xxx/0
10217 812202 ufw-after-logging-output all -- * * xxx/0 xxx/0
10217 812202 ufw-reject-output all -- * * xxx/0 xxx/0
10217 812202 ufw-track-output all -- * * xxx/0 xxx/0
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
11311 4558603 ACCEPT all -- lo * xxx/0 xxx/0
553834 155622301 ACCEPT all -- * * xxx/0 xxx/0 ctstate RELATED,ESTABLISHED
6758 435582 ufw-logging-deny all -- * * xxx/0 xxx/0 ctstate INVALID
6758 435582 DROP all -- * * xxx/0 xxx/0 ctstate INVALID
0 0 ACCEPT icmp -- * * xxx/0 xxx/0 icmptype 3
0 0 ACCEPT icmp -- * * xxx/0 xxx/0 icmptype 11
0 0 ACCEPT icmp -- * * xxx/0 xxx/0 icmptype 12
700 43597 ACCEPT icmp -- * * xxx/0 xxx/0 icmptype 8
0 0 ACCEPT udp -- * * xxx/0 xxx/0 udp spt:67 dpt:68
57716 3424481 ufw-not-local all -- * * xxx/0 xxx/0
0 0 ACCEPT udp -- * * xxx/0 xxx udp dpt:5353
0 0 ACCEPT udp -- * * xxx/0 xxx udp dpt:1900
57716 3424481 ufw-user-input all -- * * xxx/0 xxx/0
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
11311 4558603 ACCEPT all -- * lo xxx/0 xxx/0
665891 817054245 ACCEPT all -- * * xxx/0 xxx/0 ctstate RELATED,ESTABLISHED
10217 812202 ufw-user-output all -- * * xxx/0 xxx/0
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * xxx/0 xxx/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * xxx/0 xxx/0 icmptype 3
0 0 ACCEPT icmp -- * * xxx/0 xxx/0 icmptype 11
0 0 ACCEPT icmp -- * * xxx/0 xxx/0 icmptype 12
0 0 ACCEPT icmp -- * * xxx/0 xxx/0 icmptype 8
0 0 ufw-user-forward all -- * * xxx/0 xxx/0
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
16 1249 ufw-skip-to-policy-input udp -- * * xxx/0 xxx/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * xxx/0 xxx/0 udp dpt:138
112 4744 ufw-skip-to-policy-input tcp -- * * xxx/0 xxx/0 tcp dpt:139
11223 579324 ufw-skip-to-policy-input tcp -- * * xxx/0 xxx/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * xxx/0 xxx/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * xxx/0 xxx/0 udp dpt:68
5 813 ufw-skip-to-policy-input all -- * * xxx/0 xxx/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
14614 844988 LOG all -- * * xxx/0 xxx/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * xxx/0 xxx/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
3145 372522 ACCEPT tcp -- * * xxx/0 xxx/0 ctstate NEW
2766 181241 ACCEPT udp -- * * xxx/0 xxx/0 ctstate NEW
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
3634 301938 RETURN all -- * * xxx/0 xxx/0 ctstate INVALID limit: avg 3/min burst 10
436 20712 LOG all -- * * xxx/0 xxx/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * xxx/0 xxx/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
11356 586130 DROP all -- * * xxx/0 xxx/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * xxx/0 xxx/0
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * xxx/0 xxx/0
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
57711 3423668 RETURN all -- * * xxx/0 xxx/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * xxx/0 xxx/0 ADDRTYPE match dst-type MULTICAST
5 813 RETURN all -- * * xxx/0 xxx/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * xxx/0 xxx/0 limit: avg 3/min burst 10
0 0 DROP all -- * * xxx/0 xxx/0
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
5043 297568 ACCEPT tcp -- * * xxx/0 xxx/0 tcp dpt:22
0 0 ACCEPT udp -- * * xxx/0 xxx/0 udp dpt:22
1391 77976 ACCEPT tcp -- * * xxx/0 xxx/0 tcp dpt:80
1 44 ACCEPT udp -- * * xxx/0 xxx/0 udp dpt:80
11880 654869 ACCEPT tcp -- * * xxx/0 xxx/0 tcp dpt:443
6 7065 ACCEPT udp -- * * xxx/0 xxx/0 udp dpt:443
51 2268 ACCEPT tcp -- * * xxx/0 xxx/0 tcp dpt:25
0 0 ACCEPT udp -- * * xxx/0 xxx/0 udp dpt:25
85 4248 ACCEPT tcp -- * * xxx/0 xxx/0 tcp dpt:465
0 0 ACCEPT udp -- * * xxx/0 xxx/0 udp dpt:465
94 4728 ACCEPT tcp -- * * xxx/0 xxx/0 tcp dpt:21
0 0 ACCEPT udp -- * * xxx/0 xxx/0 udp dpt:21
0 0 ACCEPT tcp -- * * xxx/0 xxx/0 tcp dpt:21
6 240 ACCEPT tcp -- * * xxx/0 xxx/0 multiport dports 49152:65534
988 151807 ACCEPT udp -- * * xxx/0 xxx/0 multiport dports 49152:65534
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * xxx/0 xxx/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * xxx/0 xxx/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * xxx/0 xxx/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
15 924 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
25 1592 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
19 1444 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
23 1780 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
14 908 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
14 884 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
19 1408 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
21 1628 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
14 884 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
20 1580 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
3 180 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
26 1956 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
14 884 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
29 2192 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
20 1580 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
28 2084 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
20 1512 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
19 1420 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
15 924 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
28 2092 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
28 2028 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
28 2040 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
28 2040 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
17 1064 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
20 1604 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
14 884 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
26 1928 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
26 1868 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
20 1268 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
14 856 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
20 1580 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
12 648 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
12 648 REJECT all -- * * xxx xxx/0 reject-with icmp-port-unreachable
6992 557746 RETURN all -- * * xxx/0 xxx/0
sudo iptables -t nat -L -nvx:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
/etc/iptables/rules.v4 contains the blocked IP address (marked "HERE IS MY BLOCKED"):
cat /etc/iptables/rules.v4:
*filter
:INPUT DROP [21956:1398629]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4314:258919]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -s xxx.xxx.xxx/32 -j DROP
-A INPUT -s HERE IS MY BLOCKED IP/32 -j DROP
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d xxx.xxx.xxx/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d xxx.xxx.xxx/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-skip-to-policy-forward -j DROP
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9200 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9200 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 5601 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 5601 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9300 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9300 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 12201 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 25 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 465 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 465 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 587 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 587 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 143 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 993 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 110 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 995 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 995 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 115 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 49152 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 49152 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 65534 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 65534 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 49152:65534 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 49152:65534 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A f2b-sshd -s xxx.xxx.xxx/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
But if I run the command sudo iptables -L -v | grep '116.xx.xx.105', I get no result.
Edit
I am using the firewall called ufw. So I tried sudo ufw deny from xxx.xxx.xxx to any. It doesn't work either.
I added -A ufw-before-input -s xxx.xxx.xxx.xxx -j DROP to the file /etc/ufw/before.rules. Then I reloaded the rules with sudo ufw reload. No errors, but I can still access the page.
sudo ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
Anywhere DENY IN xxx.xxx.xxx.xxx
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
sudo ifconfig -a:
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet x.x.x.x netmask 255.255.252.0 broadcast x.x.x.x
inet6 x::x:x:x:xprefixlen 64 scopeid 0x20<link>
ether 06:da:10:79:72:23 txqueuelen 1000 (Ethernet)
RX packets 3225 bytes 192577 (188.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 150 bytes 29553 (28.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
What's wrong?
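The following is an added example, not part of the question and not the poster's script. It is written in Python rather than bash so it runs offline without root or a real netfilter: it replays a trimmed, constructed copy of the rules.v4 layout above (documentation addresses 203.0.113.45 and 198.51.100.7 stand in for the masked ones, and the WEB_HIT packet is made up) the way the kernel walks the INPUT chain, following jumps into the ufw and fail2ban chains and honouring RETURN and chain policy. For a NEW tcp/443 packet from the "blocked" address it reports which rule produced the verdict; a second helper shows the same ruleset with the DROP inserted at position 1 (what `iptables -I INPUT 1` would give instead of `-A`). The matcher only implements the handful of match options this layout uses, which is an assumption stated in the code.

```python
# Added illustration, not the poster's script: replay an iptables-save ruleset the
# way the kernel walks it and report which rule actually decides a packet.
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: a trimmed copy of the ufw + fail2ban layout posted above, with
# documentation addresses. 203.0.113.45 stands in for the blocked IP; its DROP sits
# at the END of INPUT, exactly where `iptables -A INPUT` appended it.
RULES_V4 = """\
:INPUT DROP [0:0]
:ufw-before-input - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-input
-A INPUT -s 203.0.113.45/32 -j DROP
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -j ufw-user-input
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -j DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A f2b-sshd -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
"""

# Constructed packet: a brand-new HTTPS connection from the blocked address.
WEB_HIT = {"src": "203.0.113.45", "in": "ens3", "proto": "tcp", "dport": 443,
           "ctstate": "NEW", "dst_type": "LOCAL"}


def parse_save(text):
    """iptables-save text -> ({chain: policy}, {chain: [rule, ...]}); assumes one argument per option."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                       # chain header ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"target": None, "dports": None}
            for opt, arg in zip(tok[2::2], tok[3::2]):
                if opt in ("--dport", "--dports"):     # "443", "22,80" or "49152:65534"
                    rule["dports"] = {p for part in arg.split(",")
                                      for p in range(int(part.split(":")[0]), int(part.split(":")[-1]) + 1)}
                elif opt == "-j":
                    rule["target"] = arg
                else:
                    rule[opt] = arg                    # -s, -p, -i, --ctstate, --dst-type, ...
            chains[tok[1]].append(rule)
    return policies, chains


def matches(rule, pkt):
    """Subset of match options the ufw layout uses; -m limit never prevents a match."""
    checks = [
        ("-s", lambda a: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(a)),
        ("-i", lambda a: a == pkt["in"]),
        ("-p", lambda a: a == pkt["proto"]),
        ("--ctstate", lambda a: pkt["ctstate"] in a.split(",")),
        ("--dst-type", lambda a: a == pkt["dst_type"]),
    ]
    if rule["dports"] is not None and pkt.get("dport") not in rule["dports"]:
        return False
    return all(check(rule[opt]) for opt, check in checks if opt in rule)


def walk(chains, name, pkt, trail):
    """Traverse one chain in order; a terminal verdict ends it, RETURN or running
    off the end hands control back to the calling chain (None)."""
    for idx, rule in enumerate(chains[name], 1):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            trail.append(f"{name}#{idx}")
            return target
        if target == "RETURN":
            return None
        if target in chains:                           # jump into a user-defined chain
            verdict = walk(chains, target, pkt, trail)
            if verdict is not None:
                return verdict
        # LOG and other non-terminating targets fall through to the next rule
    return None


def verdict(save_text, pkt):
    """(verdict, deciding rule) for a packet arriving in INPUT."""
    policies, chains = parse_save(save_text)
    trail = []
    v = walk(chains, "INPUT", pkt, trail)
    return (v, trail[-1]) if v else (policies["INPUT"], "INPUT policy")


def insert_at_top(save_text, ip):
    """Same ruleset with the DROP first in INPUT, i.e. what `iptables -I INPUT 1
    -s IP -j DROP` produces instead of `-A`, which appended it after every ufw jump."""
    lines = save_text.splitlines()
    first = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT "))
    return "\n".join(lines[:first] + [f"-A INPUT -s {ip}/32 -j DROP"] + lines[first:]) + "\n"
```

`verdict(RULES_V4, WEB_HIT)` returns `('ACCEPT', 'ufw-user-input#3')`: the jump to ufw-before-input comes before the appended DROP, and ufw-user-input accepts tcp/443 for any source, so the last rule of INPUT is never consulted for that packet. `verdict(insert_at_top(RULES_V4, "203.0.113.45"), WEB_HIT)` returns `('DROP', 'INPUT#1')`. The fail2ban chain, by contrast, is hooked at the front of INPUT, which is why an SSH packet from 198.51.100.7 is rejected in f2b-sshd. Two caveats when checking this on a live box: `iptables -L -v` without `-n` resolves addresses to host names, so a grep for the numeric IP can come back empty even when the rule exists (`iptables -S INPUT` or `iptables-save` always print numerically), and everything here is the IPv4 filter table only; a visitor arriving over IPv6 is evaluated by ip6tables/rules.v6, where the ufw status above shows only ALLOW rules.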