0

我的服务器中有一个规则集,如下所示:

table inet firewall {
    chain INBOUND {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" counter packets 0 bytes 0 accept
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
        tcp dport 22 accept
        log
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTBOUND {
        type filter hook output priority filter; policy drop;
        oif "lo" counter packets 35 bytes 1946 accept
        tcp dport 22 accept
    }
}

即使应该打开端口,我也无法从端口 22 上的 ssh 连接。如果我输入:

$ nft flush ruleset,则 22 端口允许连接。

我做错了什么?

4

2 回答 2

1

在我看来,“OUTBOUND”链中的规则是问题所在。

你有tcp dport 22 accept,但我认为这应该是tcp sport 22 accept因为当 SSH 数据包从你的服务器出站时,它们的源端口是 22,而不是目标端口 22。

于 2021-10-21T22:15:27.727 回答
0

OUTBOUND将您的链条更改为:

chain OUTBOUND {
    type filter hook output priority filter; policy drop;

    # Allow traffic from established and related packets, drop invalid
    ct state vmap { established : accept, related : accept, invalid : drop }
    
    # Allow loopback
    oif "lo" accept

    # Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
    ct state new udp dport { 53, 67, 123, 547 } accept
    ct state new tcp dport { 53, 80, 443, 587 } accept 

    log prefix "DROP_output: " limit rate 3/second     
}

  • 不接受related出站连接停止sshd响应。

  • 始终在每个默认拒绝链的末尾记录丢弃的数据包。通常,当某些东西不工作时,它是防火墙问题。

于 2021-10-29T03:27:24.863 回答