Prevent iptables from blocking outgoing access

Apache on CentOS 6 allows remote client access. However, unless I disable iptables, the server does not allow outgoing access (e.g. `ping google.com`, ssh, etc.).

Why is iptables blocking outgoing access, and what should I do to prevent it?

[Michael@vps2 ~]$ ping google.com
^C
[Michael@vps2 ~]$ ping localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.019 ms
^C
--- localhost.localdomain ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 789ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms
[Michael@vps2 ~]$ sudo /etc/init.d/iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1443
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1337
8    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[Michael@vps2 ~]$ sudo iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  380 41335 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ies-lm
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ndmp
    2   168 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:menandmice-dns
   23  1208 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 352 packets, 55019 bytes)
 pkts bytes target     prot opt in     out     source               destination
[Michael@vps2 ~]$ sudo /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: mangle filter   [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[Michael@vps2 ~]$ ping google.com
PING google.com (172.217.4.110) 56(84) bytes of data.
64 bytes from ord36s04-in-f110.1e100.net (172.217.4.110): icmp_seq=1 ttl=55 time=1.08 ms
64 bytes from ord36s04-in-f110.1e100.net (172.217.4.110): icmp_seq=2 ttl=55 time=1.00 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1209ms
rtt min/avg/max/mdev = 1.002/1.045/1.088/0.043 ms
[Michael@vps2 ~]$

Answer 1

First, you need to allow RELATED and ESTABLISHED packets. Put this rule at the top of the rule list:

# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Also, ICMP is a different protocol from TCP and UDP, so it has to be allowed explicitly. I generally allow ICMP entirely, because blocking ICMP can cause problems such as fragmentation issues:

# iptables -I INPUT 2 -p icmp -j ACCEPT

One more point: instead of adding a "drop everything" rule at the end, you can change the chain's policy:

# iptables -P INPUT DROP
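As an added illustration (not code from the question or the answer), the small model below replays the INPUT chain listed in the question against the three cases from the terminal session: `ping localhost`, `ping google.com` and an outbound ssh connection. It shows why the replies are dropped when no ESTABLISHED,RELATED rule exists, and that the answer's two inserted rules fix this without opening unsolicited inbound ports. Connection tracking is simplified to "the original direction of this flow was seen leaving", and all addresses and ports are constructed (10.0.0.5 stands in for the server).

```python
# Added example: simplified model of the filter INPUT chain from the question.
# Conntrack here is just a set of flows seen leaving through OUTPUT (policy ACCEPT).
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # tcp ports; 0 for icmp
    dport: int = 0
    iface: str = "eth0"   # interface the packet arrives on (-i)

def flow(p):
    return (p.proto, p.src, p.dst, p.sport, p.dport)

def reverse(p):
    """The reply direction of a flow: addresses and ports swapped."""
    return replace(p, src=p.dst, dst=p.src, sport=p.dport, dport=p.sport)

# Each rule is a predicate over (packet, conntrack table); first match wins.
def dport(port):   return lambda p, ct: p.proto == "tcp" and p.dport == port
def iface(name):   return lambda p, ct: p.iface == name
def icmp(p, ct):   return p.proto == "icmp"          # -p icmp -j ACCEPT
def established(p, ct):                              # -m state --state ESTABLISHED,RELATED
    return flow(reverse(p)) in ct                    # original direction already seen

QUESTION_INPUT = [dport(22), dport(80), dport(443), dport(1443),
                  dport(10000), iface("lo"), dport(1337)]     # rules 1-7 in the listing
FIXED_INPUT = [established, icmp] + QUESTION_INPUT            # after the answer's two -I rules

def input_verdict(pkt, chain, ct=frozenset()):
    for rule in chain:
        if rule(pkt, ct):
            return "ACCEPT"
    return "DROP"   # rule 8 / policy DROP

def outbound_reply_verdict(request, chain):
    """OUTPUT is policy ACCEPT, so the request always leaves and is recorded;
    the verdict that decides whether ping/ssh works is INPUT's on the reply."""
    return input_verdict(reverse(request), chain, {flow(request)})

# Constructed sample traffic (10.0.0.5 = this server).
PING_LOCAL = Packet("icmp", "127.0.0.1", "127.0.0.1", iface="lo")
PING_GOOGLE = Packet("icmp", "10.0.0.5", "172.217.4.110")
SSH_OUT = Packet("tcp", "10.0.0.5", "203.0.113.7", sport=51234, dport=22)
UNSOLICITED = Packet("tcp", "198.51.100.9", "10.0.0.5", sport=40000, dport=3306)

if __name__ == "__main__":
    for name, chain in ("question", QUESTION_INPUT), ("fixed", FIXED_INPUT):
        replies = [outbound_reply_verdict(p, chain) for p in (PING_LOCAL, PING_GOOGLE, SSH_OUT)]
        print(name, "replies:", replies, "unsolicited 3306:", input_verdict(UNSOLICITED, chain))
```

The localhost ping passes in both cases only because of the `-i lo` rule; the echo reply from 172.217.4.110 and the SYN-ACK from port 22 match none of the `dpt:` rules (their destination port is the server's ephemeral port) and fall through to the final DROP.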