Iptables

Why doesn't iptables reject ping?

  • November 8, 2019

I'm new to iptables. Although I have been trying hard to learn it over the past few days, this problem is giving me a headache!

First, the environment is VMware (CentOS7) running on a Fedora 30 host. Inside the VM there is a libvirt running OCP.

Local ethernet interface = ens33
libvirt bridge = virbr0
OCP bridge = crc


[danielyeap@localhost dnsmasq.d]$ ifconfig 
crc: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 192.168.130.1  netmask 255.255.255.0  broadcast 192.168.130.255
       ether 52:54:00:fd:be:d0  txqueuelen 1000  (Ethernet)

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
       inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
       ether 02:42:f4:2b:9f:8c  txqueuelen 0  (Ethernet)

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 192.168.0.125  netmask 255.255.255.0  broadcast 192.168.0.255
       inet6 fe80::a7ec:bc4d:3bae:8902  prefixlen 64  scopeid 0x20<link>
       ether 00:0c:29:2d:54:83  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
       inet 127.0.0.1  netmask 255.0.0.0
       inet6 ::1  prefixlen 128  scopeid 0x10<host>
       loop  txqueuelen 1000  (Local Loopback)

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
       inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
       ether 52:54:00:c0:c1:92  txqueuelen 1000  (Ethernet)

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet6 fe80::fcfd:fcff:fe07:2182  prefixlen 64  scopeid 0x20<link>
       ether fe:fd:fc:07:21:82  txqueuelen 1000  (Ethernet)



[root@localhost docker]# brctl show
bridge name     bridge id               STP enabled     interfaces
crc             8000.525400fdbed0       yes             crc-nic
                                                       vnet0
docker0         8000.0242f42b9f8c       no
virbr0          8000.525400c0c192       yes             virbr0-nic
[root@localhost docker]#

For learning purposes, I decided to add an ICMP reject as the first line of the "FORWARD" and "INPUT" chains:

[root@localhost ~]# iptables -I FORWARD 1 -p icmp --icmp-type echo-request -j REJECT
[root@localhost ~]# iptables -I INPUT 1 -p icmp --icmp-type echo-request -j REJECT
[root@localhost ~]# 


[FORWARD CHAIN]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     icmp --  any    any     anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable
2     240K   70M DOCKER-USER  all  --  any    any     anywhere             anywhere
3     240K   70M DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
4        0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
5        0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
6        0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
7        0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
8        0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
9        0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
10   0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
11   0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
12       0     0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
13    125K   56M ACCEPT     all  --  any    crc     anywhere             192.168.130.0/24     ctstate RELATED,ESTABLISHED
14    116K   14M ACCEPT     all  --  crc    any     192.168.130.0/24     anywhere
15       0     0 ACCEPT     all  --  crc    crc     anywhere             anywhere
16     180 14160 REJECT     all  --  any    crc     anywhere             anywhere             reject-with icmp-port-unreachable
17   0     0 REJECT     all  --  crc    any     anywhere             anywhere             reject-with icmp-port-unreachable
18   0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
19   0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
20   0     0 FORWARD_direct  all  --  any    any     anywhere             anywhere
21   0     0 FORWARD_IN_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
22   0     0 FORWARD_IN_ZONES  all  --  any    any     anywhere             anywhere
23   0     0 FORWARD_OUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
24   0     0 FORWARD_OUT_ZONES  all  --  any    any     anywhere             anywhere
25   0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
26   0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited


[INPUT CHAIN]
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     icmp --  any    any     anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable
2        0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:domain
3        0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:domain
4        0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:bootps
5        0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:bootps
6      330 18782 ACCEPT     udp  --  crc    any     anywhere             anywhere             udp dpt:domain
7        0     0 ACCEPT     tcp  --  crc    any     anywhere             anywhere             tcp dpt:domain
8       26  8430 ACCEPT     udp  --  crc    any     anywhere             anywhere             udp dpt:bootps
9        0     0 REJECT     icmp --  any    any     anywhere             anywhere             icmp echo-request reject-with icmp-port-unreachable
10       0     0 ACCEPT     tcp  --  crc    any     anywhere             anywhere             tcp dpt:bootps
11    737K  232M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
12    357K   26M ACCEPT     all  --  lo     any     anywhere             anywhere
13    1400  168K INPUT_direct  all  --  any    any     anywhere             anywhere
14    1400  168K INPUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere
15    1400  168K INPUT_ZONES  all  --  any    any     anywhere             anywhere
16   0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
17    1395  168K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

As far as I know, my pings to 192.168.130.0/24 should be completely blocked. For 192.168.130.1 (the crc interface), the packets should end up in the INPUT chain, because the kernel treats the traffic as its own. For 192.168.130.11 (the OCP router), the packets should be received by the FORWARD chain.

However, the result surprised me. While the INPUT chain correctly handled the traffic to 192.168.130.1, neither the INPUT nor the FORWARD chain seems to pick up the traffic to 192.168.130.11.

[root@localhost ~]# ping 192.168.130.11
PING 192.168.130.11 (192.168.130.11) 56(84) bytes of data.
64 bytes from 192.168.130.11: icmp_seq=1 ttl=64 time=0.218 ms
64 bytes from 192.168.130.11: icmp_seq=2 ttl=64 time=0.227 ms
64 bytes from 192.168.130.11: icmp_seq=3 ttl=64 time=0.183 ms
64 bytes from 192.168.130.11: icmp_seq=4 ttl=64 time=0.971 ms
64 bytes from 192.168.130.11: icmp_seq=5 ttl=64 time=0.180 ms
64 bytes from 192.168.130.11: icmp_seq=6 ttl=64 time=0.171 ms
64 bytes from 192.168.130.11: icmp_seq=7 ttl=64 time=0.238 ms
...

[root@localhost ~]# ping 192.168.130.1
PING 192.168.130.1 (192.168.130.1) 56(84) bytes of data.
From 192.168.130.1 icmp_seq=1 Destination Port Unreachable
From 192.168.130.1 icmp_seq=2 Destination Port Unreachable
From 192.168.130.1 icmp_seq=3 Destination Port Unreachable
From 192.168.130.1 icmp_seq=4 Destination Port Unreachable
From 192.168.130.1 icmp_seq=5 Destination Port Unreachable
From 192.168.130.1 icmp_seq=6 Destination Port Unreachable

Any idea why?

Thanks.

You blocked ICMP for INPUT (incoming traffic) and FORWARD (forwarded, i.e. routed, traffic), but not for OUTPUT (locally generated outgoing traffic). So your ICMP echo requests are not blocked from leaving the system. The answer (echo-reply) has no rule blocking it either: the ping works.

To block locally generated pings, you should also add the following rule:

iptables -I OUTPUT 1 -p icmp --icmp-type echo-request -j REJECT

To test the FORWARD rule, the ping must be done from another routed host.
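The chain traversal the answer describes, as an added model that is not code from the thread: it maps a packet to the filter-table chains it passes through on the asker's host (local addresses taken from the ifconfig output above; the OUTPUT policy, not shown in the question, is assumed ACCEPT) and applies the posted rules, showing why the ping to 192.168.130.11 is accepted, the ping to 192.168.130.1 is rejected in INPUT, and the OUTPUT rule from the answer changes the first result.

```python
# Added model (not code from the thread) of which filter-table chains a packet
# on the asker's host traverses and what the posted rules then do to it.
from dataclasses import dataclass

# Addresses the kernel treats as its own, taken from the ifconfig output above.
LOCAL_ADDRS = {"127.0.0.1", "172.17.0.1", "192.168.0.125",
               "192.168.122.1", "192.168.130.1"}
# Policies as listed in the question; OUTPUT (not shown) is assumed ACCEPT.
POLICY = {"INPUT": "ACCEPT", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

@dataclass
class Rule:
    chain: str
    target: str
    proto: str = "all"      # "all" matches every protocol
    icmp_type: str = ""     # "" means any ICMP type

def chains_for(src, dst):
    """Locally generated traffic sees OUTPUT (plus INPUT when addressed to the
    host itself); traffic for a local address sees INPUT; only traffic routed
    between other hosts sees FORWARD."""
    if src in LOCAL_ADDRS:
        return ["OUTPUT", "INPUT"] if dst in LOCAL_ADDRS else ["OUTPUT"]
    return ["INPUT"] if dst in LOCAL_ADDRS else ["FORWARD"]

def chain_verdict(rules, chain, pkt):
    """First matching rule in the chain wins, else the chain policy applies."""
    for r in rules:
        if r.chain != chain or r.proto not in ("all", pkt["proto"]):
            continue
        if r.icmp_type and r.icmp_type != pkt.get("icmp_type"):
            continue
        return r.target
    return POLICY[chain]

def ping_verdict(rules, src, dst):
    """Fate of an ICMP echo-request from src to dst, e.g. 'REJECT in INPUT'."""
    pkt = {"proto": "icmp", "icmp_type": "echo-request"}
    for chain in chains_for(src, dst):
        verdict = chain_verdict(rules, chain, pkt)
        if verdict != "ACCEPT":
            return f"{verdict} in {chain}"
    return "ACCEPT"

# The two rules the asker inserted at position 1 ...
ASKER_RULES = [Rule("FORWARD", "REJECT", "icmp", "echo-request"),
               Rule("INPUT", "REJECT", "icmp", "echo-request")]
# ... and the same set with the OUTPUT rule from the answer in front.
WITH_OUTPUT_RULE = [Rule("OUTPUT", "REJECT", "icmp", "echo-request")] + ASKER_RULES
```

A ping from the host to the VM (source 192.168.130.1, destination 192.168.130.11) only traverses OUTPUT, so the FORWARD rule never sees it; an echo-request arriving from the VM for some third host is the case that FORWARD would reject.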

Quoted from: https://unix.stackexchange.com/questions/551029