Linux
IPTables blocks all outgoing traffic to http even though I allow it
I am using the following code to allow DNS requests and outgoing traffic to ports 443, 22 and 80. But for some reason, all traffic to ports 443 and 80 is blocked.
# Allowing DNS lookups (tcp, udp port 53) to server '8.8.8.8'
/sbin/iptables -A OUTPUT -p udp -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 8.8.8.8 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allowing DNS lookups (tcp, udp port 53) to server '127.0.0.53'
/sbin/iptables -A OUTPUT -p udp -d 127.0.0.53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 127.0.0.53 --sport 53 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 127.0.0.53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 127.0.0.53 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# allow all and everything on localhost
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Allowing new and established incoming connections to port 22, 80, 443
/sbin/iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow all outgoing connections to port 22
/sbin/iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing icmp connections (pings,...)
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections to port 123 (ntp syncs)
/sbin/iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
# Log and drop everything else (the prefix contains spaces, so it must be quoted)
/sbin/iptables -A INPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix "IP INPUT drop: "
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix "IP OUTPUT drop: "
/sbin/iptables -A OUTPUT -j DROP
# Set default policy to 'DROP'
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
I can see the following in the system log:
Sep 28 08:17:06 ip-172-31-57-142 kernel: [ 486.605568] IP OUTPUT drop: IN= OUT=eth0 SRC=172.31.57.142 DST=172.217.7.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30718 DF PROTO=TCP SPT=37026 DPT=443 WINDOW=62727 RES=0x00 SYN URGP=0
Sep 28 08:17:07 ip-172-31-57-142 kernel: [ 487.617296] IP OUTPUT drop: IN= OUT=eth0 SRC=172.31.57.142 DST=172.217.7.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30719 DF PROTO=TCP SPT=37026 DPT=443 WINDOW=62727 RES=0x00 SYN URGP=0
I am not sure what I am doing wrong.
Let's look at one part of it: you want to allow outgoing ssh connections on port tcp/22.
# Allowing new and established incoming connections to port 22, 80, 443
/sbin/iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow all outgoing connections to port 22
/sbin/iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
The first pair of rules does not do what the comment says. The second pair should work, but is too generous. All four rules are almost right, but in the end not right enough. Instead, keep it simple:
# Allow outgoing connections to port tcp/22
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
# Allow return traffic for established connections
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
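The script below is an added example, not code from the question or the answer. It carries the answer's "keep it simple" approach through to the whole outbound allow-list the question wants (tcp/22, tcp/80, tcp/443 and DNS): return traffic is matched once by ESTABLISHED,RELATED rather than by per-port --sport rules, and new connections get one explicit --dport rule each. It also includes a small awk summary of the "IP OUTPUT drop:" kernel log lines, so after loading rules you can confirm which destination ports are still being dropped instead of guessing. It assumes the legacy iptables CLI with the state match used on this page, a resolver address passed in by the caller (8.8.8.8 is only a default), and an empty chain (flush first if rules are already loaded, since -A only appends). The IPT variable, the function names and the extra sample log lines are all made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes legacy iptables with
# the 'state' match, a caller-supplied resolver, and an empty rule chain.

IPT="${IPT:-/sbin/iptables}"   # set IPT=echo to print the rules instead of applying them

# Explicit outbound allow-list for tcp/22, tcp/80, tcp/443 and DNS to one
# resolver. Reply traffic is handled by a single ESTABLISHED,RELATED rule per
# direction, which is the simplification the answer recommends.
apply_outbound_rules() {
    resolver="${1:-8.8.8.8}"   # assumed resolver; use the one from /etc/resolv.conf

    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # one rule per direction covers all reply packets of accepted connections
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # new outbound connections: DNS to the resolver, then ssh/http/https anywhere
    $IPT -A OUTPUT -p udp -d "$resolver" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$resolver" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT

    # new inbound connections to the services this host serves
    $IPT -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT

    # log whatever falls through, then drop by policy (prefix is quoted: it has spaces)
    $IPT -A INPUT  -j LOG -m limit --limit 12/min --log-level 4 --log-prefix "IP INPUT drop: "
    $IPT -A OUTPUT -j LOG -m limit --limit 12/min --log-level 4 --log-prefix "IP OUTPUT drop: "
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# Count "IP OUTPUT drop:" kernel log lines read from stdin by protocol and
# destination port, printing one "PROTO DPT count" line each. Feed it the
# syslog after loading rules to see which outbound ports are still blocked.
summarize_drops() {
    grep 'IP OUTPUT drop:' | awk '{
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "" && dpt != "") count[proto " " dpt]++
    } END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample: the two lines from the question plus two made-up drops
# (one to tcp/80, one UDP DNS query to a private resolver) to show the grouping.
SAMPLE_LOG='Sep 28 08:17:06 ip-172-31-57-142 kernel: [  486.605568] IP OUTPUT drop: IN= OUT=eth0 SRC=172.31.57.142 DST=172.217.7.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30718 DF PROTO=TCP SPT=37026 DPT=443 WINDOW=62727 RES=0x00 SYN URGP=0
Sep 28 08:17:07 ip-172-31-57-142 kernel: [  487.617296] IP OUTPUT drop: IN= OUT=eth0 SRC=172.31.57.142 DST=172.217.7.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30719 DF PROTO=TCP SPT=37026 DPT=443 WINDOW=62727 RES=0x00 SYN URGP=0
Sep 28 08:17:09 ip-172-31-57-142 kernel: [  489.001122] IP OUTPUT drop: IN= OUT=eth0 SRC=172.31.57.142 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30720 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=62727 RES=0x00 SYN URGP=0
Sep 28 08:17:10 ip-172-31-57-142 kernel: [  490.221133] IP OUTPUT drop: IN= OUT=eth0 SRC=172.31.57.142 DST=10.0.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=30721 DF PROTO=UDP SPT=51234 DPT=53 LEN=36'

# Stand-alone use: summarise the sample log; pass "apply" (and optionally a
# resolver address) to load the rules, which needs root. Run with IPT=echo first
# to review what would be applied.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
if [ "${1:-}" = apply ]; then
    apply_outbound_rules "${2:-8.8.8.8}"
fi
```

Two things worth noting. The question's original script had the same `-P OUTPUT DROP` policy but no OUTPUT rule matching `--dport 80` or `--dport 443`; its `--sports 22,80,443` OUTPUT rule only matches replies from local services, so a new SYN to a remote port 443 has nothing to match and lands in the LOG/DROP at the end, exactly as the posted syslog shows. Running the syslog through `summarize_drops` after every rule change turns that into a quick check rather than a guess.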