nftables doesn't allow ssh
My server has a ruleset that looks like this:
table inet firewall {
chain INBOUND {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state invalid drop
iif "lo" counter packets 0 bytes 0 accept
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
tcp dport 22 accept
log
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
}
chain OUTBOUND {
type filter hook output priority filter; policy drop;
oif "lo" counter packets 35 bytes 1946 accept
tcp dport 22 accept
}
}
I can't connect over ssh on port 22, even though it should be open. If I type:
$ nft flush ruleset
then port 22 accepts connections.
What am I doing wrong?
In my opinion, the rule in the "OUTBOUND" chain is the problem.
You have tcp dport 22 accept, but I think it should be tcp sport 22 accept, because when SSH packets leave your server, their source port is 22, not their destination port.
Change your OUTBOUND chain to:
chain OUTBOUND {
type filter hook output priority filter; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback
oif "lo" accept
# Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
ct state new udp dport { 53, 67, 123, 547 } accept
ct state new tcp dport { 53, 80, 443, 587 } accept
log prefix "DROP_output: " limit rate 3/second
}
Not accepting related outbound connections has stopped sshd from responding.
Always log dropped packets at the end of every default-deny chain. Usually, when something doesn't work, it's a firewall problem.
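To make the reasoning in the answer concrete, here is a small Python model of nftables first-match evaluation, added here as an illustration; it is not code from the question, the answer, or the nftables project. It encodes the two OUTBOUND chains from this page as rule functions and runs constructed packets through them: the interface names, client ports and conntrack states are assumptions chosen to mirror a real SSH session, and the trailing log rule is left out because it never decides a verdict.

```python
"""Toy model of nftables first-match chain evaluation (added example).

It only mimics the handful of matches used on this page; it is not nft.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Verdict = Optional[str]  # "accept", "drop", or None when a rule does not decide


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    oif: str        # outgoing interface name (assumed "eth0" / "lo")
    ct_state: str   # conntrack state: new / established / related / invalid


def evaluate(chain: list[Callable[[Packet], Verdict]], pkt: Packet,
             policy: str = "drop") -> str:
    """The first rule that returns a verdict wins; otherwise the chain policy applies."""
    for rule in chain:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return policy


# --- OUTBOUND chain from the question (policy drop) -------------------------
def oif_lo_accept(p: Packet) -> Verdict:
    return "accept" if p.oif == "lo" else None


def tcp_dport_22_accept(p: Packet) -> Verdict:
    # Matches packets *going to* port 22, not sshd's replies *coming from* port 22.
    return "accept" if p.proto == "tcp" and p.dport == 22 else None


ORIGINAL_OUTBOUND = [oif_lo_accept, tcp_dport_22_accept]


# --- OUTBOUND chain from the answer (policy drop) ---------------------------
def ct_state_vmap(p: Packet) -> Verdict:
    # ct state vmap { established : accept, related : accept, invalid : drop }
    return {"established": "accept", "related": "accept",
            "invalid": "drop"}.get(p.ct_state)


def new_udp_services(p: Packet) -> Verdict:
    # ct state new udp dport { 53, 67, 123, 547 } accept
    return ("accept" if p.ct_state == "new" and p.proto == "udp"
            and p.dport in {53, 67, 123, 547} else None)


def new_tcp_services(p: Packet) -> Verdict:
    # ct state new tcp dport { 53, 80, 443, 587 } accept
    return ("accept" if p.ct_state == "new" and p.proto == "tcp"
            and p.dport in {53, 80, 443, 587} else None)


FIXED_OUTBOUND = [ct_state_vmap, oif_lo_accept, new_udp_services, new_tcp_services]


# --- constructed sample packets (assumed values, not captured traffic) -------
# sshd answering an inbound client: source port 22, conntrack already saw the SYN,
# so the reply travels through the output hook with ct state established.
SSH_REPLY = Packet("tcp", 22, 51234, "eth0", "established")
DNS_QUERY = Packet("udp", 40000, 53, "eth0", "new")        # resolver lookup
SSH_FROM_SERVER = Packet("tcp", 40001, 22, "eth0", "new")  # admin ssh-ing outward
LOOPBACK = Packet("tcp", 5000, 5000, "lo", "new")


def compare(pkt: Packet) -> tuple[str, str]:
    """Verdict under the original chain and under the fixed chain, in that order."""
    return evaluate(ORIGINAL_OUTBOUND, pkt), evaluate(FIXED_OUTBOUND, pkt)


if __name__ == "__main__":
    samples = [("sshd reply", SSH_REPLY), ("DNS query", DNS_QUERY),
               ("ssh from server", SSH_FROM_SERVER), ("loopback", LOOPBACK)]
    for name, pkt in samples:
        before, after = compare(pkt)
        print(f"{name:16s} original={before:7s} fixed={after}")
```

Running it shows the failure mode from the question: sshd's reply (sport 22, ct state established) hits the original chain's drop policy because no rule matches it, while the fixed chain accepts it through the conntrack vmap. It also makes one property of the answer's chain visible: the "new" allow-lists contain no tcp dport 22, so SSH sessions initiated from the server itself are dropped and logged; add 22 to that set if the host needs to ssh out.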