Blocking every IP address with iptables doesn't work

Time: 2019-10-01 21:30:55

Tags: apache2 iptables ufw

I wrote a small script to permanently block IP addresses.

#!/bin/bash
# Append (-A) a DROP rule for one IPv4 address to the end of the INPUT chain,
# then save the whole rule set so it survives a reboot.
ip=${1:?No IP address given. Exit.}
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    iptables -A INPUT -s "$ip" -j DROP
    iptables-save > /etc/iptables/rules.v4
    ip6tables-save > /etc/iptables/rules.v6
else
    echo "IP address is wrong."
fi

I can see the blocked IP address in /etc/iptables/rules.v4. But the IP can still reach my website.

The website is hosted on apache2 as a service (not in a container like docker).

iptables -L -nvx

Chain INPUT (policy DROP 21899 packets, 1395887 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    7832   616486 f2b-sshd   tcp  --  *      *       xxx/0            xxx/0            multiport dports 22
  630319 164084564 ufw-before-logging-input  all  --  *      *       xxx/0            xxx/0
  630319 164084564 ufw-before-input  all  --  *      *       xxx/0            xxx/0
   33255  1982017 ufw-after-input  all  --  *      *       xxx/0            xxx/0
   21899  1395887 ufw-after-logging-input  all  --  *      *       xxx/0            xxx/0
   21899  1395887 ufw-reject-input  all  --  *      *       xxx/0            xxx/0
   21899  1395887 ufw-track-input  all  --  *      *       xxx/0            xxx/0
       0        0 DROP       all  --  *      *       xxx      xxx/0    
       0        0 DROP       all  --  *      *       xxx      xxx/0    
       0        0 DROP       all  --  *      *       xxx      xxx/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ufw-before-logging-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-before-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-after-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-after-logging-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-reject-forward  all  --  *      *       xxx/0            xxx/0
       0        0 ufw-track-forward  all  --  *      *       xxx/0            xxx/0

Chain OUTPUT (policy ACCEPT 4306 packets, 258439 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  687419 822425050 ufw-before-logging-output  all  --  *      *       xxx/0            xxx/0
  687419 822425050 ufw-before-output  all  --  *      *       xxx/0            xxx/0
   10217   812202 ufw-after-output  all  --  *      *       xxx/0            xxx/0
   10217   812202 ufw-after-logging-output  all  --  *      *       xxx/0            xxx/0
   10217   812202 ufw-reject-output  all  --  *      *       xxx/0            xxx/0
   10217   812202 ufw-track-output  all  --  *      *       xxx/0            xxx/0

Chain ufw-before-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   11311  4558603 ACCEPT     all  --  lo     *       xxx/0            xxx/0    
  553834 155622301 ACCEPT     all  --  *      *       xxx/0            xxx/0            ctstate RELATED,ESTABLISHED
    6758   435582 ufw-logging-deny  all  --  *      *       xxx/0            xxx/0            ctstate INVALID
    6758   435582 DROP       all  --  *      *       xxx/0            xxx/0            ctstate INVALID
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 12
     700    43597 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 8
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp spt:67 dpt:68
   57716  3424481 ufw-not-local  all  --  *      *       xxx/0            xxx/0
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx          udp dpt:5353
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx      udp dpt:1900
   57716  3424481 ufw-user-input  all  --  *      *       xxx/0            xxx/0

Chain ufw-before-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   11311  4558603 ACCEPT     all  --  *      lo      xxx/0            xxx/0    
  665891 817054245 ACCEPT     all  --  *      *       xxx/0            xxx/0            ctstate RELATED,ESTABLISHED
   10217   812202 ufw-user-output  all  --  *      *       xxx/0            xxx/0

Chain ufw-before-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       xxx/0            xxx/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       xxx/0            xxx/0            icmptype 8
       0        0 ufw-user-forward  all  --  *      *       xxx/0            xxx/0

Chain ufw-after-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      16     1249 ufw-skip-to-policy-input  udp  --  *      *       xxx/0            xxx/0            udp dpt:137
       0        0 ufw-skip-to-policy-input  udp  --  *      *       xxx/0            xxx/0            udp dpt:138
     112     4744 ufw-skip-to-policy-input  tcp  --  *      *       xxx/0            xxx/0            tcp dpt:139
   11223   579324 ufw-skip-to-policy-input  tcp  --  *      *       xxx/0            xxx/0            tcp dpt:445
       0        0 ufw-skip-to-policy-input  udp  --  *      *       xxx/0            xxx/0            udp dpt:67
       0        0 ufw-skip-to-policy-input  udp  --  *      *       xxx/0            xxx/0            udp dpt:68
       5      813 ufw-skip-to-policy-input  all  --  *      *       xxx/0            xxx/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   14614   844988 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-reject-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    3145   372522 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            ctstate NEW
    2766   181241 ACCEPT     udp  --  *      *       xxx/0            xxx/0            ctstate NEW

Chain ufw-track-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-logging-deny (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    3634   301938 RETURN     all  --  *      *       xxx/0            xxx/0            ctstate INVALID limit: avg 3/min burst 10
     436    20712 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
    pkts      bytes target     prot opt in     out     source               destination
   11356   586130 DROP       all  --  *      *       xxx/0            xxx/0    

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       xxx/0            xxx/0    

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       xxx/0            xxx/0    

Chain ufw-not-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   57711  3423668 RETURN     all  --  *      *       xxx/0            xxx/0            ADDRTYPE match dst-type LOCAL
       0        0 RETURN     all  --  *      *       xxx/0            xxx/0            ADDRTYPE match dst-type MULTICAST
       5      813 RETURN     all  --  *      *       xxx/0            xxx/0            ADDRTYPE match dst-type BROADCAST
       0        0 ufw-logging-deny  all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 10
       0        0 DROP       all  --  *      *       xxx/0            xxx/0    

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    5043   297568 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:22
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:22
    1391    77976 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:80
       1       44 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:80
   11880   654869 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:443
       6     7065 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:443
      51     2268 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:25
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:25
      85     4248 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:465
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:465
      94     4728 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:21
       0        0 ACCEPT     udp  --  *      *       xxx/0            xxx/0            udp dpt:21
       0        0 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            tcp dpt:21
       6      240 ACCEPT     tcp  --  *      *       xxx/0            xxx/0            multiport dports 49152:65534
     988   151807 ACCEPT     udp  --  *      *       xxx/0            xxx/0            multiport dports 49152:65534

Chain ufw-user-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-user-limit (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       xxx/0            xxx/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
       0        0 REJECT     all  --  *      *       xxx/0            xxx/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       xxx/0            xxx/0    

Chain f2b-sshd (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      15      924 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      25     1592 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      19     1444 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      23     1780 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      14      908 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      14      884 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      19     1408 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      21     1628 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      14      884 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1580 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
       3      180 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      26     1956 REJECT     all  --  *      *       xxx          xxx/0            reject-with icmp-port-unreachable
      14      884 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      29     2192 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1580 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      28     2084 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      20     1512 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      19     1420 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      15      924 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      28     2092 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      28     2028 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      28     2040 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      28     2040 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
      17     1064 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1604 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      14      884 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      26     1928 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      26     1868 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1268 REJECT     all  --  *      *       xxx        xxx/0            reject-with icmp-port-unreachable
      14      856 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      20     1580 REJECT     all  --  *      *       xxx      xxx/0            reject-with icmp-port-unreachable
      12      648 REJECT     all  --  *      *       xxx       xxx/0            reject-with icmp-port-unreachable
      12      648 REJECT     all  --  *      *       xxx         xxx/0            reject-with icmp-port-unreachable
    6992   557746 RETURN     all  --  *      *       xxx/0            xxx/0  

sudo iptables -t nat -L -nvx

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

/etc/iptables/rules.v4 contains the blocked IP address (marked "HERE IS MY BLOCKED IP"):

cat /etc/iptables/rules.v4

*filter
:INPUT DROP [21956:1398629]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4314:258919]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -s xxx.xxx.xxx/32 -j DROP
-A INPUT -s HERE IS MY BLOCKED IP/32 -j DROP
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d xxx.xxx.xxx/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d xxx.xxx.xxx/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-skip-to-policy-forward -j DROP
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9200 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9200 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 5601 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 5601 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9300 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9300 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 12201 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 25 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 465 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 465 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 587 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 587 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 143 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 993 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 110 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 995 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 995 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 115 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 49152 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 49152 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 65534 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 65534 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 49152:65534 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 49152:65534 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A f2b-sshd -s xxx.xxx.xxx/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

But if I run this command sudo iptables -L -v | grep '116.xx.xx.105', there is no result.

EDIT

I am using a firewall called ufw. So I tried to block the IP with sudo ufw deny from xxx.xxx.xxx to any. It also doesn't work.

I added -A ufw-before-input -s xxx.xxx.xxx.xxx -j DROP to the file /etc/ufw/before.rules. Then I reloaded the rules with sudo ufw reload. No errors, but I can still access the page.

sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     xxx.xxx.xxx.xxx
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

What's wrong?

1 answer:

Answer 0: (score: 0)

I solved this by using ufw directly instead of iptables.

I first reset iptables and then set up ufw again.

Then I set the defaults:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Then I added my standard rules, for example:

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

Then I blocked the specific IP address: sudo ufw insert 1 deny from {IP_ADDRESS}

This does not work: sudo ufw deny from {IP_ADDRESS}, because the first rule, the one allowing http, accepts all incoming requests. That is why I used insert 1 to put the deny command at the top. Otherwise the deny command would be the last command, after incoming HTTP requests have already been accepted. The problem is the order of allow and deny.

Then activate ufw: sudo ufw enable

I can check the result with sudo ufw status verbose.

Thanks for your comments!
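Added example, not code from the question or the answer: a small Python simulator of iptables first-match chain traversal, run over a constructed ruleset trimmed from the INPUT chain dumped in the question. It reproduces both halves of the thread. The question's script appended its DROP with -A, so the rule sits after the jump into ufw-before-input, whose ufw-user-input chain already ACCEPTs tcp/80; that is why the DROP lines in the iptables -L -nvx output show 0 pkts. The answer's ufw insert 1 deny from IP puts the rule at the top of ufw-user-input, ahead of the port-80 ACCEPT, so new connections are dropped. The simulator also shows the case neither placement covers: a connection that is already ESTABLISHED is accepted by the conntrack rule in ufw-before-input before ufw-user-input is reached, so only a DROP placed before that rule (iptables -I INPUT 1) cuts it off. Assumptions: 203.0.113.45 is a placeholder I chose for the redacted xxx, eth0 is an assumed interface name, and the chain and rule names are the ones in the question's dump; the traversal rules (first match wins, a jump enters a user chain, falling off the end of a user chain returns to the caller, falling off the end of INPUT applies its policy) are standard iptables semantics.

```python
"""Added example, not code from the question or the answer: a first-match
simulator for iptables chain traversal, run over a constructed ruleset trimmed
from the INPUT chain dumped in the question.  Semantics modelled: rules are
tried in order and the first match decides; -j <user chain> enters that chain;
falling off the end of a user chain returns to the caller; falling off the end
of INPUT applies the chain policy (DROP in the question)."""

import re

BAD = "203.0.113.45"   # assumption: placeholder for the question's redacted xxx

# Constructed ruleset in iptables-save syntax: the question's INPUT layout with
# only the rules that decide the traffic discussed (the ufw chain names are real).
SAMPLE = """
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-after-input -p tcp -m tcp --dport 445 -j DROP
"""
POLICY = {"INPUT": "DROP"}

RULE_RE = re.compile(r"^-(A|I) (\S+)(?: (\d+))?(.*?) -j (\S+)$")
OPT_RE = re.compile(r"(?<!\S)(-s|-i|-p|--dport|--ctstate) (\S+)")


def parse(text):
    """iptables-save lines -> {chain: [rule, ...]} in traversal order.
    -A appends; -I [n] inserts at 1-based position n (default 1), as iptables does."""
    chains = {}
    for raw in text.strip().splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        how, chain, pos, opts, target = m.groups()
        rule = {"text": raw.strip(), "target": target}
        for key, val in OPT_RE.findall(opts):
            if key == "-s":
                rule["src"] = val.split("/")[0]      # /32 only in this model
            elif key == "-i":
                rule["in"] = val
            elif key == "-p":
                rule["proto"] = val
            elif key == "--dport":
                rule["dport"] = int(val)
            elif key == "--ctstate":
                rule["ctstate"] = set(val.split(","))
        lst = chains.setdefault(chain, [])
        if how == "A":
            lst.append(rule)
        else:
            lst.insert(int(pos or 1) - 1, rule)
    return chains


def matches(rule, pkt):
    """Every match the rule carries must agree with the packet."""
    return (rule.get("src", pkt["src"]) == pkt["src"]
            and rule.get("in", pkt["in"]) == pkt["in"]
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("dport", pkt["dport"]) == pkt["dport"]
            and pkt["ctstate"] in rule.get("ctstate", {pkt["ctstate"]}))


def walk(chains, chain, pkt, hits):
    """Traverse one chain; returns (verdict, deciding rule) or None on fall-off."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        hits[rule["text"]] = hits.get(rule["text"], 0) + 1   # the pkts column
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], rule["text"]
        if rule["target"] == "RETURN":
            return None
        result = walk(chains, rule["target"], pkt, hits)    # jump into user chain
        if result is not None:
            return result
    return None


def verdict(chains, pkt):
    """Fate of one packet entering INPUT, and the rule (or policy) that decided it."""
    return walk(chains, "INPUT", pkt, {}) or (POLICY["INPUT"], "policy " + POLICY["INPUT"])


def hit_counts(chains, packets):
    """Per-rule match counters after a batch of packets, like `iptables -L -nvx`."""
    hits = {}
    for pkt in packets:
        walk(chains, "INPUT", pkt, hits)
    return hits


def packet(src=BAD, dport=80, ctstate="NEW"):
    """Constructed inbound TCP packet on eth0 (assumed interface name)."""
    return {"src": src, "in": "eth0", "proto": "tcp", "dport": dport, "ctstate": ctstate}


# The three placements discussed in the thread.
APPENDED = parse(SAMPLE + f"-A INPUT -s {BAD}/32 -j DROP\n")                # the question's script
INSERTED = parse(SAMPLE + f"-I INPUT 1 -s {BAD}/32 -j DROP\n")              # iptables -I INPUT 1 ...
UFW_INSERT = parse(SAMPLE + f"-I ufw-user-input 1 -s {BAD}/32 -j DROP\n")   # ufw insert 1 deny from ...

if __name__ == "__main__":
    for name, chains in (("-A INPUT (appended)", APPENDED),
                         ("-I INPUT 1", INSERTED),
                         ("ufw insert 1 deny", UFW_INSERT)):
        for state in ("NEW", "ESTABLISHED"):
            fate, rule = verdict(chains, packet(ctstate=state))
            print(f"{name:20} {state:11} -> {fate:6} by {rule}")
    print("appended DROP counter:",
          hit_counts(APPENDED, [packet(), packet(dport=443)]).get(f"-A INPUT -s {BAD}/32 -j DROP", 0))
```

Running the block prints the verdict and the deciding rule for each placement and connection state. Two checks on a real host follow from it: list the chain with sudo iptables -L INPUT -nv --line-numbers to see the rule order together with the pkts counter of the DROP (a counter that stays at 0 means the rule is never reached), and keep -n when grepping, because iptables -L -v without -n resolves addresses to hostnames, so a grep for the numeric IP can come back empty even when the rule is present. After inserting a DROP for an address that already has open connections, flush its conntrack entries with sudo conntrack -D -s <ip> so the RELATED,ESTABLISHED rule stops matching the existing flow.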