Я установил iptables и настроил его под свои нужды. Проблема в том, что apt-get больше не работает. Вот мои Iptables ( iptables -L -n
):
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
ACCEPT tcp -- 192.168.178.0/24 0.0.0.0/0 multiport dports 20,21,22
ACCEPT tcp -- 192.168.178.0/24 0.0.0.0/0 multiport dports 53,137,138,139,445
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53,80,443 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.178.0/24 multiport sports 20,21,22,53,137,138,139,445
И, например, sudo apt-get install git
застревает здесь:
admin@nibbler:~$ sudo apt-get install git
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
git-man liberror-perl
Suggested packages:
git-daemon-run | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-arch git-cvs git-mediawiki git-svn
The following NEW packages will be installed:
git git-man liberror-perl
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 3.760 kB of archives.
After this operation, 25,6 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Ign:1 http://de.archive.ubuntu.com/ubuntu xenial/main i386 liberror-perl all 0.17-1.2
0% [Connecting to de.archive.ubuntu.com]
Я прочитал здесь несколько тем, но не нашел решение. Может ли кто-нибудь помочь мне здесь? Я не вижу своей ошибки.
Я изменил цепочку OUTPUT на
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53,80,443 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.178.0/24 multiport sports 20,21,22,53,137,138,139,445
Я добавил запись в цепочки OUTPUT, INPUT и FORWARD, и это дает мне следующее:
Apr 11 10:40:01 nibbler kernel: [ 1052.948383] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=64463 DF PROTO=UDP SPT=54652 DPT=53 LEN=50
Apr 11 10:40:01 nibbler kernel: [ 1052.948407] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=64464 DF PROTO=UDP SPT=54652 DPT=53 LEN=50
Apr 11 10:40:06 nibbler kernel: [ 1057.953476] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=106 DF PROTO=UDP SPT=54652 DPT=53 LEN=50
Apr 11 10:40:06 nibbler kernel: [ 1057.953499] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=107 DF PROTO=UDP SPT=54652 DPT=53 LEN=50
Apr 11 10:40:08 nibbler kernel: [ 1060.196071] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=255.255.255.255 LEN=261 TOS=0x00 PREC=0x00 TTL=64 ID=9332 PROTO=UDP SPT=17500 DPT=17500 LEN=241
Apr 11 10:40:08 nibbler kernel: [ 1060.196655] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=192.168.178.255 LEN=261 TOS=0x00 PREC=0x00 TTL=64 ID=16345 PROTO=UDP SPT=17500 DPT=17500 LEN=241
Apr 11 10:40:08 nibbler kernel: [ 1060.239479] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14994 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Apr 11 10:40:08 nibbler kernel: [ 1060.240904] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14995 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Apr 11 10:40:09 nibbler kernel: [ 1061.243128] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14996 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Apr 11 10:40:11 nibbler kernel: [ 1062.958890] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=930 DF PROTO=UDP SPT=39987 DPT=53 LEN=40
Apr 11 10:40:11 nibbler kernel: [ 1062.958913] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=931 DF PROTO=UDP SPT=39987 DPT=53 LEN=40
Apr 11 10:40:11 nibbler kernel: [ 1063.242960] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:ac:bc:32:c2:61:c1:08:00 SRC=192.168.178.22 DST=224.0.0.251 LEN=68 TOS=0x00 PREC=0x00 TTL=1 ID=14997 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Apr 11 10:40:12 nibbler kernel: [ 1063.947249] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:b7:0b:8f:08:00 SRC=192.168.178.20 DST=192.168.178.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=57187 PROTO=UDP SPT=57621 DPT=57621 LEN=52
Apr 11 10:40:13 nibbler kernel: [ 1065.017788] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:40:f3:82:01:fe:08:00 SRC=192.168.178.26 DST=255.255.255.255 LEN=403 TOS=0x00 PREC=0x00 TTL=64 ID=747 PROTO=UDP SPT=17500 DPT=17500 LEN=383
Apr 11 10:40:13 nibbler kernel: [ 1065.017886] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:40:f3:82:01:fe:08:00 SRC=192.168.178.26 DST=192.168.178.255 LEN=403 TOS=0x00 PREC=0x00 TTL=64 ID=39400 PROTO=UDP SPT=17500 DPT=17500 LEN=383
Apr 11 10:40:15 nibbler kernel: [ 1067.431341] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1189 DF PROTO=UDP SPT=44968 DPT=53 LEN=58
Apr 11 10:40:16 nibbler kernel: [ 1067.963986] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1221 DF PROTO=UDP SPT=39987 DPT=53 LEN=40
Apr 11 10:40:16 nibbler kernel: [ 1067.964022] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1222 DF PROTO=UDP SPT=39987 DPT=53 LEN=40
Apr 11 10:40:17 nibbler kernel: [ 1068.610989] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:c2:83:61:08:00 SRC=192.168.178.25 DST=255.255.255.255 LEN=215 TOS=0x00 PREC=0x00 TTL=64 ID=49624 PROTO=UDP SPT=17500 DPT=17500 LEN=195
Apr 11 10:40:17 nibbler kernel: [ 1068.611063] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:bc:32:c2:83:61:08:00 SRC=192.168.178.25 DST=192.168.178.255 LEN=215 TOS=0x00 PREC=0x00 TTL=64 ID=35073 PROTO=UDP SPT=17500 DPT=17500 LEN=195
Apr 11 10:40:20 nibbler kernel: [ 1072.436408] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1890 DF PROTO=UDP SPT=44968 DPT=53 LEN=58
Apr 11 10:40:21 nibbler kernel: [ 1072.969138] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1949 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:21 nibbler kernel: [ 1072.969160] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1950 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:26 nibbler kernel: [ 1077.441470] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2666 DF PROTO=UDP SPT=44968 DPT=53 LEN=58
Apr 11 10:40:26 nibbler kernel: [ 1077.974220] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2722 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:26 nibbler kernel: [ 1077.974242] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2723 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
не уверен, что мне следует прочитать из этого. .
В ваших журналах указано, что вы блокируете трафик DNS.
Apr 11 10:40:21 nibbler kernel: [ 1072.969160] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=1950 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:26 nibbler kernel: [ 1077.441470] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2666 DF PROTO=UDP SPT=44968 DPT=53 LEN=58
Apr 11 10:40:26 nibbler kernel: [ 1077.974220] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2722 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Apr 11 10:40:26 nibbler kernel: [ 1077.974242] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2723 DF PROTO=UDP SPT=52381 DPT=53 LEN=50
Может быть, у вас есть dnsmasq или несвязанный рекурсивный преобразователь, на который вы направляете свои DNS-запросы ?
Либо разрешите трафик на ваших интерфейсах обратной связи
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
, либо в цепочке INPUT разрешите трафик DNS между SRC = 127.0.0.1
и DST = 127.0.1.1
Я бы посоветовал использовать таблицу RAW в iptables. Это должно дать вам (для любого совпадающего пакета) информацию для каждого правила, через которое проходит этот пакет.
Убедитесь, что модуль ip_conntrack загружен в ядро, чтобы включить соответствие ESTABLISHED.
apt-get
требует dns
и http
- оба присутствуют в вашей цепочке OUTPUT. Я думаю, вам нужно добавить ESTABLISHED
к типу состояния подключения, потому что теперь у вас есть только NEW
.