
Shorewall is breaking packets/sessions when connecting to the internet

Ask Ubuntu user
Asked on 2011-12-21 11:49:33
1 answer · 805 views · 0 followers · score 2

I am happy to forward any further data if needed, such as the firewall rules etc., if someone can look through my config and see whether there is anything obviously wrong.

Problem:

Everything was working fine and then suddenly the system stopped working... (no changes by the admin) (possibly the result of an automatic update?)

All sessions through the firewall to the internet stall.

Sessions to/from the firewall itself (e.g. proxy, ssh, mail etc.) all work fine.

Pings through the firewall work fine (because they are sessionless?)

Browsing via the proxy server works 100%, but browsing directly times out.

Environment:

Ubuntu 10.04 LTS Server

Kernel Linux 2.6.32-37-generic

Shorewall 4.4.6

iptables 1.4.4

pppoe v3.8

Webmin v1.570

Configuration

IPTABLES LIST

root@gateway2:~# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc2fw     all  --  anywhere             anywhere
eth1_in    all  --  anywhere             anywhere
ppp0_in    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `INPUT:REJECT:'
reject     all  --  anywhere             anywhere            [goto]

Chain FORWARD (policy DROP)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc_frwd   all  --  anywhere             anywhere
eth1_fwd   all  --  anywhere             anywhere
ppp0_fwd   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `FORWARD:REJECT:'
reject     all  --  anywhere             anywhere            [goto]

Chain OUTPUT (policy DROP)
target     prot opt source               destination
fw2loc     all  --  anywhere             anywhere
fw2net     all  --  anywhere             anywhere
fw2net     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `OUTPUT:REJECT:'
reject     all  --  anywhere             anywhere            [goto]

Chain Drop (2 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
reject     tcp  --  anywhere             anywhere            tcp dpt:auth /* Auth */
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed /* Needed ICMP types */
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded /* Needed ICMP types */
dropInvalid  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports loc-srv,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP       tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere            udp dpt:1900 /* UPnP */
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain /* Late DNS Replies */

Chain Reject (4 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
reject     tcp  --  anywhere             anywhere            tcp dpt:auth /* Auth */
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed /* Needed ICMP types */
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded /* Needed ICMP types */
dropInvalid  all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports loc-srv,microsoft-ds /* SMB */
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn /* SMB */
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject     tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere            udp dpt:1900 /* UPnP */
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain /* Late DNS Replies */

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             base-address.mcast.net/4

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (2 references)
target     prot opt source               destination

Chain eth1_fwd (1 references)
target     prot opt source               destination
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
net_frwd   all  --  anywhere             anywhere

Chain eth1_in (1 references)
target     prot opt source               destination
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
net2fw     all  --  anywhere             anywhere

Chain fw2loc (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `fw2loc:REJECT:'
reject     all  --  anywhere             anywhere            [goto]

Chain fw2net (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain loc2fw (1 references)
target     prot opt source               destination
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain loc2net (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain loc_frwd (1 references)
target     prot opt source               destination
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
loc2net    all  --  anywhere             anywhere
loc2net    all  --  anywhere             anywhere

Chain log0 (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level crit prefix `net2fw:ACCEPT:'
ACCEPT     all  --  anywhere             anywhere

Chain log1 (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            /* Permit incoming traffic on certain ports */ LOG level info prefix `net2fw:ACCEPT:'
ACCEPT     all  --  anywhere             anywhere            /* Permit incoming traffic on certain ports */

Chain logdrop (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain logflags (5 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info ip-options prefix `logflags:DROP:'
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain net2fw (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
log0       tcp  --  192.168.1.99         anywhere            [goto] tcp dpt:ssh
DROP       icmp --  anywhere             anywhere            icmp echo-request /* Ping */
log1       tcp  --  anywhere             anywhere            [goto] tcp dpt:ssh /* Permit incoming traffic on certain ports */
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp /* Allow mail on SMTP, submission and IMAP */
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssmtp /* Allow mail on SMTP, submission and IMAP */
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission /* Allow mail on SMTP, submission and IMAP */
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2 /* Allow mail on SMTP, submission and IMAP */
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps /* Allow mail on SMTP, submission and IMAP */
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `net2fw:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `net2loc:DROP:'
DROP       all  --  anywhere             anywhere

Chain net_frwd (2 references)
target     prot opt source               destination
net2loc    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain ppp0_fwd (1 references)
target     prot opt source               destination
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
net_frwd   all  --  anywhere             anywhere

Chain ppp0_in (1 references)
target     prot opt source               destination
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
tcpflags   tcp  --  anywhere             anywhere
net2fw     all  --  anywhere             anywhere

Chain reject (11 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere
DROP       igmp --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (6 references)
target     prot opt source               destination
RETURN     all  --  default              anywhere
LOG        all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST LOG level info prefix `smurfs:DROP:'
DROP       all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST
LOG        all  --  base-address.mcast.net/4  anywhere            LOG level info prefix `smurfs:DROP:'
DROP       all  --  base-address.mcast.net/4  anywhere

Chain tcpflags (6 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
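Added example, not part of the original question and not Shorewall's own code: a short Python walker over the `iptables --list` output above, with a hand-trimmed copy of the FORWARD path embedded as constructed sample data. It follows the kernel's chain traversal (jumps, [goto], RETURN, fall-through to the built-in policy) for one packet description and reports the path taken. Run against this dump, a new TCP packet reaches ACCEPT inside loc_frwd, which looks far too permissive until you remember that `iptables --list` without -v omits the -i/-o interface matches Shorewall places on its per-interface chains (loc_frwd, eth1_fwd, ppp0_fwd). Rules that use match extensions the walker does not model (ports, TCP flags, ADDRTYPE, addresses other than "anywhere") are treated as not matching and recorded in the trace, so the result is an upper bound on what the visible rules allow, not a verdict on the real firewall.

```python
"""Walk an `iptables --list` dump for one packet type, chain by chain.

Added example, not code from the original post or from Shorewall. SAMPLE is a
hand-trimmed copy of the FORWARD path posted above (constructed sample data).
Match extensions not modeled here (ports, tcp flags, ADDRTYPE, addresses other
than "anywhere") are treated as non-matching and recorded in the trace.
"""
import re

SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
loc_frwd   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `FORWARD:REJECT:'
reject     all  --  anywhere             anywhere            [goto]

Chain dynamic (2 references)
target     prot opt source               destination

Chain loc_frwd (1 references)
target     prot opt source               destination
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain smurfs (6 references)
target     prot opt source               destination
RETURN     all  --  default              anywhere
DROP       all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST

Chain tcpflags (6 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
"""

HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)")
RULE = re.compile(r"^(\S*)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
UNMODELED = ("dpt", "spt", "flags:", "ADDRTYPE", "multiport", "icmp ")  # matchers we skip

def parse_iptables_list(text):
    """Parse `iptables --list` output into {chain: {"policy", "refs", "rules"}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur, policy, refs = m.groups()
            chains[cur] = {"policy": policy, "refs": int(refs) if refs else None, "rules": []}
        elif cur and line.strip() and not line.startswith("target ") and (r := RULE.match(line)):
            target, prot, _opt, src, dst, extra = r.groups()
            st = re.search(r"\bstate (\S+)", extra)
            chains[cur]["rules"].append({
                "target": target, "prot": prot, "goto": "[goto]" in extra,
                "states": set(st.group(1).split(",")) if st else None,
                "unmodeled": any(k in extra for k in UNMODELED) or src != "anywhere" or dst != "anywhere"})
    return chains

def walk(chains, chain, pkt, trace):
    """Evaluate one chain for pkt={"proto", "state"}; return a verdict, or None on fall-through."""
    for rule in chains[chain]["rules"]:
        target = rule["target"]
        if rule["prot"] not in ("all", pkt["proto"]) or not target or target == "LOG":
            continue                              # wrong protocol, accounting-only, or LOG
        if rule["states"] is not None and pkt["state"] not in rule["states"]:
            continue
        if rule["unmodeled"]:
            trace.append(f"{chain}: skipped unmodeled match -> {target}")
            continue
        if target == "RETURN":
            return None                           # back to the calling chain
        if target in TERMINAL or target not in chains:
            trace.append(f"{chain}: {target}")    # verdict, or a chain absent from the dump
            return target
        trace.append(f"{chain} -> {target}")
        verdict = walk(chains, target, pkt, trace)
        if verdict is not None or rule["goto"]:   # [goto]: callee fall-through ends this chain too
            return verdict
    return None

def decide(chains, builtin, pkt):
    """Verdict for a built-in chain: first terminating rule, else the chain policy."""
    trace = []
    verdict = walk(chains, builtin, pkt, trace)
    if verdict is None:
        verdict = chains[builtin]["policy"]
        trace.append(f"{builtin}: fell through to policy {verdict}")
    return verdict, trace

def unreferenced_chains(chains):
    """User chains nothing jumps to: dead rules worth pruning or investigating."""
    return sorted(n for n, c in chains.items() if c["refs"] == 0)

if __name__ == "__main__":
    chains = parse_iptables_list(SAMPLE)
    print(decide(chains, "FORWARD", {"proto": "tcp", "state": "NEW"}))
    print("unreferenced:", unreferenced_chains(chains))
```

When collecting a ruleset for someone else to review, prefer `iptables -nvL` (or `shorewall dump`): both include the interface matches and per-rule packet counters, so a stalled connection can be tied to the rule that actually saw it rather than guessed from chain names.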

1 Answer

Ask Ubuntu user

Answered on 2012-04-03 22:07:52

If you noticed that this problem started after an update (it happens sometimes) or after an upgrade itself, then it is a regression and is considered a bug. Please report it.

Bug reports (How do I report a bug?).

Score 1
Original page content provided by Ask Ubuntu; translation provided by Tencent Cloud's Xiaowei IT translation engine.
Original link:

https://askubuntu.com/questions/89467