
Why does my iptables configuration allow non-Tor traffic?

Unix & Linux user
Asked 2016-07-15 19:45:51
1 answer, 436 views, 0 followers, score 1

What on earth is going on here? I set up the following rules:

```text
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere             owner UID match debian-tor
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
```

And these on the nat table:

```text
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             owner UID match debian-tor
REDIRECT   udp  --  anywhere             anywhere             udp dpt:domain redir ports 53
RETURN     all  --  anywhere             127.0.0.0/9
REDIRECT   tcp  --  anywhere             anywhere             redir ports 9051
REDIRECT   udp  --  anywhere             anywhere             redir ports 9051

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```

As you can see, all outgoing traffic is blocked except Tor traffic and established traffic (?). And with Tor. So why do I still have active TCP connections, e.g. to Stack Exchange?

```text
ESTAB      0      0      192.168.1.107:53532                151.101.193.69:https
ESTAB      0      0      192.168.1.107:56648                151.101.1.69:https
ESTAB      0      0      192.168.1.107:59170                198.252.206.25:https
ESTAB      0      0      192.168.1.107:36078                151.101.12.133:https
ESTAB      0      0      192.168.1.107:45418                172.217.19.238:https
ESTAB      0      0      192.168.1.107:35364                172.217.21.106:https
ESTAB      0      0      192.168.1.107:56650                151.101.1.69:https
```

198.252.206.25

```text
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=198.252.206.25?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       198.252.206.0 - 198.252.206.255
CIDR:           198.252.206.0/24
NetName:        SE-NET01
NetHandle:      NET-198-252-206-0-1
Parent:         NET198 (NET-198-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS25791
Organization:   Stack Exchange, Inc. (SE-111)
RegDate:        2012-10-17
Updated:        2012-10-17
Comment:        http://stackexchange.com
Ref:            https://whois.arin.net/rest/net/NET-198-252-206-0-1


OrgName:        Stack Exchange, Inc.
OrgId:          SE-111
Address:        110 William St.
Address:        Floor 28
City:           New York
StateProv:      NY
PostalCode:     10038
Country:        US
RegDate:        2012-09-14
Updated:        2014-09-16
Ref:            https://whois.arin.net/rest/org/SE-111


OrgAbuseHandle: SYSAD101-ARIN
OrgAbuseName:   Sysadmin Team
OrgAbusePhone:  +1-212-232-8280
OrgAbuseEmail:  sysadmin-team@stackexchange.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/SYSAD101-ARIN

OrgTechHandle: SYSAD101-ARIN
OrgTechName:   Sysadmin Team
OrgTechPhone:  +1-212-232-8280
OrgTechEmail:  sysadmin-team@stackexchange.com
OrgTechRef:    https://whois.arin.net/rest/poc/SYSAD101-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
```

What is going on here? I'm getting the impression that iptables is badly broken, day after day.

1 Answer

Unix & Linux user
Posted 2016-07-18 09:25:45

Add a -j LOG rule at the end of OUTPUT so you can tell which packets are getting past the rest of the rules. Also, adding -v to iptables -L helps, since you get more detail, including the packet count for each rule.

For example:

```shell
iptables -A OUTPUT -j LOG --log-prefix "firewall:ACCEPT:" --log-level 6
```

Also, if privacy is the priority, here is what I would do. I don't trust anyone to write perfect rules for this purpose. Instead, I would build a separate machine that acts as the client and has no way of using any internet connection except through Tor. That way, even if your machine has malware that leaks your identity by sending packets over the clearnet, it simply cannot connect. If you do it your way, a failure goes out over the clearnet instead of being blocked, as you have already seen.

Score 0
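The following is an added helper, not part of the question or the answer above: it reads kernel log lines written by a LOG rule like the one in the answer and buckets each logged packet as loopback, owned by the Tor daemon, or "leak" (a locally generated packet that reached the end of OUTPUT without belonging to Tor). It assumes the LOG rule is placed just before the final REJECT (so it sees exactly the packets no ACCEPT rule matched), that the prefix is the answer's `firewall:ACCEPT:`, and that debian-tor has UID 109 (an assumed value; check with `id -u debian-tor`). The UID= and GID= fields are emitted by the LOG target only for locally originated packets, which is why this works on the OUTPUT chain. The log lines are constructed samples, not output from the asker's machine.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LOG_PREFIX = "firewall:ACCEPT:"   # prefix from the answer's LOG rule
TOR_UID = 109                     # ASSUMED uid of debian-tor; verify with `id -u debian-tor`
LOOPBACK = ip_network("127.0.0.0/8")

# KEY=VALUE pairs as written by the iptables LOG target; bare flags (DF, SYN) are skipped.
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

# Constructed sample lines in xt_LOG's format (not captured from the question's host).
# Last line carries a different prefix and must be ignored.
SAMPLE_LOG = """\
Jul 18 09:30:01 host kernel: firewall:ACCEPT:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=9050 WINDOW=43690 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jul 18 09:30:02 host kernel: firewall:ACCEPT:IN= OUT=eth0 SRC=192.168.1.107 DST=198.252.206.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=59170 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jul 18 09:30:02 host kernel: firewall:ACCEPT:IN= OUT=eth0 SRC=192.168.1.107 DST=198.252.206.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=59172 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jul 18 09:30:03 host kernel: firewall:ACCEPT:IN= OUT=eth0 SRC=192.168.1.107 DST=151.101.1.69 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=56648 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jul 18 09:30:04 host kernel: firewall:ACCEPT:IN= OUT=eth0 SRC=192.168.1.107 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=51000 DPT=53 LEN=36 UID=1000 GID=1000
Jul 18 09:30:05 host kernel: firewall:ACCEPT:IN= OUT=eth0 SRC=192.168.1.107 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=44444 DPT=9001 WINDOW=29200 RES=0x00 SYN URGP=0 UID=109 GID=115
Jul 18 09:30:06 host kernel: other:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.107 LEN=60 PROTO=TCP SPT=22 DPT=50000
"""


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the KEY=VALUE fields of one LOG line, or None if it lacks our prefix."""
    if prefix not in line:
        return None
    payload = line.split(prefix, 1)[1]
    fields = {}
    for key, value in KV_RE.findall(payload):
        # UDP lines carry LEN= twice (IP then UDP); keep the first occurrence.
        fields.setdefault(key, value)
    return fields


def classify(fields, tor_uid=TOR_UID):
    """Bucket one logged packet: 'loopback', 'tor' (owned by the Tor uid) or 'leak'."""
    if fields.get("OUT") == "lo" or ip_address(fields["DST"]) in LOOPBACK:
        return "loopback"
    if fields.get("UID") == str(tor_uid):
        return "tor"
    return "leak"


def summarize(log_text, tor_uid=TOR_UID):
    """Count packets per bucket and tally leaks by (uid, proto, dst, dport)."""
    buckets = Counter()
    leaks = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        kind = classify(fields, tor_uid)
        buckets[kind] += 1
        if kind == "leak":
            key = (fields.get("UID", "?"), fields.get("PROTO", "?"),
                   fields["DST"], fields.get("DPT", "-"))
            leaks[key] += 1
    return buckets, leaks


def report(log_text, tor_uid=TOR_UID):
    """Human-readable summary: bucket counts, then leaks by owning uid and destination."""
    buckets, leaks = summarize(log_text, tor_uid)
    lines = [f"{kind}: {count}" for kind, count in sorted(buckets.items())]
    for (uid, proto, dst, dpt), n in leaks.most_common():
        lines.append(f"  uid={uid} {proto} -> {dst}:{dpt}  x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: python3 thisfile.py < /var/log/kern.log, replacing SAMPLE_LOG with sys.stdin.read()
    print(report(SAMPLE_LOG))
```

Packets in the "leak" bucket are the ones the question is about: in the sample they are the browser (uid 1000) talking to the Stack Exchange range and plain DNS to the router, while the single uid 109 packet is the Tor daemon itself and is expected. Reading the owning UID straight from the log is what tells you which process to go after, which `ss` output alone does not.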
Original page content provided by Unix & Linux; translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link: https://unix.stackexchange.com/questions/296205
