Sur Ubuntu 16.04, j’ai installé ufw et l’a configuré de sorte qu’il ait le statut suivant (Sudo ufw status verbose
):
Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
80,443/tcp (Nginx Full) ALLOW IN Anywhere
995/tcp (Dovecot Secure POP3) ALLOW IN Anywhere
993/tcp (Dovecot Secure IMAP) ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
25/tcp (Postfix) ALLOW IN Anywhere
465/tcp (Postfix SMTPS) ALLOW IN Anywhere
9522/tcp (hinext) ALLOW IN Anywhere
9522,9523/tcp (hinext) ALLOW IN Anywhere
9524/tcp (test) ALLOW IN Anywhere
9522/tcp (hinext (v6)) ALLOW IN Anywhere (v6)
9522,9523/tcp (hinext (v6)) ALLOW IN Anywhere (v6)
9524/tcp (test (v6)) ALLOW IN Anywhere (v6)
Comme on peut le constater, le port 8822 ne figure pas dans la liste et doit donc être bloqué par la stratégie par défaut (qui est deny
pour la chaîne incoming
.).
MAIS: Je peux ouvrir une connexion SSH sur le port 8822 du monde extérieur sur mon serveur SSH qui écoute sur les ports 22 et 8822.
Pourquoi le trafic à destination du port 8822 peut-il traverser le pare-feu d'ufw sans être abandonné?
Pour plus d'informations de diagnostic, iptables-save -c
dit ceci:
# Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
*raw
:PREROUTING ACCEPT [622500:111511726]
:OUTPUT ACCEPT [631989:135819596]
COMMIT
# Completed on Tue Apr 24 23:55:19 2018
# Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
*mangle
:PREROUTING ACCEPT [622500:111511726]
:INPUT ACCEPT [622500:111511726]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [631989:135819596]
:POSTROUTING ACCEPT [631989:135819596]
COMMIT
# Completed on Tue Apr 24 23:55:19 2018
# Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
*nat
:PREROUTING ACCEPT [46994:2923568]
:POSTROUTING ACCEPT [7607:511281]
:OUTPUT ACCEPT [7607:511281]
COMMIT
# Completed on Tue Apr 24 23:55:19 2018
# Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
*filter
:INPUT ACCEPT [63:5355]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
[622500:111511726] -A INPUT -j VZ_INPUT
[491972:96179570] -A INPUT -j ufw-before-logging-input
[491972:96179570] -A INPUT -j ufw-before-input
[21445:1425920] -A INPUT -j ufw-after-input
[17022:1199401] -A INPUT -j ufw-after-logging-input
[17022:1199401] -A INPUT -j ufw-reject-input
[17022:1199401] -A INPUT -j ufw-track-input
[0:0] -A FORWARD -j VZ_FORWARD
[0:0] -A FORWARD -j ufw-before-logging-forward
[0:0] -A FORWARD -j ufw-before-forward
[0:0] -A FORWARD -j ufw-after-forward
[0:0] -A FORWARD -j ufw-after-logging-forward
[0:0] -A FORWARD -j ufw-reject-forward
[0:0] -A FORWARD -j ufw-track-forward
[631989:135819596] -A OUTPUT -j VZ_OUTPUT
[478124:111192792] -A OUTPUT -j ufw-before-logging-output
[478124:111192792] -A OUTPUT -j ufw-before-output
[4466:322671] -A OUTPUT -j ufw-after-output
[4466:322671] -A OUTPUT -j ufw-after-logging-output
[4466:322671] -A OUTPUT -j ufw-reject-output
[4466:322671] -A OUTPUT -j ufw-track-output
[23:1823] -A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[5136:565736] -A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[4:172] -A VZ_INPUT -p tcp -m tcp --dport 25 -j ACCEPT
[4:172] -A VZ_INPUT -p tcp -m tcp --dport 110 -j ACCEPT
[6:304] -A VZ_INPUT -p tcp -m tcp --dport 53 -j ACCEPT
[2:115] -A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT
[410:19580] -A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
[39:3651] -A VZ_INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
[1:44] -A VZ_INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
[3:152] -A VZ_INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
[8:470] -A VZ_INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT
[0:0] -A VZ_INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p udp -j ACCEPT
[17:2105] -A VZ_OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
[4940:995587] -A VZ_OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
[4:214] -A VZ_OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
[4:192] -A VZ_OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
[6:240] -A VZ_OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
[0:0] -A VZ_OUTPUT -p udp -m udp --sport 53 -j ACCEPT
[3888:279384] -A VZ_OUTPUT -p tcp -j ACCEPT
[39:2831] -A VZ_OUTPUT -p udp -j ACCEPT
[0:0] -A VZ_OUTPUT -p tcp -m tcp --sport 8880 -j ACCEPT
[0:0] -A VZ_OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
[0:0] -A VZ_OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT
[0:0] -A VZ_OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p udp -j ACCEPT
[5:391] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
[16:700] -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
[1936:99244] -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
[0:0] -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] "
[63:5355] -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] "
[0:0] -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] "
[0:0] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-forward -j ufw-user-forward
[10789:9641505] -A ufw-before-input -i lo -j ACCEPT
[252164:53646696] -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3048:131944] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
[3048:131944] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
[21:952] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[22062:1348553] -A ufw-before-input -j ufw-not-local
[0:0] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
[0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
[22062:1348553] -A ufw-before-input -j ufw-user-input
[0:0] -A ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] "
[327:39433] -A ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] "
[10:3444] -A ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] "
[10789:9641505] -A ufw-before-output -o lo -j ACCEPT
[277561:60253281] -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[1888:133952] -A ufw-before-output -j ufw-user-output
[0:0] -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] "
[29:1244] -A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
[29:1244] -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] "
[22062:1348553] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
[0:0] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
[0:0] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
[0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
[0:0] -A ufw-not-local -j DROP
[0:0] -A ufw-skip-to-policy-forward -j DROP
[1957:100335] -A ufw-skip-to-policy-input -j DROP
[0:0] -A ufw-skip-to-policy-output -j ACCEPT
[1:60] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
[1746:126492] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
[526:29104] -A ufw-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "\'dapp_Nginx%20Full\'" -j ACCEPT
[76:3832] -A ufw-user-input -p tcp -m tcp --dport 995 -m comment --comment "\'dapp_Dovecot%20Secure%20POP3\'" -j ACCEPT
[8:372] -A ufw-user-input -p tcp -m tcp --dport 993 -m comment --comment "\'dapp_Dovecot%20Secure%20IMAP\'" -j ACCEPT
[9724:581800] -A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
[61:3500] -A ufw-user-input -p tcp -m tcp --dport 25 -m comment --comment "\'dapp_Postfix\'" -j ACCEPT
[10:456] -A ufw-user-input -p tcp -m tcp --dport 465 -m comment --comment "\'dapp_Postfix%20SMTPS\'" -j ACCEPT
[0:0] -A ufw-user-input -p tcp -m tcp --dport 9522 -m comment --comment "\'dapp_hinext\'" -j ACCEPT
[1:52] -A ufw-user-input -p tcp -m multiport --dports 9522,9523 -m comment --comment "\'dapp_hinext\'" -j ACCEPT
[5:256] -A ufw-user-input -p tcp -m tcp --dport 9524 -m comment --comment "\'dapp_test\'" -j ACCEPT
[0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
[0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Apr 24 23:55:19 2018
J'ai redémarré le pare-feu avec Sudo service ufw restart
. Après cela, le port 8822 a été bloqué par usw - comme il se doit.
De plus, le iptables-save
me raconte aussi l'histoire souhaitée: voir l'extrait suivant:
*filter
:INPUT DROP [6:320]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
Notez la stratégie par défaut "DROP", alors que dans mon post initial, j'avais remarqué une stratégie par défaut "ACCEPTER" que je ne comprenais pas.
Donc, redémarrer ufw a apparemment fait l'affaire.