2 votes

UFW does not block although the policy is DROP

On Ubuntu 16.04, I installed ufw and configured it so that it has the following status (sudo ufw status verbose):

Status: active
Logging: on (full)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
995/tcp (Dovecot Secure POP3) ALLOW IN    Anywhere
993/tcp (Dovecot Secure IMAP) ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    Anywhere
25/tcp (Postfix)           ALLOW IN    Anywhere
465/tcp (Postfix SMTPS)    ALLOW IN    Anywhere
9522/tcp (hinext)          ALLOW IN    Anywhere
9522,9523/tcp (hinext)     ALLOW IN    Anywhere
9524/tcp (test)            ALLOW IN    Anywhere
9522/tcp (hinext (v6))     ALLOW IN    Anywhere (v6)
9522,9523/tcp (hinext (v6)) ALLOW IN    Anywhere (v6)
9524/tcp (test (v6))       ALLOW IN    Anywhere (v6)

As you can see, port 8822 is NOT in the list and should therefore be blocked by the default policy (which is deny for the incoming chain).

BUT: I can open an SSH connection to port 8822 from the outside world to my SSH server, which listens on ports 22 and 8822.

Why does traffic to port 8822 pass through the ufw firewall without being dropped?

For more diagnostic information, iptables-save -c says this:

# Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
*raw
:PREROUTING ACCEPT [622500:111511726]
:OUTPUT ACCEPT [631989:135819596]
COMMIT
# Completed on Tue Apr 24 23:55:19 2018
# Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
*mangle
:PREROUTING ACCEPT [622500:111511726]
:INPUT ACCEPT [622500:111511726]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [631989:135819596]
:POSTROUTING ACCEPT [631989:135819596]
COMMIT
# Completed on Tue Apr 24 23:55:19 2018
# Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
*nat
:PREROUTING ACCEPT [46994:2923568]
:POSTROUTING ACCEPT [7607:511281]
:OUTPUT ACCEPT [7607:511281]
COMMIT
# Completed on Tue Apr 24 23:55:19 2018
# Generated by iptables-save v1.6.0 on Tue Apr 24 23:55:19 2018
*filter
:INPUT ACCEPT [63:5355]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
[622500:111511726] -A INPUT -j VZ_INPUT
[491972:96179570] -A INPUT -j ufw-before-logging-input
[491972:96179570] -A INPUT -j ufw-before-input
[21445:1425920] -A INPUT -j ufw-after-input
[17022:1199401] -A INPUT -j ufw-after-logging-input
[17022:1199401] -A INPUT -j ufw-reject-input
[17022:1199401] -A INPUT -j ufw-track-input
[0:0] -A FORWARD -j VZ_FORWARD
[0:0] -A FORWARD -j ufw-before-logging-forward
[0:0] -A FORWARD -j ufw-before-forward
[0:0] -A FORWARD -j ufw-after-forward
[0:0] -A FORWARD -j ufw-after-logging-forward
[0:0] -A FORWARD -j ufw-reject-forward
[0:0] -A FORWARD -j ufw-track-forward
[631989:135819596] -A OUTPUT -j VZ_OUTPUT
[478124:111192792] -A OUTPUT -j ufw-before-logging-output
[478124:111192792] -A OUTPUT -j ufw-before-output
[4466:322671] -A OUTPUT -j ufw-after-output
[4466:322671] -A OUTPUT -j ufw-after-logging-output
[4466:322671] -A OUTPUT -j ufw-reject-output
[4466:322671] -A OUTPUT -j ufw-track-output
[23:1823] -A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[5136:565736] -A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[4:172] -A VZ_INPUT -p tcp -m tcp --dport 25 -j ACCEPT
[4:172] -A VZ_INPUT -p tcp -m tcp --dport 110 -j ACCEPT
[6:304] -A VZ_INPUT -p tcp -m tcp --dport 53 -j ACCEPT
[2:115] -A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT
[410:19580] -A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
[39:3651] -A VZ_INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
[1:44] -A VZ_INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
[3:152] -A VZ_INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
[8:470] -A VZ_INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT
[0:0] -A VZ_INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p udp -j ACCEPT
[17:2105] -A VZ_OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
[4940:995587] -A VZ_OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
[4:214] -A VZ_OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
[4:192] -A VZ_OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
[6:240] -A VZ_OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
[0:0] -A VZ_OUTPUT -p udp -m udp --sport 53 -j ACCEPT
[3888:279384] -A VZ_OUTPUT -p tcp -j ACCEPT
[39:2831] -A VZ_OUTPUT -p udp -j ACCEPT
[0:0] -A VZ_OUTPUT -p tcp -m tcp --sport 8880 -j ACCEPT
[0:0] -A VZ_OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
[0:0] -A VZ_OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT
[0:0] -A VZ_OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p udp -j ACCEPT
[5:391] -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
[16:700] -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
[1936:99244] -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
[0:0] -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
[0:0] -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] "
[63:5355] -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] "
[0:0] -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] "
[0:0] -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-forward -j ufw-user-forward
[10789:9641505] -A ufw-before-input -i lo -j ACCEPT
[252164:53646696] -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3048:131944] -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
[3048:131944] -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
[21:952] -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[22062:1348553] -A ufw-before-input -j ufw-not-local
[0:0] -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
[0:0] -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
[22062:1348553] -A ufw-before-input -j ufw-user-input
[0:0] -A ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] "
[327:39433] -A ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] "
[10:3444] -A ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] "
[10789:9641505] -A ufw-before-output -o lo -j ACCEPT
[277561:60253281] -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[1888:133952] -A ufw-before-output -j ufw-user-output
[0:0] -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] "
[29:1244] -A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
[29:1244] -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] "
[22062:1348553] -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
[0:0] -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
[0:0] -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
[0:0] -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
[0:0] -A ufw-not-local -j DROP
[0:0] -A ufw-skip-to-policy-forward -j DROP
[1957:100335] -A ufw-skip-to-policy-input -j DROP
[0:0] -A ufw-skip-to-policy-output -j ACCEPT
[1:60] -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
[1746:126492] -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
[526:29104] -A ufw-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "\'dapp_Nginx%20Full\'" -j ACCEPT
[76:3832] -A ufw-user-input -p tcp -m tcp --dport 995 -m comment --comment "\'dapp_Dovecot%20Secure%20POP3\'" -j ACCEPT
[8:372] -A ufw-user-input -p tcp -m tcp --dport 993 -m comment --comment "\'dapp_Dovecot%20Secure%20IMAP\'" -j ACCEPT
[9724:581800] -A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
[61:3500] -A ufw-user-input -p tcp -m tcp --dport 25 -m comment --comment "\'dapp_Postfix\'" -j ACCEPT
[10:456] -A ufw-user-input -p tcp -m tcp --dport 465 -m comment --comment "\'dapp_Postfix%20SMTPS\'" -j ACCEPT
[0:0] -A ufw-user-input -p tcp -m tcp --dport 9522 -m comment --comment "\'dapp_hinext\'" -j ACCEPT
[1:52] -A ufw-user-input -p tcp -m multiport --dports 9522,9523 -m comment --comment "\'dapp_hinext\'" -j ACCEPT
[5:256] -A ufw-user-input -p tcp -m tcp --dport 9524 -m comment --comment "\'dapp_test\'" -j ACCEPT
[0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
[0:0] -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Apr 24 23:55:19 2018

0 votes

andimeier Points 111

I restarted the firewall with sudo service ufw restart. After that, port 8822 was blocked by ufw - as it should be.

Also, iptables-save now tells me the desired story too; see this excerpt:

*filter
:INPUT DROP [6:320]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

Note the "DROP" default policy, whereas in my first post I saw an "ACCEPT" default policy that I did not understand.

So restarting ufw apparently did the trick.
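The difference between the two dumps is the built-in INPUT chain policy (ACCEPT in the question, DROP after the restart): packets that match no ufw-* rule, like the ones to port 8822, fall through to that policy. The following POSIX shell check is an added example, not part of the thread, that extracts that policy from an iptables-save dump and flags the drift; the embedded dumps are constructed excerpts modelled on the two above.

```shell
#!/bin/sh
# Added example (not from the original post): detect the state seen in the
# question, where `ufw status` reports "Default: deny (incoming)" but the
# kernel's filter table still carries ":INPUT ACCEPT". Anything that falls
# off the end of the ufw-* chains is then accepted by that built-in policy.

# Print the policy of a built-in chain in the *filter table of an
# iptables-save style dump read from stdin. Example input line:
#   :INPUT ACCEPT [63:5355]
filter_chain_policy() {
    chain="$1"
    awk -v chain="$chain" '
        /^\*/ { table = substr($0, 2) }                  # table header, e.g. *filter
        table == "filter" && $1 == (":" chain) { print $2; exit }
    '
}

# Return 0 when the INPUT policy is what ufw "deny (incoming)" implies (DROP),
# 1 otherwise (the drifted state shown in the question).
check_input_policy_matches_ufw() {
    policy=$(filter_chain_policy INPUT)
    [ "$policy" = "DROP" ]
}

# Constructed excerpts modelled on the two dumps in the thread.
BROKEN_DUMP='*raw
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [63:5355]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

FIXED_DUMP='*filter
:INPUT DROP [6:320]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Live use on a host (needs root):
#   sudo iptables-save -c | filter_chain_policy INPUT
#   sudo iptables-save -c | check_input_policy_matches_ufw \
#       || echo "INPUT policy is not DROP: ufw rules were overridden, restart ufw"
```

Run the live check from cron or a monitoring agent so that a later reset of the chain policy by another tool is noticed before it is found the way it was here.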

EnMiMaquinaFunciona.com
