Нечто непонятное для меня.
Если ребутнуть сервер, то после загрузке имеем вот такой iptables
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* 'dapp_OpenSSH' */
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT udp -- 10.100.0.0/24 I2TPVPN udp dpt:domain
ACCEPT tcp -- 10.100.0.0/24 I2TPVPN tcp dpt:domain
ACCEPT tcp -- 10.100.0.0/24 I2TPVPN tcp dpt:http
ACCEPT udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm /* 'dapp_Samba' */
ACCEPT tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds /* 'dapp_Samba' */
ACCEPT tcp -- 10.100.0.0/16 anywhere tcp dpt:ftp
ACCEPT udp -- 10.100.0.0/16 anywhere udp dpt:fsp
ACCEPT tcp -- 10.100.0.0/16 anywhere tcp dpt:ftp-data
ACCEPT udp -- 10.100.0.0/16 anywhere udp dpt:20
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
Но если дать команду
sudo ufw reload
то имеем iptables уже такой:
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- 10.100.0.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.100.0.0/24 policy match dir out pol ipsec proto esp
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* 'dapp_OpenSSH' */
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT udp -- 10.100.0.0/24 I2TPVPN udp dpt:domain
ACCEPT tcp -- 10.100.0.0/24 I2TPVPN tcp dpt:domain
ACCEPT tcp -- 10.100.0.0/24 I2TPVPN tcp dpt:http
ACCEPT udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm /* 'dapp_Samba' */
ACCEPT tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds /* 'dapp_Samba' */
ACCEPT tcp -- 10.100.0.0/16 anywhere tcp dpt:ftp
ACCEPT udp -- 10.100.0.0/16 anywhere udp dpt:fsp
ACCEPT tcp -- 10.100.0.0/16 anywhere tcp dpt:ftp-data
ACCEPT udp -- 10.100.0.0/16 anywhere udp dpt:20
ACCEPT udp -- anywhere anywhere multiport dports isakmp,ipsec-nat-t
ACCEPT tcp -- anywhere anywhere tcp dpt:8000
ACCEPT udp -- anywhere anywhere udp dpt:8000
ACCEPT tcp -- anywhere anywhere tcp dpt:853
ACCEPT udp -- anywhere anywhere udp dpt:853
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
(правила F2B и начало убрал, но они одинаковые, чтобы не грузить текст).
Разницу выделил жирным.
Вот разница:
diff iptbl3 iptbl4
158a159,160
> ACCEPT all -- 10.100.0.0/24 anywhere policy match dir in pol ipsec proto esp
> ACCEPT all -- anywhere 10.100.0.0/24 policy match dir out pol ipsec proto esp
261,262d262
< ACCEPT tcp -- anywhere anywhere tcp dpt:domain
< ACCEPT udp -- anywhere anywhere udp dpt:domain
275a276,280
> ACCEPT udp -- anywhere anywhere multiport dports isakmp,ipsec-nat-t
> ACCEPT tcp -- anywhere anywhere tcp dpt:8000
> ACCEPT udp -- anywhere anywhere udp dpt:8000
> ACCEPT tcp -- anywhere anywhere tcp dpt:853
> ACCEPT udp -- anywhere anywhere udp dpt:853
При этом если дать
sudo ufw status numbered
то в правилах никакой разницы не вижу.
Ну, или иными словами, проще
alex@I2TPVPN:~$ sudo iptables --list | grep 853
alex@I2TPVPN:~$ sudo ufw reload
Firewall reloaded
alex@I2TPVPN:~$ sudo iptables --list | grep 853
ACCEPT tcp -- anywhere anywhere tcp dpt:853
ACCEPT udp -- anywhere anywhere udp dpt:853
Отчего так?
Почему это нужно: потому что после перезагрузки не работает DNS сервер, и приходится вручную перезагружать UFW.