Allow only a specific program to use the internet, with iptables



I implemented one of the methods described in https://askubuntu.com/a/997525/672396, after which my program should have worked, but it didn't. The message returned by the terminal is

ping: google.com: Temporary failure in name resolution

You can see everything I did:

$ sudo iptables -I OUTPUT 1 -m owner --gid-owner has-internet
u@h ~
$ sudo iptables -I OUTPUT 2 -j DROP
u@h ~
$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
all  --  anywhere             anywhere             owner GID match has-internet
DROP       all  --  anywhere             anywhere            
u@h ~
$ ls -l myping
-rwxr-xr-x 1 u has-internet 8 May 29 14:36 myping
u@h ~
$ cat myping 
ping $1
u@h ~
$ ./myping google.com
ping: google.com: Temporary failure in name resolution
u@h ~
$ sudo iptables -D OUTPUT 2
u@h ~
$ ./myping google.com
PING google.com (142.250.179.142) 56(84) bytes of data.
64 bytes from ams17s10-in-f14.1e100.net (142.250.179.142): icmp_seq=1 ttl=115 time=31.3 ms
64 bytes from ams17s10-in-f14.1e100.net (142.250.179.142): icmp_seq=2 ttl=115 time=24.3 ms
64 bytes from ams17s10-in-f14.1e100.net (142.250.179.142): icmp_seq=3 ttl=115 time=29.4 ms

The myping program is as follows:

ping $1

How can I fix this? Thank you

EDIT

I corrected it, but it still doesn't work:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
u@h ~
$ sudo iptables -I OUTPUT 1 -m owner --gid-owner has-internet -j ACCEPT
u@h ~
$ sudo iptables -P OUTPUT DROP
u@h ~
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             owner GID match has-internet
u@h ~
$ ./myping google.com
ping: google.com: Temporary failure in name resolution
u@h ~
EDIT2

I added a permission

sudo chmod g+s myping

and made has-internet the owner's primary group. It still doesn't work:

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT DROP
-A OUTPUT -m owner --gid-owner 1001 -j ACCEPT
u@h ~
$ ls -l myping 
-rwxr-sr-x 1 has-internet has-internet 13 May 30 09:43 myping
u@h ~
$ ./myping google.com
ping: google.com: Temporary failure in name resolution
u@h ~

I'll give it a try:

The first line should be:

sudo iptables -I OUTPUT 1 -m owner --gid-owner has-internet -j ACCEPT

not

sudo iptables -I OUTPUT 1 -m owner --gid-owner has-internet

Additionally: instead of adding a DROP rule, you can change the default policy to DROP:

iptables -P OUTPUT DROP

not

sudo iptables -I OUTPUT 2 -j DROP

Also, add the setgid bit on myping so that it executes as the group owner rather than as the user:

sudo chmod g+s myping

Latest update
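The following is an added example (editor's code, not from the question or the answer) that turns the three steps above into a wrapper plus a check. Two points it makes visible: `--gid-owner` compares the effective group of the process that owns the socket (what `id -gn` prints inside that process), and Linux ignores the setgid bit on interpreted scripts, so `chmod g+s myping` leaves that value unchanged; the wrapper therefore switches group explicitly with `sg` or `sudo -g`. The `audit_output_chain` function reads an `iptables -S OUTPUT` listing and flags the two mistakes visible in the question: an owner match with no `-j ACCEPT` target, and a catch-all DROP that comes before the ACCEPT rule. Assumed names: the group has-internet from the post, the numeric gid 1001 as `iptables -S` printed it in EDIT2, and the presence of sg(1) and sudo(8).

```shell
#!/bin/sh
# Added example (editor's code, not from the question or the answer).
# Assumptions: the group is "has-internet" as in the post; sg(1) and
# sudo(8) are available; the program to run is passed as arguments.

NET_GROUP="${NET_GROUP:-has-internet}"

# xt_owner's --gid-owner compares the effective GID of the process that
# owns the socket, i.e. what `id -gn` prints for that process.  Linux
# ignores the setgid bit on interpreted scripts, so `chmod g+s` on a
# shell wrapper does not change this value.
effective_group_is() {
    [ "$(id -gn)" = "$1" ]
}

# Is the caller a member of group $1 (primary or supplementary)?
member_of_group() {
    id -Gn | tr ' ' '\n' | grep -qx -- "$1"
}

# Run the command "$@" with $1 as effective group.  sg(1) switches the
# primary group for one command when the caller is already a member;
# otherwise fall back to sudo -g.
run_as_group() {
    grp=$1; shift
    if effective_group_is "$grp"; then
        exec "$@"
    elif member_of_group "$grp"; then
        exec sg "$grp" -c "$*"      # "$*" re-joins the arguments as one string
    else
        exec sudo -g "$grp" -- "$@"
    fi
}

# Audit an `iptables -S OUTPUT` listing read from stdin.  $1 is the group
# as iptables prints it (numeric GID, e.g. 1001).  Returns 0 only when the
# chain lets that group out and drops everything else; otherwise prints
# the problem on stderr and returns 1.
audit_output_chain() {
    grp=$1
    listing=$(cat)
    # Mistake from the first attempt: a match with no -j target matches
    # and does nothing, so the packet falls through to the DROP.
    if printf '%s\n' "$listing" | grep -E -- "--gid-owner $grp( |\$)" \
            | grep -qv -- '-j ACCEPT'; then
        echo "owner rule for gid $grp has no '-j ACCEPT' target" >&2
        return 1
    fi
    accept_ln=$(printf '%s\n' "$listing" \
        | grep -n -- "^-A OUTPUT -m owner --gid-owner $grp -j ACCEPT\$" \
        | cut -d: -f1 | head -n1)
    if [ -z "$accept_ln" ]; then
        echo "no ACCEPT rule for gid $grp in OUTPUT" >&2
        return 1
    fi
    # Everything else must be dropped: either the chain policy is DROP or
    # a catch-all DROP rule comes *after* the ACCEPT rule.
    if printf '%s\n' "$listing" | grep -qx -- '-P OUTPUT DROP'; then
        return 0
    fi
    drop_ln=$(printf '%s\n' "$listing" | grep -n -- '^-A OUTPUT -j DROP$' \
        | cut -d: -f1 | head -n1)
    if [ -z "$drop_ln" ]; then
        echo "OUTPUT has neither policy DROP nor a final DROP rule" >&2
        return 1
    fi
    if [ "$drop_ln" -lt "$accept_ln" ]; then
        echo "catch-all DROP rule comes before the ACCEPT rule" >&2
        return 1
    fi
    return 0
}

# Usage: ./netgroup.sh ping -c 3 google.com
# Check the rules first with: sudo iptables -S OUTPUT | audit_output_chain 1001
if [ $# -gt 0 ]; then
    run_as_group "$NET_GROUP" "$@"
fi
```

One more thing to check on a host where this still fails with "Temporary failure in name resolution" after the rules are right: if the system uses a local stub resolver (for example systemd-resolved listening on 127.0.0.53), the upstream DNS query is sent by that daemon's own user, not by ping, and a DROP policy on OUTPUT blocks it as well; allowing that daemon's uid or gid, or resolving without the stub, is then needed in addition to the has-internet rule.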