防火墙配置是基本的服务器防护措施
1、创建一个基本的防火墙规则文件（开放部分端口：80-http、443-https、20/21-ftp、22-ssh，以及 ping 等）
cat /etc/iptables.basic.rule
- *filter
- # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
- -A INPUT -i lo -j ACCEPT
- -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
- # Accepts all established inbound connections
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Allows all outbound traffic
- # You could modify this to only allow certain traffic
- -A OUTPUT -j ACCEPT
- # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
- -A INPUT -p tcp --dport 80 -j ACCEPT
- -A INPUT -p tcp --dport 443 -j ACCEPT
- # FTP control (21) and data (20) ports, open to any source (-s 0/0) as long as the
- # client's source port is unprivileged (1024-65535).
- # NOTE(review): in active mode the *server* opens the data connection outbound from
- # port 20, which the OUTPUT ACCEPT above already permits; in passive mode the server's
- # passive port range must be opened instead, or the FTP conntrack helper loaded so the
- # data connection matches the RELATED rule above. Confirm which mode the FTP server
- # uses before keeping the inbound dport 20 rule.
- -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
- -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
- # Allows SSH connections
- # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
- -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
- # Now you should read up on iptables rules and consider whether ssh access
- # for everyone is really desired. Most likely you will only allow access from certain IPs.
- # (To do that, add "-s <admin-network>/<prefix>" to the rule above, with the placeholder
- # replaced by the management network this host is administered from.)
- # Allow ping
- # Only ICMP echo-request (type 8); replies to our own pings are covered by ESTABLISHED,RELATED.
- -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
- # log iptables denied calls (access via 'dmesg' command)
- # Rate-limited to 5 entries/min (default burst 5) so a flood cannot fill the kernel log.
- # Level 7 is "debug"; the syslog daemon may discard debug-level messages unless told to keep them.
- -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
- # Reject all other inbound - default deny unless explicitly allowed policy:
- # NOTE(review): this file declares no chain policy lines (":INPUT DROP [0:0]" etc.), so the
- # built-in policy is left at whatever it already was -- ACCEPT on a fresh host, as the
- # "Chain INPUT (policy ACCEPT)" header in the iptables -L output below shows. The "default
- # deny" therefore rests entirely on this last REJECT rule: if it is deleted or the chain is
- # flushed, INPUT falls open. Adding ":INPUT DROP [0:0]" under *filter makes the policy
- # itself deny, as the second example does.
- -A INPUT -j REJECT
- -A FORWARD -j REJECT
- COMMIT
或者使用如下示例（iptables-save 导出格式）：
- # Generated by iptables-save v1.4.14 on Wed Nov 11 17:22:03 2015
- *filter
- # Built-in policies. INPUT defaults to DROP, so anything not matched by a rule below is
- # dropped even if the explicit REJECT rule at the end were ever removed.
- :INPUT DROP [0:0]
- # NOTE(review): FORWARD has policy ACCEPT and no rules in this table. That is harmless
- # while the host does not route (net.ipv4.ip_forward=0) but forwards everything if
- # forwarding is ever enabled; set it to DROP unless this machine is meant to be a router.
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- # User-defined chain, used below to rate-limit TCP connection attempts (SYN packets).
- :syn-flood - [0:0]
- -A INPUT -i lo -j ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- # New connections to ssh (22), http (80) and ftp control (21), from any source.
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
- # rsync (873) restricted to a single trusted source address -- the pattern to copy for
- # any management service (ssh included) that does not need to be reachable from 0/0.
- -A INPUT -s 221.226.186.102 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
- # NOTE(review): 10050 and the whole 20000-30000 range are open to any source and neither
- # is explained. 20000-30000 looks like an FTP passive-port range (given 21 above) -- confirm
- # it matches the FTP server's configured range and that nothing else listens inside it;
- # document what listens on 10050 before leaving it world-reachable.
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 20000:30000 -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
- # ICMP of *every* type accepted up to 100/sec (burst 100), unlike the echo-request-only
- # rule in the first example. The second rule only sees packets that already exceeded the
- # first limit and then admits 1/sec more, so it is almost certainly a leftover; one rule suffices.
- -A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
- -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
- # NOTE(review): ordering problem -- this SYN rate limit is evaluated *after* the
- # "--state NEW" ACCEPT rules above, which have already accepted every new connection to
- # the open ports. Only SYNs to ports that the following REJECT refuses anyway reach the
- # syn-flood chain, and those that RETURN from it land on that REJECT too, so the chain is
- # effectively a no-op here. To actually throttle connection attempts, place this rule
- # before the per-port ACCEPT rules.
- -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
- -A INPUT -j REJECT --reject-with icmp-host-prohibited
- # syn-flood: let through (RETURN to INPUT) up to 3 SYN/sec with a burst of 6; reject the rest.
- -A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
- -A syn-flood -j REJECT --reject-with icmp-port-unreachable
- COMMIT
- # Completed on Wed Nov 11 17:22:03 2015
2、使配置文件生效
root@Debain:~# iptables-restore < /etc/iptables.basic.rule
3、查看当前生效的规则
root@Debain:~# iptables -L
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere
- REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere tcp dpt:www
- ACCEPT tcp -- anywhere anywhere tcp dpt:https
- ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp-data state NEW,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
- ACCEPT icmp -- anywhere anywhere icmp echo-request
- LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere