iptables restart returns: Bad argument 'restart'


I have an Ubuntu LTS system that has been running for several years. Yesterday a power outage knocked my computer out. After power was restored I booted the system and everything seemed fine except iptables. Whenever I reboot this system, ufw always starts, even though I have configured it not to. I prefer iptables for this because I understand it, so I disabled ufw, then reconfigured and restarted iptables with the following steps:

sudo ufw disable

sudo ip_tables_reset.sh
sudo ip_tables_config.sh

sudo iptables restart

and verified with

sudo iptables -S

which returns:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Now

sudo iptables restart

returns

Bad argument 'restart'

But I have used this faithfully for years. As far as I know, I have not installed any updates recently.

What changed so that this reliable method now fails?

Reference: iptables v1.4.12

Answer 1

You mentioned this command

sudo iptables restart  #  wrong usage, it's not a service

The set of scripts below is how you back up, enable, or disable the firewall ... first verify that you have the package installed

dpkg -l | grep iptables

One way to view the current iptables settings

sudo iptables -L -n

The canonical way to show the current iptables rules (display only, no changes)

sudo iptables-save

Looking at your rules, you are not blocking incoming traffic (your shields are down), whereas the rules below do block all incoming traffic except on the specified ports

*filter
:INPUT DROP [331:17104]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9727:1360720]
:GitHubWebHooks - [0:0]
-A INPUT -p tcp -m tcp --dport 9000 -j GitHubWebHooks
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A GitHubWebHooks -s 192.30.252.0/22 -j ACCEPT
-A GitHubWebHooks -j DROP
COMMIT

Notice I opened up a specific IP range 192.30.252.0/22 so I can run a server that listens for incoming traffic, so everything mentioning GitHubWebHooks is optional ... if you save the above into a file and then load that file as your rules, you are good to go ... shields up

Before changing anything, dump the current rules into an output file

vi firewall_save_current_rules.sh

#!/usr/bin/env bash

set -o errexit  #  exit on error

#  dump current iptable rules to file

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

# ........

curr_timestamp=$(date '+%H%M%S%N')

curr_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.current_rules

rulesdir=$( dirname "$curr_rulesfile" )

if [[ ! -d $rulesdir ]]; then
    echo about to create dir "$rulesdir"
    mkdir "$rulesdir"
fi

# dump current iptable rules into output timestamped file (iptables-save format, loadable with iptables-restore)
iptables-save > "${curr_rulesfile}"

echo curr_rulesfile "$curr_rulesfile"

Now run the above script to save the current iptables rules

sudo ./firewall_save_current_rules.sh

The code below defines a new set of rules in which we block all incoming traffic by default except the specified parts (specifically the ssh port plus the ordinary http and https ports)

vi firewall_shields_up.sh

#!/usr/bin/env bash

set -o errexit  #  exit on error

#  create new set of iptable rules from inline list of rules - Block all incoming traffic by default except specified

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

# ........

curr_timestamp=$(date '+%H%M%S%N')

new_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.new_rules

rulesdir=$( dirname "$new_rulesfile" )

if [[ ! -d $rulesdir ]]; then
    echo about to create dir "$rulesdir"
    mkdir "$rulesdir"
fi

# .....  park into a new file below list of iptable rules
# (the GitHubWebHooks chain and the two rules that use it are optional)

cat << EOF > "${new_rulesfile}"
*filter
:INPUT DROP [331:17104]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9727:1360720]
:GitHubWebHooks - [0:0]
-A INPUT -p tcp -m tcp --dport 9000 -j GitHubWebHooks
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A GitHubWebHooks -s 192.30.252.0/22 -j ACCEPT
-A GitHubWebHooks -j DROP
COMMIT
EOF

echo new_rulesfile "$new_rulesfile"

# engage new iptable rules from file (replaces the current filter table in one step)
iptables-restore < "${new_rulesfile}"

echo here is new iptable settings

iptables-save

#  ... if you are running docker you will want to bounce its daemon
#  sudo service docker restart

Run the above script to define the new iptables rules

sudo ./firewall_shields_up.sh

For completeness, below is a troubleshooting script that effectively disables the firewall by opening up all incoming and outgoing traffic ... run it if you want a blank slate, but then run the firewall_shields_up.sh above to restore the proper firewall

vi firewall_shields_down.sh

#!/usr/bin/env bash

set -o errexit  #  exit on error

#  open up all incoming and outgoing traffic ... effectively disabling the firewall

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

# ........ lets first backup current rules into timestamped file

curr_timestamp=$(date '+%H%M%S%N')

curr_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.current_rules_before_opening_up_all_traffic

rulesdir=$( dirname "$curr_rulesfile" )

if [[ ! -d $rulesdir ]]; then
    echo about to create dir "$rulesdir"
    mkdir "$rulesdir"
fi

iptables-save > "${curr_rulesfile}"  # dump current iptable rules into output timestamped file

echo curr_rulesfile "$curr_rulesfile"

# ... now alter iptables to lower shield
# set every built-in chain of the filter table to ACCEPT, then flush all of its rules
# (user-defined chains such as GitHubWebHooks are left in place, but empty)

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

# ... display new iptable rules

echo
echo following are the new iptable rules after we opened up all incoming and outgoing traffic
echo

iptables-save
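An added example, not part of the original question or answer: a small offline audit of a ruleset in iptables-save format, the file format the scripts above write and that iptables-restore loads. It reports the INPUT chain's default policy and the TCP ports INPUT accepts on interfaces other than loopback, so a saved ruleset can be checked for the "shields down" state before it is loaded. The two sample dumps are constructed here from the asker's output and from the answer's ruleset.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit an iptables-save dump offline.
# Reports the INPUT default policy and the TCP ports INPUT accepts off-loopback.

# input_policy FILE -> prints the INPUT chain policy (ACCEPT or DROP) from the ":INPUT" line
input_policy() {
    awk '/^:INPUT /{print $2; exit}' "$1"
}
# open_tcp_ports FILE -> prints the --dport values of INPUT rules that ACCEPT tcp
# without an "-i lo" restriction, space separated, in rule order
open_tcp_ports() {
    awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ && !/-i lo/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") printf "%s ", $(i + 1)
         }
         END { print "" }' "$1" | sed 's/ $//'
}
# shields_up FILE -> exit status 0 when INPUT defaults to DROP, 1 otherwise
shields_up() {
    [ "$(input_policy "$1")" = "DROP" ]
}

# Constructed samples written to temp files so the functions run offline.
# sample_asker: the asker's `iptables -S` output rewritten in iptables-save form.
# sample_answer: the "shields up" ruleset from the answer (trimmed to the relevant lines).
sample_asker=$(mktemp); sample_answer=$(mktemp)
trap 'rm -f "$sample_asker" "$sample_answer"' EXIT
cat > "$sample_asker" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
cat > "$sample_answer" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GitHubWebHooks - [0:0]
-A INPUT -p tcp -m tcp --dport 9000 -j GitHubWebHooks
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A GitHubWebHooks -s 192.30.252.0/22 -j ACCEPT
COMMIT
EOF
```

For the asker's dump this yields policy ACCEPT with ports 443 and 80 exposed, for the answer's dump policy DROP with only port 22 exposed (the port 80 rule is skipped because it is restricted to lo).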
