Allow IP from game server

I have 2 servers: 1 game server, IP 176.31.109.201 port 28020, and 1 dedicated server on which I run MySQL.

My question is how to allow my game server to connect to the MySQL database on the dedicated server in my firewall.sh.

My firewall.sh looks like this; a friend made it for me a long time ago:

#!/bin/sh

# ---------------------------------------------------
# Location of iptables, modprobe and sysctl
# ---------------------------------------------------

IPT="/sbin/iptables"
MOP="/sbin/modprobe"
SCTL="/sbin/sysctl -w"

# ---------------------------------------------------
# Interfaces
# ---------------------------------------------------

INET_IFACE="eth0"
#INET_ADDRESS="99.99.99.99"

LO_IFACE="lo"
LO_IP="127.0.0.1"

# ---------------------------------------------------
# Load modules / sysctl settings
# ---------------------------------------------------

$SCTL net.ipv4.tcp_syncookies="1"
$SCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
$SCTL net.ipv4.conf.all.accept_source_route="0"

# ---------------------------------------------------
# Clear all chains - (stop the firewall)
# ---------------------------------------------------
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush everything
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Delete other chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
    echo "Firewall inaktiv - Alle policies = accept"
    exit 0
fi

# ---------------------------------------------------
# Create the firewall itself (chains etc.)
# ---------------------------------------------------
# Source dedicated server (SRCDS) game ports
SRCDS_PORTS="3478,4379,4380,27000:27050,27500:27510"
#
# Set default policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Create user chains
# Bad chains = quick drop
$IPT -N bad_packets
$IPT -N bad_tcp_packets

# Inbound chains
$IPT -N udp_inbound
$IPT -N tcp_inbound

# Outbound chains
$IPT -N udp_outbound
$IPT -N tcp_outbound

# Other chains
$IPT -N icmp_packets

# ---------------------------------------------------
# Bad packets
# ---------------------------------------------------

# $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state
# NEW that are not flagged as syn packets.

# $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

# $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

# $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# ---------------------------------------------------
# ICMP
# ---------------------------------------------------

# Fragmented ICMP packets = DoS - we drop them on the spot

# $IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# ICMP type 8 = ping - remove the comment to allow it
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG --log-prefix "Ping detected: "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# Time Exceeded = 11 - considered harmless, so we allow it
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

$IPT -A icmp_packets -p ICMP -j RETURN


# ---------------------------------------------------
# UDP INBOUND
# ---------------------------------------------------

# Drop noise (NetBIOS) from Windows machines
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Allow UDP to CSS servers
$IPT -A udp_inbound -p UDP -s 0/0 -m multiport --dports $SRCDS_PORTS -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN

# ---------------------------------------------------
# TCP INBOUND
# ---------------------------------------------------

# Web server (http and https)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT

# FTP Server
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT

# FTP client (active transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT

# SSH
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# TCP to CSS - RCON
$IPT -A tcp_inbound -p TCP -s 0/0 -m multiport --dports $SRCDS_PORTS -j ACCEPT


# Webmin
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 10000 -j ACCEPT

$IPT -A tcp_inbound -p TCP -j RETURN


# ---------------------------------------------------
# UDP OUTBOUND
# ---------------------------------------------------
echo "udp outbound rules"
# We allow all outgoing UDP

$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT


# ---------------------------------------------------
# TCP OUTBOUND
# ---------------------------------------------------

# We allow all outgoing TCP
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT


# ---------------------------------------------------
# Main INPUT chain
# ---------------------------------------------------
echo "Input chain"
# allow everything to localhost
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop junk packets
$IPT -A INPUT -p ALL -j bad_packets

# Drop IGMP bcasts
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP

# Accept connections we have already accepted
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Send other input to our user chains
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop broadcasts that have survived this far
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# ---------------------------------------------------
# Main OUTPUT chain
# ---------------------------------------------------
echo "Output chain"
# The only thing we do not allow is invalid ICMP
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# If an OUTPUT packet ends up here, something is very wrong!
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "FW:OUTPUT dead packet: "

# ------------------------------------------------
# From another FW
# ------------------------------------------------
# Note: these rules are appended to INPUT/OUTPUT after the blanket ACCEPT
# rules above (OUTPUT already accepts everything leaving $INET_IFACE, and
# udp_inbound already accepts UDP to $SRCDS_PORTS), so as written they are
# never reached for that traffic. They only take effect if placed before
# those ACCEPT rules (e.g. inserted with -I instead of appended with -A).
echo "UDP flood attack defence"
# Set up UDP flood attack log-n-drop rule
iptables -N log_flood_attack
iptables -A log_flood_attack -j LOG --log-prefix "SRCDS:ATTACK:UDP_FLOOD: " --log-ip-options -m limit --limit 2/sec
iptables -A log_flood_attack -j DROP

echo "malformed packet protection"
# Set up malformed packet warning log rule
iptables -N log_malformed_packet
iptables -A log_malformed_packet -j LOG --log-prefix "SRCDS:WARNING:MALFORMED_PKT: " --log-ip-options -m limit --limit 2/sec
iptables -A log_malformed_packet -j ACCEPT

echo "outgoing DDoS protection"
# set up outgoing DDoS attack detection, log and drop
iptables -N log_outgoing_ddos
iptables -A log_outgoing_ddos -j LOG --log-prefix "WARNING:OUTGOING_DDOS: " --log-ip-options -m limit --limit 2/s
iptables -A log_outgoing_ddos -j DROP
# "-m limit" matches the packets that are WITHIN the rate, so jumping to the
# drop chain straight from it would drop the first SYNs and pass the flood.
# Accept the in-rate SYNs first, then send the excess to log-and-drop.
iptables -A OUTPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -j log_outgoing_ddos

# Log incoming small/malformed packet UDP attacks (typical CS DoS attack)
#iptables -A INPUT -p udp -m udp -m multiport --dports $SRCDS_PORTS -m length --length 0:32 -j log_malformed_packet
# Note: Disabled for now because it catches the traffic from HLSW (packet of length 9)
iptables -A INPUT -p udp -m udp -m multiport --dports $SRCDS_PORTS -m length --length 0:8 -j log_malformed_packet
iptables -A INPUT -p udp -m udp -m multiport --dports $SRCDS_PORTS -m length --length 10:28 -j log_malformed_packet
iptables -A INPUT -p udp -m udp -m multiport --dports $SRCDS_PORTS -m length --length 30:32 -j log_malformed_packet

echo "Single source UDP flooding protection - disabled for now (causes error)"

echo "Firewall aktiv..."

Answer 1

In the TCP inbound section you have to add a rule that allows your server:

# MySQL
$IPT -A tcp_inbound -p TCP -s 176.31.109.201 --dport 3306 -j ACCEPT

Insert this rule above the cleanup rule, like this:

# MySQL
$IPT -A tcp_inbound -p TCP -s 176.31.109.201 --dport 3306 -j ACCEPT

$IPT -A tcp_inbound -p TCP -j RETURN

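The answer above says the allow rule must sit above the chain's RETURN; the helpers below, which are an added example and not part of the post or the answer, show how to place it there on a running firewall (with iptables -I at the computed index rather than by editing firewall.sh) and how to audit a chain dump for the common mistake of appending it with -A, where it lands after RETURN and is never evaluated. They work purely on the text of `iptables -S` output, so they run without root or iptables; the sample dump is constructed to match the posted script, the chain name tcp_inbound, port 3306 and the IPT default are assumptions taken from the script, and `-m conntrack --ctstate NEW` is a tightening of the answer's rule, not something the answer itself uses.

```shell
#!/bin/sh
# Added example (not from the original post): place the MySQL allow rule
# above the trailing RETURN of tcp_inbound and audit the result. Everything
# is text processing over `iptables -S` output; the real iptables command is
# only printed, never executed.
# Assumed: chain tcp_inbound, MySQL on 3306, IPT defaulting to /sbin/iptables.

IPT="${IPT:-/sbin/iptables}"
CHAIN="tcp_inbound"

# Constructed sample of `iptables -S tcp_inbound` for the posted script
# (same rule order as the script appends them; -S normalizes the syntax).
SAMPLE_DUMP='-N tcp_inbound
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 21 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --sport 20 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m multiport --dports 3478,4379,4380,27000:27050,27500:27510 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 10000 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN'

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255,
# so nothing but an address ever reaches the iptables command line.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# return_index CHAIN (dump on stdin): 1-based rule position of the chain's
# "-j RETURN" line (the -N line is not a rule). Inserting at this index with
# "iptables -I CHAIN INDEX" lands the new rule directly above the RETURN.
return_index() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain {
        n++; if ($(NF-1) == "-j" && $NF == "RETURN") { print n; exit } }'
}

# mysql_rule SRC_IP: rule body allowing SRC_IP to open MySQL connections.
# --ctstate NEW limits it to the handshake; replies ride on the
# ESTABLISHED,RELATED rule already in INPUT (conntrack is the current
# spelling of the script's "-m state").
mysql_rule() {
    is_ipv4 "$1" || { echo "mysql_rule: invalid IPv4 address '$1'" >&2; return 1; }
    printf '%s\n' "-p tcp -s $1/32 --dport 3306 -m conntrack --ctstate NEW -j ACCEPT"
}

# insert_cmd SRC_IP DUMP: the iptables command that inserts the rule above
# RETURN in the live chain, given the current `iptables -S CHAIN` dump.
insert_cmd() {
    idx=$(printf '%s\n' "$2" | return_index "$CHAIN")
    [ -n "$idx" ] || { echo "insert_cmd: no RETURN rule in $CHAIN" >&2; return 1; }
    rule=$(mysql_rule "$1") || return 1
    printf '%s -I %s %s %s\n' "$IPT" "$CHAIN" "$idx" "$rule"
}

# apply_insert INDEX RULE DUMP: simulate "iptables -I CHAIN INDEX RULE" on a
# dump, printing what `iptables -S` would show afterwards.
apply_insert() {
    printf '%s\n' "$3" | awk -v idx="$1" -v rule="$2" -v chain="$CHAIN" '
        $1 == "-A" && $2 == chain { n++; if (n == idx) print "-A " chain " " rule }
        { print }'
}

# allow_precedes_return SRC_IP DUMP: succeed only if an ACCEPT for SRC_IP
# port 3306 appears before the chain's RETURN. A rule appended with -A ends
# up after RETURN, where it is never evaluated; this check catches that.
allow_precedes_return() {
    printf '%s\n' "$2" | awk -v ip="$1" -v chain="$CHAIN" '
        $1 == "-A" && $2 == chain {
            src = 0; port = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-s" && ($(i+1) == ip || $(i+1) == (ip "/32"))) src = 1
                if ($i == "--dport" && $(i+1) == "3306") port = 1
            }
            if (src && port && $NF == "ACCEPT") seen = 1
            if ($NF == "RETURN") exit (seen ? 0 : 1)
        }
        END { if (!seen) exit 1 }'
}

# Walk-through with the address from the question: print the command, then
# audit the simulated chain after the insert.
insert_cmd 176.31.109.201 "$SAMPLE_DUMP"
idx=$(printf '%s\n' "$SAMPLE_DUMP" | return_index "$CHAIN")
after=$(apply_insert "$idx" "$(mysql_rule 176.31.109.201)" "$SAMPLE_DUMP")
allow_precedes_return 176.31.109.201 "$after" && echo "audit: allow rule is above RETURN"
```

On a live box the same thing is `iptables -S tcp_inbound | return_index tcp_inbound` to get the index and then the printed `iptables -I` command; a later run of `allow_precedes_return` over a fresh `iptables -S tcp_inbound` confirms the rule is still where the answer wants it. Putting the rule in firewall.sh itself, as the answer shows, is still what makes it survive a `firewall.sh stop`/restart.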
Answer 2

Thanks.

So if I understand you correctly, this is right?

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 10000 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 176.31.109.201 --dport 3306 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN
