我有 2 台服务器:1 台游戏服务器(ip 176.31.109.201,端口 28020)和 1 台 dedikeret(专用)服务器,我在后者上运行 mysql
我的问题是:如何在 firewall.sh 中允许我的游戏服务器连接到 dedikeret 服务器上的 mysql 数据库
我的 firewall.sh 如下所示,是很久以前一个朋友帮我写的:
#!/bin/sh
# ---------------------------------------------------
# Paths to iptables, modprobe and sysctl
# ---------------------------------------------------
IPT="/sbin/iptables"
MOP="/sbin/modprobe"   # NOTE(review): defined but never used anywhere in this script
SCTL="/sbin/sysctl -w"
# ---------------------------------------------------
# Interfaces
# ---------------------------------------------------
INET_IFACE="eth0"
#INET_ADDRESS="99.99.99.99"
LO_IFACE="lo"
LO_IP="127.0.0.1"
# ---------------------------------------------------
# Kernel network hardening (the original heading said "load modules",
# but only sysctl settings are applied here - no modprobe is run)
# ---------------------------------------------------
for knob in \
  net.ipv4.tcp_syncookies=1 \
  net.ipv4.icmp_echo_ignore_broadcasts=1 \
  net.ipv4.conf.all.accept_source_route=0
do
  $SCTL "$knob"
done
# ---------------------------------------------------
# Reset to a fully open firewall: every policy ACCEPT, all chains
# flushed and user chains deleted. This is also the "stop" state.
# NOTE(review): from here until the DROP policies are set further
# down, the host accepts everything - a known cost of this rebuild style.
# ---------------------------------------------------
for chain in INPUT FORWARD OUTPUT; do
  $IPT -P "$chain" ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
  $IPT -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT; do
  $IPT -t mangle -P "$chain" ACCEPT
done
# Flush all rules, then delete all user-defined chains, per table
for table in filter nat mangle; do
  $IPT -t "$table" -F
done
for table in filter nat mangle; do
  $IPT -t "$table" -X
done
# "firewall.sh stop" ends here, leaving the open state above in place
if [ "$1" = "stop" ]; then
  echo "Firewall inaktiv - Alle policies = accept"
  exit 0
fi
# ---------------------------------------------------
# Build the firewall proper (chains etc.)
# ---------------------------------------------------
# Source dedicated server (SRCDS) game ports, in iptables multiport syntax
SRCDS_PORTS="3478,4379,4380,27000:27050,27500:27510"
#
# Default policies: nothing passes unless a rule below allows it
for chain in INPUT OUTPUT FORWARD; do
  $IPT -P "$chain" DROP
done
# User-defined chains:
#   bad_packets / bad_tcp_packets : fast drop of junk
#   udp_inbound / tcp_inbound     : per-protocol inbound allow lists
#   udp_outbound / tcp_outbound   : outbound allow lists
#                                   (NOTE(review): no rule in this file jumps to them;
#                                   OUTPUT accepts traffic directly)
#   icmp_packets                  : ICMP handling
for chain in bad_packets bad_tcp_packets udp_inbound tcp_inbound \
             udp_outbound tcp_outbound icmp_packets; do
  $IPT -N "$chain"
done
# ---------------------------------------------------
# Bad packets
# ---------------------------------------------------
# Anything conntrack cannot classify is dropped outright.
# (The matching LOG rules were commented out in the original; put a
# LOG rule in front of a DROP if you need to see what is being hit.)
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# TCP gets a second look in bad_tcp_packets
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# Everything else is fine - hand back to the caller
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
#
# Every TCP packet passes through here. A connection in state NEW that
# does not start with SYN is most likely a scan or a stray packet - drop it.
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# Flag combinations that do not occur in legitimate traffic ("stealth scans").
# Each line is "mask compare" as passed to --tcp-flags; order is preserved.
while read -r mask comp; do
  $IPT -A bad_tcp_packets -p tcp --tcp-flags "$mask" "$comp" -j DROP
done <<EOF
ALL NONE
ALL ALL
ALL FIN,URG,PSH
ALL SYN,RST,ACK,FIN,URG
SYN,RST SYN,RST
SYN,FIN SYN,FIN
EOF
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# ---------------------------------------------------
# ICMP
# ---------------------------------------------------
# Fragmented ICMP is treated as a DoS attempt - drop on sight
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# ICMP type 8 (echo request / ping) - uncomment to allow
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# ICMP type 11 (time exceeded) is considered harmless, so it is allowed
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Everything else returns to INPUT (and ends in its DROP policy)
$IPT -A icmp_packets -p ICMP -j RETURN
# ---------------------------------------------------
# UDP INBOUND
# ---------------------------------------------------
# Silence NetBIOS chatter from Windows hosts
for port in 137 138; do
  $IPT -A udp_inbound -p UDP -s 0/0 --destination-port "$port" -j DROP
done
# Game traffic (SRCDS / CSS) on the UDP ports listed in SRCDS_PORTS
$IPT -A udp_inbound -p UDP -s 0/0 -m multiport --dports "$SRCDS_PORTS" -j ACCEPT
# Anything else falls back to INPUT, whose policy is DROP
$IPT -A udp_inbound -p UDP -j RETURN
# ---------------------------------------------------
# TCP INBOUND
# ---------------------------------------------------
# Services reachable from anywhere (0/0): http, https, ftp control
for port in 80 443 21; do
  $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port "$port" -j ACCEPT
done
# FTP client, active-mode data connections.
# NOTE(review): this accepts ANY TCP packet from anywhere whose source port
# is 20, with no destination-port restriction - a weak match. If an FTP
# conntrack helper were loaded (this script loads no modules), the
# ESTABLISHED,RELATED rule in INPUT would already cover active data
# connections and this rule could go; verify before removing it.
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
# SSH - consider restricting -s to known admin addresses
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# RCON and other TCP traffic to the game server ports
$IPT -A tcp_inbound -p TCP -s 0/0 -m multiport --dports "$SRCDS_PORTS" -j ACCEPT
# Webmin - an admin interface open to the world; restrict -s if at all possible
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 10000 -j ACCEPT
# New allow rules (e.g. MySQL from one specific peer) belong ABOVE this RETURN;
# whatever is not matched here goes back to INPUT and its DROP policy
$IPT -A tcp_inbound -p TCP -j RETURN
# ---------------------------------------------------
# UDP / TCP OUTBOUND
# ---------------------------------------------------
echo "udp outbound rules"
# All outgoing UDP and TCP is allowed.
# NOTE(review): these two chains are never jumped to from OUTPUT in this
# file; OUTPUT accepts traffic on $INET_IFACE directly.
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
# ---------------------------------------------------
# Top-level INPUT chain
# ---------------------------------------------------
echo "Input chain"
# Loopback is fully trusted
$IPT -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT
# Weed out junk first (see bad_packets)
$IPT -A INPUT -p ALL -j bad_packets
# IGMP all-hosts broadcasts
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# Replies belonging to connections this host already allowed
$IPT -A INPUT -p ALL -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else arriving from the internet goes to the per-protocol chains
while read -r proto chain; do
  $IPT -A INPUT -p "$proto" -i "$INET_IFACE" -j "$chain"
done <<EOF
UDP udp_inbound
TCP tcp_inbound
ICMP icmp_packets
EOF
# Broadcasts that survived this far
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# ---------------------------------------------------
# Top-level OUTPUT chain
# ---------------------------------------------------
echo "Output chain"
# The only thing refused outright is invalid ICMP
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
$IPT -A OUTPUT -p ALL -o "$LO_IFACE" -j ACCEPT
# Everything leaving on the internet interface is accepted here directly.
# NOTE(review): any OUTPUT rule appended (-A) later in the file lands
# after this ACCEPT and therefore never sees traffic on $INET_IFACE.
$IPT -A OUTPUT -p ALL -o "$INET_IFACE" -j ACCEPT
# Reaching this point means something is badly wrong - log it, rate-limited
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "FW:OUTPUT dead packet: "
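# ------------------------------------------------
# Rules carried over from another firewall script
# ------------------------------------------------
# Uses $IPT like the rest of the file; the original called a bare
# "iptables" here, which may resolve to a different binary than $IPT.
echo "UDP flood attack defence"
# Log-and-drop chain for UDP floods.
# NOTE(review): nothing in this file jumps to log_flood_attack, so the
# chain exists but is idle (see the "disabled for now" echo at the end).
$IPT -N log_flood_attack
$IPT -A log_flood_attack -j LOG --log-prefix "SRCDS:ATTACK:UDP_FLOOD: " --log-ip-options -m limit --limit 2/sec
$IPT -A log_flood_attack -j DROP
echo "malformed packet protection"
# Log-and-accept chain: a warning only, the packet still passes
$IPT -N log_malformed_packet
$IPT -A log_malformed_packet -j LOG --log-prefix "SRCDS:WARNING:MALFORMED_PKT: " --log-ip-options -m limit --limit 2/sec
$IPT -A log_malformed_packet -j ACCEPT
echo "outgoing DDoS protection"
# Log-and-drop chain for bursts of outgoing TCP SYNs
$IPT -N log_outgoing_ddos
$IPT -A log_outgoing_ddos -j LOG --log-prefix "WARNING:OUTGOING_DDOS: " --log-ip-options -m limit --limit 2/sec
$IPT -A log_outgoing_ddos -j DROP
# NOTE(review): -A appends this after "OUTPUT -o $INET_IFACE -j ACCEPT" above,
# so SYNs leaving on $INET_IFACE never reach it; it only applies to other
# interfaces. Moving it earlier (-I) would cap every new outbound connection
# from this host at 1/s (burst 3) - decide that deliberately, not by accident.
$IPT -A OUTPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j log_outgoing_ddos
# Log incoming small/malformed UDP packets (typical CS DoS pattern).
# The single 0:32 range is disabled because it catches HLSW queries
# (length 9); the three ranges below skip lengths 9 and 29.
#$IPT -A INPUT -p udp -m udp -m multiport --dports "$SRCDS_PORTS" -m length --length 0:32 -j log_malformed_packet
# NOTE(review): same ordering caveat - udp_inbound already ACCEPTs UDP to
# these ports arriving on $INET_IFACE, so these only see other interfaces.
for range in 0:8 10:28 30:32; do
  $IPT -A INPUT -p udp -m udp -m multiport --dports "$SRCDS_PORTS" -m length --length "$range" -j log_malformed_packet
done
echo "Single source UDP flooding protection - disabled for now (causes error)"
echo "Firewall aktiv..."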
答案1
在 TCP 入站(tcp_inbound)部分中,您必须添加一条只允许您的游戏服务器地址访问的规则:
# MySQL - only the game server (176.31.109.201) may open TCP 3306.
# Every other source is not matched here and ends in the INPUT DROP policy.
# (The firewall is only half the job: MySQL itself must also be listening
# on the external address - not covered here.)
$IPT -A tcp_inbound -p TCP -s 176.31.109.201 --destination-port 3306 -j ACCEPT
将此规则插入到链末尾的 RETURN 规则之前,如下所示:
# MySQL - restricted to the game server's address; must come BEFORE the RETURN
$IPT -A tcp_inbound -p TCP -s 176.31.109.201 --destination-port 3306 -j ACCEPT
# Unmatched TCP goes back to INPUT, whose policy is DROP
$IPT -A tcp_inbound -p TCP -j RETURN
答案2
谢谢
所以,如果我理解正确的话,应该是这样?
# Webmin (unchanged, open to 0/0)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 10000 -j ACCEPT
# MySQL - only from the game server, placed before the RETURN so it is reached
$IPT -A tcp_inbound -p TCP -s 176.31.109.201 --destination-port 3306 -j ACCEPT
# Anything not matched above falls back to INPUT (policy DROP)
$IPT -A tcp_inbound -p TCP -j RETURN