我的服务器在端口 1935 上运行 Nginx Rtmp Server
我正在运行一个防火墙脚本来阻止恶意客户端通过任何 TCP 端口连接我的服务器超过 30 次,脚本如下
#!/bin/sh
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
EXTIF="ens3"
EXTIP1="92.186.5.80"
EXTIMESENTER=30
UNIVERSE="0.0.0.0/0"
#Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on
$IPTABLES -F add-to-connlimit-list
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
echo "...load xt_recent..."
modprobe -r xt_recent
modprobe xt_recent ip_list_tot=5000 ip_pkt_list_tot=128
echo "...load list limitation..."
#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
# add-to-connlimit-list
# To many connections from an IP address has been detected.
$IPTABLES -N add-to-connlimit-list
$IPTABLES -A add-to-connlimit-list -m recent --set --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -j DROP
echo "...Accept incomming traffic..."
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
# Just DROP invalid packets.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j DROP
# external interface, from any source, for any remaining ICMP traffic is valid
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -j DROP
#allow TcpPorts
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 432000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p tcp -m connlimit --connlimit-above $EXTIMESENTER -j add-to-connlimit-list
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -m state --state NEW -p tcp -j ACCEPT
# Allow udp Packets
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -m state --state NEW -p udp -j ACCEPT
# Allow any related traffic coming back to the server in. i moved it here to drop the attacker current connectivety as you told me
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# O.K. at this point, we will DROP the packet, however some will be dropped without logging just to make the log file
# less cluttered.
#
$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --dport 33434:33448 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --dport 23,2323 -j DROP
#this rule may not needed
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
我如何避免阻止连接到我的 RTMP 服务器的客户端?
答案1
移动此规则:
# Allow any related traffic coming back to the server in. i moved it here to drop the attacker current connectivety as you told me
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP1 -m state --state ESTABLISHED,RELATED -j ACCEPT
更早一点,比如说 ICMP 之后。
之后立即添加一条新规则,接受您的端口 1935 内容。您没有指定 tcp 或 udp。我将执行 tcp:
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 1935 -m state --state NEW -j ACCEPT
这将允许任何人尝试与您的 1935 端口建立新连接。如果您想阻止坏人名单上的人,请将此新规则放在坏人检查和连接限制检查之间,如下所示:
#allow TcpPorts
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 432000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 1935 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p tcp -m connlimit --connlimit-above $EXTIMESENTER -j add-to-connlimit-list
注1:未经测试。