Iptables 仅允许传入到 OpenSSH 的流量并阻止所有其他流量

最简单的方法是这样的：

0. 打开终端（如果尚未打开）
1. 阻止所有传入流量：

   sudo ufw default deny incoming
   

2. 允许 OpenSSH：

   sudo ufw allow OpenSSH
   

如果 SSH 连接来自有限的 IP 子集（例如内部网络），那么您可以将 OpenSSH 限制为只是本地网络如下：

sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp

^{笔记：确保更改192.168.0.0为适用于网络的值。}

以下是 iptables 规则创建脚本：

#!/bin/sh
FWVER=0.01
#
# ask1368071 Smythies 2021.10.08 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1368071/iptables-that-only-allow-incoming-traffic-to-openssh-and-block-all-other-traffic
#       run as sudo on s19.
#       log entries are only for each NEW ssh packet. It seems unreasonable to log every ssh packet, but it could be done.
#

echo "Loading ask1368071 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Set for Smythies s19 computer (for testing). Edit for ask1368071's computer.
EXTIF="br0"
EXTIP="192.168.111.136"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about Nigel's computer.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Allow any related traffic coming back to the server in.
# (Nigel did not ask for this, but I am assuming it is needed.)
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow and log new SSH connections
#
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j LOG --log-prefix "ssh traffic:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

# Do not allow in anything else
# Could also just fall through to default policy here, but sometimes a logging rule is also desired.
#
$IPTABLES -A INPUT -i $EXTIF -j LOG --log-prefix "blocked traffic:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -j DROP

# Done.
#
echo ask1368071 rule set version $FWVER done.

这是启动新的 ssh 会话后的列表：

doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      66     5465 ACCEPT     all  --  br0    *       0.0.0.0/0            192.168.111.136      state RELATED,ESTABLISHED
       1       52 LOG        tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22 LOG flags 0 level 6 prefix "ssh traffic:"
       1       52 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22
      18     1382 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "blocked traffic:"
      18     1382 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 56 packets, 8793 bytes)
    pkts      bytes target     prot opt in     out     source               destination

以下是一些日志条目。哎呀，我的 Samba 共享被破坏了：

Oct  8 08:07:15 s19 kernel: [249075.860342] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53951 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:16 s19 kernel: [249076.878329] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53957 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:17 s19 kernel: [249077.896198] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53959 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:18 s19 kernel: [249078.914012] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53960 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:19 s19 kernel: [249079.931823] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53961 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:20 s19 kernel: [249080.934176] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53962 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:20 s19 kernel: [249081.115999] blocked traffic:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:80:7d:3a:19:ea:59:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=316
Oct  8 08:07:20 s19 kernel: [249081.132297] blocked traffic:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:80:7d:3a:19:ea:59:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=316
Oct  8 08:07:21 s19 kernel: [249081.936134] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53964 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:22 s19 kernel: [249082.938594] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53965 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:23 s19 kernel: [249083.956556] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53966 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:24 s19 kernel: [249084.958914] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53967 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0
Oct  8 08:07:25 s19 kernel: [249085.976907] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=53968 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  8 08:07:25 s19 kernel: [249085.981353] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53969 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:26 s19 kernel: [249086.985732] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53970 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:28 s19 kernel: [249089.005970] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53971 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:32 s19 kernel: [249093.012998] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53973 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:35 s19 kernel: [249096.205252] ssh traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53974 DF PROTO=TCP SPT=61351 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:40 s19 systemd[1]: Started Session 222 of user doug.
Oct  8 08:07:40 s19 kernel: [249101.031397] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53989 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:46 s19 kernel: [249107.046666] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53997 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:47 s19 kernel: [249108.061299] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53998 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:49 s19 kernel: [249110.065547] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53999 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:07:53 s19 kernel: [249114.090375] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=54001 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  8 08:08:01 s19 kernel: [249122.092377] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=54021 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0