使用 iptables 锁定公共服务器时遇到问题

使用 iptables 锁定公共服务器时遇到问题

我对 Ubuntu 还不太熟悉。我试图将它锁定,以便我可以通过我的 IP 地址完全访问它,而其他人只能访问端口 80 和 443。

为了更好地理解它,我将命令放在脚本中。另外,如果我搞砸了,它可以让我更轻松地重新运行。不用说,我已经运行了好几次,但都没有任何运气。

我可以通过 ssh 端口(不是默认的 22)顺利连接。我可以 ping 出服务器。

我为 Portainer 使用的端口(例如,我将使用 9999)可供所有人访问,无论 IP 地址如何。我只希望端口 80 和 443 可供公众访问。

我创建的脚本:

#!/bin/bash

# Flush (-F) existing rules
iptables -F

# Set default policies (-P)
# Accept all input to server
iptables -P INPUT ACCEPT
# Accept all forwarding from server
iptables -P FORWARD ACCEPT
# Accept all output from server
iptables -P OUTPUT ACCEPT

# Allow (-A) incoming traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Allow all outgoing traffic
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
# Allow incoming traffic that has been established from an outgoing connection
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming traffic on port 80 (HTTP)
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

# Allow incoming traffic on port 443 (HTTPS)
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

# Screw it, let me have full access dammit
iptables -A INPUT -s x.x.x.84 -j ACCEPT

# Drop all other incoming traffic
iptables -A INPUT -j DROP

# Save the rules to persist across reboots
iptables-save > /etc/iptables/rules.v4

# Force persistent rules
sh -c 'iptables-save > /etc/iptables/rules.v4'

运行上述程序后,我的防火墙规则如下:

table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        iifname "eth0" ct state related,established counter packets 51 bytes 4755 accept
        iifname "lo" counter packets 6 bytes 680 accept
        iifname "eth0" meta l4proto tcp tcp dport 80 counter packets 0 bytes 0 accept
        iifname "eth0" meta l4proto tcp tcp dport 443 counter packets 11 bytes 528 accept
        ip saddr xx.xx.xx.84 counter packets 0 bytes 0 accept
        counter packets 35 bytes 1688 drop
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        oifname "eth0" counter packets 41 bytes 3721 accept
    }

    chain ufw-after-forward {
    }

    chain ufw-after-input {
    }

    chain ufw-after-logging-forward {
    }

    chain ufw-after-logging-input {
    }

    chain ufw-after-logging-output {
    }

    chain ufw-after-output {
    }

    chain ufw-before-forward {
    }

    chain ufw-before-input {
    }

    chain ufw-before-logging-forward {
    }

    chain ufw-before-logging-input {
    }

    chain ufw-before-logging-output {
    }

    chain ufw-before-output {
    }

    chain ufw-reject-forward {
    }

    chain ufw-reject-input {
    }

    chain ufw-reject-output {
    }

    chain ufw-track-forward {
    }

    chain ufw-track-input {
    }

    chain ufw-track-output {
    }

    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
    }

    chain DOCKER-ISOLATION-STAGE-2 {
    }

    chain DOCKER-USER {
    }

    chain ufw-logging-deny {
    }

    chain ufw-logging-allow {
    }

    chain ufw-skip-to-policy-input {
    }

    chain ufw-skip-to-policy-output {
    }

    chain ufw-skip-to-policy-forward {
    }

    chain ufw-not-local {
    }

    chain ufw-user-input {
    }

    chain ufw-user-output {
    }

    chain ufw-user-forward {
    }

    chain ufw-user-logging-input {
    }

    chain ufw-user-logging-output {
    }

    chain ufw-user-logging-forward {
    }

    chain ufw-user-limit {
    }

    chain ufw-user-limit-accept {
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        counter packets 185 bytes 18491 jump ufw6-before-logging-input
        counter packets 185 bytes 18491 jump ufw6-before-input
        counter packets 1 bytes 76 jump ufw6-after-input
        counter packets 1 bytes 76 jump ufw6-after-logging-input
        counter packets 1 bytes 76 jump ufw6-reject-input
        counter packets 1 bytes 76 jump ufw6-track-input
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 0 bytes 0 jump ufw6-before-logging-forward
        counter packets 0 bytes 0 jump ufw6-before-forward
        counter packets 0 bytes 0 jump ufw6-after-forward
        counter packets 0 bytes 0 jump ufw6-after-logging-forward
        counter packets 0 bytes 0 jump ufw6-reject-forward
        counter packets 0 bytes 0 jump ufw6-track-forward
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        counter packets 387 bytes 33586 jump ufw6-before-logging-output
        counter packets 387 bytes 33586 jump ufw6-before-output
        counter packets 190 bytes 19582 jump ufw6-after-output
        counter packets 190 bytes 19582 jump ufw6-after-logging-output
        counter packets 190 bytes 19582 jump ufw6-reject-output
        counter packets 190 bytes 19582 jump ufw6-track-output
    }

    chain ufw6-after-forward {
    }

    chain ufw6-after-input {
        meta l4proto udp udp dport 137 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
        meta l4proto udp udp dport 138 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
        meta l4proto tcp tcp dport 139 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
        meta l4proto tcp tcp dport 445 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
        meta l4proto udp udp dport 546 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
        meta l4proto udp udp dport 547 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
    }

    chain ufw6-after-logging-forward {
        limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
    }

    chain ufw6-after-logging-input {
        limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
    }

    chain ufw6-after-logging-output {
        limit rate 3/minute burst 10 packets counter packets 129 bytes 11997 log prefix "[UFW ALLOW] "
    }

    chain ufw6-after-output {
    }

    chain ufw6-before-forward {
        rt type 0 counter packets 0 bytes 0 drop
        ct state related,established counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 jump ufw6-user-forward
    }

    chain ufw6-before-input {
        iifname "lo" counter packets 0 bytes 0 accept
        rt type 0 counter packets 0 bytes 0 drop
        ct state related,established counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
        ct state invalid counter packets 0 bytes 0 jump ufw6-logging-deny
        ct state invalid counter packets 0 bytes 0 drop
        meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  ip6 hoplimit 1 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  ip6 hoplimit 1 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  ip6 hoplimit 1 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto udp ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept
        meta l4proto udp ip6 daddr ff02::fb udp dport 5353 counter packets 129 bytes 11997 accept
        meta l4proto udp ip6 daddr ff02::f udp dport 1900 counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 jump ufw6-user-input
    }

    chain ufw6-before-logging-forward {
        ct state new limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW AUDIT] "
    }

    chain ufw6-before-logging-input {
        ct state new limit rate 3/minute burst 10 packets counter packets 129 bytes 11997 log prefix "[UFW AUDIT] "
    }

    chain ufw6-before-logging-output {
        ct state new limit rate 3/minute burst 10 packets counter packets 129 bytes 11997 log prefix "[UFW AUDIT] "
    }

    chain ufw6-before-output {
        oifname "lo" counter packets 0 bytes 0 accept
        rt type 0 counter packets 0 bytes 0 drop
        ct state related,established counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 86 bytes 4472 accept
        meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  counter packets 73 bytes 7008 accept
        meta l4proto ipv6-icmp icmpv6 type  ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp icmpv6 type  ip6 hoplimit 255 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  ip6 hoplimit 1 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  ip6 hoplimit 1 counter packets 0 bytes 0 accept
        meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type  ip6 hoplimit 1 counter packets 0 bytes 0 accept
        counter packets 129 bytes 11997 jump ufw6-user-output
    }

    chain ufw6-reject-forward {
    }

    chain ufw6-reject-input {
    }

    chain ufw6-reject-output {
    }

    chain ufw6-track-forward {
    }

    chain ufw6-track-input {
    }

    chain ufw6-track-output {
        meta l4proto tcp ct state new counter packets 0 bytes 0 accept
        meta l4proto udp ct state new counter packets 129 bytes 11997 accept
    }

    chain ufw6-logging-deny {
        ct state invalid limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW AUDIT INVALID] "
        limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
    }

    chain ufw6-logging-allow {
        limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW ALLOW] "
    }

    chain ufw6-skip-to-policy-input {
        counter packets 0 bytes 0 drop
    }

    chain ufw6-skip-to-policy-output {
        counter packets 0 bytes 0 accept
    }

    chain ufw6-skip-to-policy-forward {
        counter packets 0 bytes 0 drop
    }

    chain ufw6-user-input {
    }

    chain ufw6-user-output {
    }

    chain ufw6-user-forward {
    }

    chain ufw6-user-logging-input {
    }

    chain ufw6-user-logging-output {
    }

    chain ufw6-user-logging-forward {
    }

    chain ufw6-user-limit {
        limit rate 3/minute counter packets 0 bytes 0 log prefix "[UFW LIMIT BLOCK] "
        counter packets 0 bytes 0 reject
    }

    chain ufw6-user-limit-accept {
        counter packets 0 bytes 0 accept
    }
}
table ip nat {
    chain DOCKER {
        iifname "docker0" counter packets 0 bytes 0 return
        iifname != "docker0" meta l4proto tcp tcp dport 9443 counter packets 717 bytes 37060 dnat to 172.17.0.2:9443
        iifname != "docker0" meta l4proto tcp tcp dport 8000 counter packets 134 bytes 6120 dnat to 172.17.0.2:8000
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 18 bytes 1282 masquerade 
        meta l4proto tcp ip saddr 172.17.0.2 ip daddr 172.17.0.2 tcp dport 9443 counter packets 0 bytes 0 masquerade 
        meta l4proto tcp ip saddr 172.17.0.2 ip daddr 172.17.0.2 tcp dport 8000 counter packets 0 bytes 0 masquerade 
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 100762 bytes 4952330 jump DOCKER
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }
}

我犹豫了好久。要么完全把自己锁在 9999 端口之外,要么给所有人完全访问权限。我脑子里有些东西不明白,这有什么道理,我花了好几个小时在 iptables 上尝试让它与 Docker 和 Portainer 一起工作。

任何帮助都将不胜感激!

答案1

我会尽力帮助您。您的虚拟机在哪个云上?我认为您需要确保虚拟机获取正确的源 IP。如果您前面有网关/防火墙/代理,则可能无法正确转发源 IP。您还需要通过从浏览器访问 ifconfig.me 来确保您的源 IP 正确。关于 iptables,我帮不上什么忙,但我想说,如果我处于您的位置,我会使用 Azure、Google Cloud、Oracle 等云,仅发布端口 80 和 443,并且我会从云 shell 进行 SSH 访问,因为它比在端口 22 上直接使用 SSH 更安全,并且会在云帐户上放置 2FA。

答案2

允许来自某个 IP 的某个端口上的某个协议的传入连接,并拒绝来自其他 IP 的该协议和该端口的传入连接...

任何一个

按以下顺序将这两条规则附加到默认策略 INPUT 链:

iptables -A INPUT --protocol tcp --dport 9999 --source 10.10.10.10 -j ACCEPT

...从示例源 IPACCEPT tcp连接到示例端口...然后:999910.10.10.10

iptables -A INPUT --protocol tcp --dport 9999 -j DROP

...从任何其他 IPDROP tcp连接到示例端口。9999

注意您选择添加的非特定协议/端口 INPUT DROP 规则:

iptables -A INPUT -j DROP

... 虽然不限于 TCP/PORT,但也能够完成这项工作。

或者

插入 (作为第一条规则“默认”)到默认策略 INPUT 链:

iptables -I INPUT --protocol tcp --dport 9999 \! --source 10.10.10.10 -j DROP

...DROP tcp连接到示例端口,9999除非源 IP10.10.10.10例如。

注意

通常建议(为了可读性/可追溯性/维护以及有时是性能)避免使用用户添加的自定义规则的默认策略链...因此,强烈建议为此目的创建单独的新自定义链。

IPv4

您的源 IP 地址实际上可能不会像您期望的那样被您的服务器看到,而是另一个 IP 地址...这可能是由某些常见的网络程序(如 NAT、转发...等)造成的。...因此,请检查并确认您的服务器看到的客户端的 IP 地址。

IPv6

您的连接可能会被路由为 IP 版本 6,或者可能会被隧道化为 IP 版本 6,因此由ip6tables规则(检查ip6tables -L)处理,而不是iptables对 IP 版本 6 连接没有影响的规则...因此,请检查并确认采取相应措施。

答案3

我已附上我自己的防火墙配置,您可能会觉得有用。它适用于我的笔记本电脑,当我使用不受保护的网络(如公共 wifi)时,但由于受信任的子网配置,它也可以在本地工作。

/etc/iptables/rules.v4

#-------------------------------------------------------------------------------
# IPTABLES firewall configuration, to minimize attack surface while allowing
# relevant incoming traffic

# The strategy is as follows:
# a) Early DROP of incoming malicious traffic in PREROUTING channel, using 
#    tables "raw" and "mangle"
# b) Default policy for INPUT chain is "DROP" - ACCEPT select traffic only
# c) Default policy for OUTPUT chain is "ACCEPT" - drop select traffic only
# d) Expose local services to trusted networks only
# e) Minimize multi/broad cast announcements to LAN as much as possible
# f) Log potentially malicious traffic, in a way that support analysis
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# Table "raw" : early drop of incoming malformed packets with potentially
# malicious purpose. Table "raw" can only handle packets that does not require
# connection tracking
#-------------------------------------------------------------------------------
*raw
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:raw-xmastree - 
:raw-rpfilter - 
:raw-martian -

# Drop & log incoming malformed "Xmas tree" packets with conflicting TCP flags
-A PREROUTING -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -j raw-xmastree

# Drop & log incoming TCP  packets which fail reverse path test (unroutable source address)
-A PREROUTING -p tcp -m rpfilter --invert -j raw-rpfilter

# N.B. Use of rpfilter rule w. UDP traffic, was found to break Wireguard VPNs ?
#-A PREROUTING -p udp -m rpfilter --invert -j raw-rpfilter

# Drop & log incoming packets from 127.0.0.0/8, which are NOT from loopback interface
-A PREROUTING ! -i lo -s 127.0.0.0/8 -j raw-martian

# raw-xmastree log and drop chain definition
-A raw-xmastree -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW RAW-XMASTREE] "
-A raw-xmastree -j DROP

# raw-rpfilter log and drop chain definition
-A raw-rpfilter -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW RAW-RPFILTER] "
-A raw-rpfilter -j DROP

# raw-martian log and drop chain definition
-A raw-martian -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW RAW-MARTIAN] "
-A raw-martian -j DROP

COMMIT

#-------------------------------------------------------------------------------
# Table "mangle" : early drop of incoming malformed packets with potentially
# malicious purpose. Table"mangle" can handle rules with connection tracking
#-------------------------------------------------------------------------------
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:mangle-invalid - 
:mangle-tcpmss - 
:mangle-synplus - 

# Drop & log incoming packets with INVALID connection state
-A PREROUTING -m conntrack --ctstate INVALID -j mangle-invalid

# Drop & log NEW incoming TCP packets with invalid TCP mss value
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j mangle-tcpmss

# Drop & log NEW incoming TCP packets with invalid TCP flag combination (SYN+)
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j mangle-synplus

# Drop (no log) incoming UDP Service Discovery (SSDP) mulitcasts to port 1900 
# (not working in filter table for some reason)
-A PREROUTING -d 239.255.255.250/32 -p udp --dport 1900 -j DROP

# Drop (no log) incoming UDP mDNS/bonjour/zeroconf multicasts to port 5353 
# (prevent DNS cache poisoning)
-A PREROUTING -d 224.0.0.251/32 -p udp --dport 5353 -j DROP

# mangle-invalid log & drop chain definition
-A mangle-invalid -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW MANGLE-INVALID] "
-A mangle-invalid -j DROP

# mangle-tcpmss log & drop chain definition
-A mangle-tcpmss -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW MANGLE-TCPMSS] "
-A mangle-tcpmss -j DROP

# mangle-synplus log & drop chain definition
-A mangle-synplus -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW MANGLE-SYNPLUS] "
-A mangle-synplus -j DROP

COMMIT

#-------------------------------------------------------------------------------
# Table "filter" : default INPUT chain policy is "DROP".  Consequently, all 
# desired incoming traffic must have an explicit ACCEPT rule.
#-------------------------------------------------------------------------------
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT ACCEPT
:filter-drop - 
:filter-accept - 
:filter-log -
:filter-wgleak -

# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# INPUT chain ACCEPT rules - accept desired ingoing traffic only, and DROP rest
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# Troubleshooting rule.  To be disabled unless for troubleshooting
#-A INPUT -j filter-log

# Default rule : accept traffic from established (from inside -> outwards) 
# and related connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Accept all incominig traffic to loopback interface
-A INPUT -i lo -j ACCEPT

# Accept & log incoming ssh traffic from ipset "TrustedSubnets"
# N.B. sshd must use a hardened configuration

-A INPUT -p tcp -m set --match-set TrustedSubnets src -m multiport --dports 22,443 -j filter-accept

# Accept incoming SAMBA traffic from local IP addresses to local IPs on this host
-A INPUT -p tcp -m addrtype --src-type LOCAL --match multiport --dports 139,445 -j ACCEPT
-A INPUT -p udp -m addrtype --src-type LOCAL --match multiport --dports 137,138 -j ACCEPT

# Accept incoming Dropbox announcements from ipset "TrustedSubnets"
-A INPUT -p udp --sport 17500 --dport 17500 -m set --match-set TrustedSubnets src -j ACCEPT

# Accept incoming traffic from "all hosts" multicast IP address 224.0.0.1 (e.g. IGMP)
-A INPUT -d 224.0.0.1 -j ACCEPT

# Accept select subset of incoming icmp message types
-A INPUT -p icmp --icmp-type echo-request -m set --match-set TrustedSubnets src -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

# N.B. Fallthrough DROP & LOG rule - must ALWAYS be last rule of the INPUT chain
-A INPUT -j filter-drop

# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# OUTPUT chain DROP rules, to minimize "visibility" of host on the network
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# N.B. default policy for OUTPUT chain is ACCEPT !

# N.B. the next two rules block all outgoing SAMBA traffic that are not destined for a local 
# network interface IP address, including SAMBA multicasts to the default LAN

# Drop & log outgoing SAMBA traffic that is NOT destined for LOCAL IP addresses 
-A OUTPUT -p tcp -m addrtype ! --dst-type LOCAL --match multiport --dports 139,445 -j filter-drop
-A OUTPUT -p udp -m addrtype ! --dst-type LOCAL --match multiport --dports 137,138 -j filter-drop

# Drop & log outgoing Dropbox traffic not destined for ipset "TrustedSubnets",
-A OUTPUT -p udp --dport 17500 -m set ! --match-set TrustedSubnets dst -j filter-drop

# All other outgoing traffic is ACCEPTED due to OUTPUT chain default policy

# Here follow user-defined channel definitions
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# filter-accept chain definition : log, then accept
-A filter-accept -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW FILTER-ACCEPT] "
-A filter-accept -j ACCEPT

# filter-drop chain definition : log, then drop
-A filter-drop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW FILTER-DROP] "
-A filter-drop -j DROP

# filter-wgleak chain definition : log, then drop
-A filter-wgleak -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW FILTER-WGLEAK] "
-A filter-wgleak -j DROP

# filter-log chain definition : log, then accept
-A filter-log -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[MYFW FILTER-LOG] "
-A filter-log -j RETURN

COMMIT


add your own trusted subnets as shown below.  I seem to recall you need to install some "persistent----" packages
if not already done


/etc/iptables/ipsets:


create TrustedSubnets hash:net family inet hashsize 1024 maxelem 65536 comment bucketsize 12 initval 0xef3022c4
add TrustedSubnets 10.192.168.0/24 comment "My home LAN"

防火墙的所有日志都标记为 [MYFW-........],我设置了 syslog 规则来将这些日志抓取到单独的日志文件,我将其用于 apache2 服务器上的一个小型 Web 应用程序来查看发生了什么。

我附上了在互联网上找到的 iptables 逻辑流程图,我发现它非常有用。

如果不需要,我会完全禁用 IPV6,以避免为此制定单独的规则,并且我选择禁用 UFW 以获得更好的控制。

Iptables 流程图

相关内容