Is this a suitable set of IPTables rules?

Can someone tell me whether the following ruleset is suitable, assuming the (Ubuntu 12.04) server's requirements are only SSH, NTP (client), HTTP(S) and system updates (apt-get/aptitude)? My idea is to drop all traffic by default and open only the necessary ports, for the necessary states, on the necessary interfaces...

*filter

#------------------------------------------------------------------------------
# Defaults
#------------------------------------------------------------------------------

-P INPUT   DROP
-P OUTPUT  DROP
-P FORWARD DROP

#------------------------------------------------------------------------------
# Loopback
#------------------------------------------------------------------------------

-A INPUT  -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#------------------------------------------------------------------------------
# SSH
#------------------------------------------------------------------------------

-A INPUT  -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED,RELATED     -j ACCEPT

#-------------------------------------------------------------------------------
# NTP
#-------------------------------------------------------------------------------

-A INPUT  -i eth0 -p udp --sport 123 -m state --state ESTABLISHED,RELATED     -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#------------------------------------------------------------------------------
# DNS
#------------------------------------------------------------------------------

-A INPUT  -i eth0 -p udp --sport 53 -m state --state ESTABLISHED,RELATED     -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#------------------------------------------------------------------------------
# Updates
#------------------------------------------------------------------------------

-A INPUT  -i eth0 -p tcp --sport 80  --dport 32768:61000 -m state --state ESTABLISHED,RELATED     -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80  --sport 32768:61000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT  -i eth0 -p tcp --sport 443 --dport 32768:61000 -m state --state ESTABLISHED,RELATED     -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 --sport 32768:61000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#------------------------------------------------------------------------------
# Logging
#------------------------------------------------------------------------------

-A INPUT -m limit --limit 125/min -j LOG --log-prefix "IPTABLES DENIED " --log-level 7

COMMIT

Am I missing anything? Many thanks.

Answer 1

Note that with this ruleset you also restrict outbound traffic to specific ports only. You may run into problems with that at some point (e.g. cloning a git repository). You might want to remove the -A OUTPUT rules and instead add the following before COMMIT:

## Allow inbound established and related outside communication
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow initiating outbound communications
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

You may also want to allow ICMP traffic (ping etc.):

## Allow ICMP traffic
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Finally, the following drops packets arriving from outside that claim to come from localhost (add it before the loopback rules):

## Drop outside packets with localhost address - anti-spoofing measure
-A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP
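As an added example (not part of the question or the answer), a small Python linter that reads an iptables-save style ruleset and checks it for the points the answer raises: a generic ESTABLISHED,RELATED rule on INPUT, outbound NEW connections not pinned to explicit ports, an ICMP rule, and the 127.0.0.0/8 anti-spoofing drop. The two sample rulesets are constructed, abbreviated versions of the asker's rules before and after the suggested changes.

```python
# Constructed samples; both rulesets share the asker's default DROP policies.
POLICIES = "-P INPUT DROP\n-P OUTPUT DROP\n-P FORWARD DROP\n"
# Abbreviated form of the asker's ruleset: SSH in, HTTP out, everything per port.
ORIGINAL = POLICIES + """-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 --dport 32768:61000 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 --sport 32768:61000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"""
# The same ruleset with the answer's suggestions applied.
REVISED = POLICIES + """-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"""

def parse(text):
    """Return ({chain: policy}, [(chain, rule)]) from iptables-save style lines."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        elif line.startswith("-A "):
            _, chain, rule = line.split(maxsplit=2)
            rules.append((chain, rule))
    return policies, rules

def lint(text):
    """Return findings for the points the answer raises; an empty list means clean."""
    policies, rules = parse(text)
    inp = [r for c, r in rules if c == "INPUT"]
    out = [r for c, r in rules if c == "OUTPUT"]
    findings = [f"{c} policy is not DROP" for c in ("INPUT", "OUTPUT", "FORWARD")
                if policies.get(c) != "DROP"]
    if not any("-i lo" in r and "! -i lo" not in r and "-j ACCEPT" in r for r in inp):
        findings.append("loopback traffic is not accepted on INPUT")
    # Accept return traffic once, generically, instead of one --sport rule per service.
    if not any("ESTABLISHED,RELATED" in r and "-p " not in r for r in inp):
        findings.append("no generic INPUT ESTABLISHED,RELATED rule")
    # Outbound NEW connections pinned to explicit ports break things like git clone.
    new_out = [r for r in out if "NEW" in r]
    if new_out and all("--dport" in r for r in new_out):
        findings.append("outbound NEW connections are limited to explicit ports")
    if not any("-p icmp" in r for r in out):
        findings.append("no OUTPUT rule for ICMP")
    if not any("127.0.0.0/" in r and "-j DROP" in r for r in inp):
        findings.append("no anti-spoofing DROP for 127.0.0.0/8 on non-loopback interfaces")
    return findings
```

Running lint(ORIGINAL) reports the four issues the answer describes, while lint(REVISED) returns an empty list.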
