有人能告诉我,假设给定 (Ubuntu 12.04) 服务器的需求仅为 SSH、NTP (客户端)、HTTP(S) 和系统更新 (apt-get
或aptitude
),以下规则集是否合适?我的想法是默认丢弃所有流量,并仅在必要的状态和接口上打开必要的端口...
*filter
#------------------------------------------------------------------------------
# Defaults
#------------------------------------------------------------------------------
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
#------------------------------------------------------------------------------
# Loopback
#------------------------------------------------------------------------------
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#------------------------------------------------------------------------------
# SSH
#------------------------------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
#-------------------------------------------------------------------------------
# NTP
#-------------------------------------------------------------------------------
-A INPUT -i eth0 -p udp --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#------------------------------------------------------------------------------
# DNS
#------------------------------------------------------------------------------
-A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#------------------------------------------------------------------------------
# Updates
#------------------------------------------------------------------------------
-A INPUT -i eth0 -p tcp --sport 80 --dport 32768:61000 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 --sport 32768:61000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 --dport 32768:61000 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 --sport 32768:61000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#------------------------------------------------------------------------------
# Logging
#------------------------------------------------------------------------------
-A INPUT -m limit --limit 125/min -j LOG --log-prefix "IPTABLES DENIED " --log-level 7
COMMIT
我是不是忽略了什么?非常感谢。
答案1
请注意,使用此规则集,您还可以将出站流量限制为仅特定端口。您可能会在某些时候因此遇到问题(例如克隆 git 存储库)。您可能希望删除规则,-A OUTPUT
而是在之前添加以下内容COMMIT
:
## Allow inbound established and related outside communication
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allow initiating outbound communications
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
您可能还想允许 ICMP 流量(ping 等):
## Allow ICMP traffic
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
最后,下面的操作将丢弃外部以本地主机身份发送数据包的数据包(在环回规则之前添加):
## Drop outside packets with localhost address - anti-spoofing measure
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP