I have a VPS whose interface is venet0:0.
I want to block all incoming traffic on that interface and allow only certain ports:
- TCP 22223-29
- UDP 33330
- TCP 33332
I also want to allow all established connections from the server out to the internet.
There is also a second virtual interface, tun1, on which I want to block everything except these ports:
- TCP 44430
- UDP 44431
I don't yet know how to block all of this.
Below is an example of what I already have, but apache is still reachable on the public IP, which it should not be.
# Flushing all rules
iptables --flush
iptables --delete-chain
iptables -F
iptables -X

### interface section use public Internet (venet0:0) ###
iptables -A INPUT -i venet0:0 -j DROP

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#################################################
# allow loopback
#################################################
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#################################################
# drop all ICMP
#################################################
iptables -A INPUT -p icmp --icmp-type any -j DROP
iptables -A OUTPUT -p icmp -j DROP

#################################################
# allow established connections
#################################################
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#################################################
# allow public per port
#################################################
# 22223
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22223 -j ACCEPT
# 1194 OpenVPN
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
Answer 1
Anything not explicitly allowed (including icmp) is dropped.
#allow related,established
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#Don't mess with loopback
iptables -A INPUT -i lo -j ACCEPT
#accept 2 ports for tun1
iptables -A INPUT -i tun1 -p tcp --dport 44430 -j ACCEPT
iptables -A INPUT -i tun1 -p udp --dport 44431 -j ACCEPT
#accept venet0:0 stuff
iptables -A INPUT -i venet0:0 -p tcp -m multiport --dports 22223:22229,33332 -j ACCEPT
iptables -A INPUT -i venet0:0 -p udp --dport 33330 -j ACCEPT
#literally drop everything else on every adapter
#then default policy doesn't matter
#seen default policy fail to block, maybe it required a reboot
iptables -A INPUT -j DROP
Forward
#allow related,established
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#Don't mess with loopback
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i venet0:0 -p tcp -m multiport --dports 22223:22229,33332 -j ACCEPT
iptables -A FORWARD -i venet0:0 -p udp --dport 33330 -j ACCEPT
#accept 2 ports for tun1
iptables -A FORWARD -i tun1 -p tcp --dport 44430 -j ACCEPT
iptables -A FORWARD -i tun1 -p udp --dport 44431 -j ACCEPT
#Add before DROP rule
#If venet0:0 and tun1 are supposed to talk to each other
#Add next 2 lines (or leave them out and they can't)
iptables -A FORWARD -i venet0:0 -o tun1 -j ACCEPT
iptables -A FORWARD -i tun1 -o venet0:0 -j ACCEPT
#anything not allowed anywhere dropped.
iptables -A FORWARD -j DROP
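As an added example (my code, not the answer's script and not the question's), the same policy written as an `iptables-restore` ruleset so the whole filter table is loaded in one atomic step instead of being appended rule by rule, with a parse-only pass, a policy lint and a timed revert so a mistake does not lock you out of SSH on 22223. The device names are parameters rather than hard-coded, and the backup path `/root/iptables.before` is an assumption. One check worth doing first: `iptables -i` matches the name of the device a packet arrived on, so if `ip link` shows only `venet0` and `venet0:0` is just an address label on it, pass `venet0`, otherwise rules written against `venet0:0` will never match.

```shell
#!/bin/sh
# Added example: build the question's policy as an iptables-restore ruleset,
# check it, then load it atomically with a lockout guard. Not the page's code.
# Assumptions (mine): $1 = public device, $2 = VPN device, backup path below.

# Print the complete filter table. Chain policies are DROP for INPUT and
# FORWARD, so anything unmatched is dropped even without the trailing DROP
# rules; keeping them makes `iptables -L -v` counters show what was dropped.
build_ruleset() {
    pub="$1"
    tun="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the server itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop malformed/untracked packets before any ACCEPT can see them
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public device: only the listed ports, new connections only
-A INPUT -i $pub -p tcp -m conntrack --ctstate NEW -m multiport --dports 22223:22229,33332 -j ACCEPT
-A INPUT -i $pub -p udp --dport 33330 -j ACCEPT
# VPN device: only the listed ports
-A INPUT -i $tun -p tcp -m conntrack --ctstate NEW --dport 44430 -j ACCEPT
-A INPUT -i $tun -p udp --dport 44431 -j ACCEPT
-A INPUT -j DROP
# nothing is routed through this host; add -i $pub -o $tun / -i $tun -o $pub
# ACCEPT rules here only if the two networks are meant to talk to each other
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Sanity-check a ruleset read from stdin: correct table, DROP policies on the
# inbound chains, a COMMIT, and no INPUT ACCEPT that is bound to neither a
# device nor a conntrack state (the kind of rule that exposes apache).
lint_ruleset() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q '^\*filter$'    || { echo "lint: missing *filter" >&2; return 1; }
    printf '%s\n' "$text" | grep -q '^:INPUT DROP'   || { echo "lint: INPUT policy is not DROP" >&2; return 1; }
    printf '%s\n' "$text" | grep -q '^:FORWARD DROP' || { echo "lint: FORWARD policy is not DROP" >&2; return 1; }
    printf '%s\n' "$text" | grep -q '^COMMIT$'       || { echo "lint: missing COMMIT" >&2; return 1; }
    if printf '%s\n' "$text" | grep '^-A INPUT' | grep 'ACCEPT' | grep -v -e '-i ' -e 'ctstate' | grep -q .; then
        echo "lint: INPUT ACCEPT rule bound to no device and no state" >&2
        return 1
    fi
    return 0
}

# Load the ruleset: lint, parse-only test, back up the live table, arm a
# revert that fires in 180 s, then restore in one step. If the new rules cut
# off your SSH session, the old table comes back on its own.
apply_ruleset() {
    pub="$1"
    tun="$2"
    backup="/root/iptables.before"   # assumed location
    [ "$(id -u)" = 0 ] || { echo "run as root" >&2; return 1; }
    build_ruleset "$pub" "$tun" | lint_ruleset || return 1
    build_ruleset "$pub" "$tun" | iptables-restore --test || return 1
    iptables-save > "$backup" || return 1
    ( sleep 180; iptables-restore < "$backup" ) &
    guard=$!
    build_ruleset "$pub" "$tun" | iptables-restore || { kill "$guard"; return 1; }
    echo "rules loaded; if your SSH session on 22223 still works, cancel the revert: kill $guard"
}

case "${1:-}" in
    build) build_ruleset "$2" "$3" ;;
    apply) apply_ruleset "$2" "$3" ;;
esac
```

Usage: `sh fw.sh build venet0 tun1` prints the ruleset for review; `sudo sh fw.sh apply venet0 tun1` loads it and prints the pid of the revert timer to kill once you have confirmed you can still reach port 22223. Because `iptables-restore` swaps the whole table in one operation, there is no window like the one in a flush-then-append script where the policy is already ACCEPT but the DROP rules are not in place yet, and re-running it never duplicates rules.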