当我设置这些 IPTables 规则时,我无法通过 SSH 访问服务器。IPTables 规则不是持久的,因此我重新启动服务器才能再次访问。
当我尝试登录时,根据这些规则出现此错误:
ssh_exchange_identification: read: Connection timed out
我的设置有什么问题?也许还有其他问题,而不仅仅是 SSH?
这里是:
#!/bin/sh
IPT="/sbin/iptables"
# Delete all existing rules
$IPT -F
# Set default chain policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
### 1: Drop invalid packets ###
$IPT -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
### 2: Drop TCP packets that are new and are not SYN ###
$IPT -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
### 3: Drop SYN packets with suspicious MSS value ###
$IPT -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
### 4: Block packets with bogus TCP flags ###
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
### 5: Block spoofed packets ###
$IPT -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
$IPT -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
$IPT -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
$IPT -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
$IPT -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPT -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPT -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
$IPT -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
$IPT -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
### 6: Drop ICMP (you usually don't need this protocol) ###
$IPT -t mangle -A PREROUTING -p icmp -j DROP
### 7: Drop fragments in all chains ###
$IPT -t mangle -A PREROUTING -f -j DROP
### 8: Limit connections per source IP ###
$IPT -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
### 9: Limit RST packets ###
$IPT -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags RST RST -j DROP
### 10: Limit new TCP connections per second per source IP ###
$IPT -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
$IPT -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
$IPT -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
$IPT -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
### 12: SSH brute-force protection
$IPT -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
$IPT -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
### 13: Protection against port scanning ###
$IPT -N port-scanning
$IPT -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
$IPT -A port-scanning -j DROP
### 14. Log dropped packets
$IPT -N LOGGING
$IPT -A INPUT -j LOGGING
$IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
$IPT -A LOGGING -j DROP
### 15. Drop all NULL packets
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
### 16. Set some default rules
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp --sport 123 -j ACCEPT #NTP time server port
$IPT -A INPUT -i lo -j ACCEPT #Allow localhost connections e.g. between webserver and database
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT #Allow SSH on given port
$IPT -A INPUT -p tcp --dport http -j ACCEPT #Allow HTTP
$IPT -A INPUT -p tcp --dport https -j ACCEPT #Allow HTTPS
$IPT -A INPUT -p udp --sport 53 -j ACCEPT #Allow DNS Connection
### 17. Forward Rules
$IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT
### 18. Ping
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
### 19. DEFAULT DROP RULES
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP #Drop invalid traffic
答案1
您正在 shell 脚本中按顺序设置每个规则,其中DROP值位于ACCEPT值之前。
当您像这样设置 IPTables 规则时(实际上是通过 shell 脚本逐个设置),每条规则都会立即执行。因此,DROP在到达ACCEPT目标之前,目标会断开您的连接。
除非有真正特定的原因需要按顺序添加 IPTable 规则,否则您实际上会让设置/更新规则的过程变得比需要的复杂得多。而且,您还可能将自己锁定在自己的服务器之外;这实际上就是您现在正在发生的事情。
你应该只使用iptables-save和iptables-restore。当你使用这些工具时,规则直到全部规则是一次性加载的,并且只能一次性执行,而不是DROP然后再执行ACCEPT。
使用iptables-save如下方法保存你的 IP 表内容:
sudo iptables-save > ~/rules.v4
然后使用iptables-restore如下恢复规则:
sudo iptables-restore < ~/rules.v4
该rules.v4文件是应该编辑规则的地方。
话虽如此,或许你可以像这样运行该脚本:
nohup [scriptname].sh & exit
这样做的目的是在后台运行脚本(&行末的),并且不会挂断(nohup行首的),这样如果断开与服务器的连接,脚本就会停止运行。这exit就是它的本质:它简单而优雅地从服务器注销。
但是因为 - 如果您使用此nohup方法&- 您正在运行该脚本,nohup然后&执行后台任务,shell 脚本仍将运行,设置所有规则,并且当它达到规则时ACCEPT您应该能够再次进入服务器。
更新:由于原始海报似乎认为设置 IPTables 规则的唯一方法是通过他们在 Bash 脚本中使用的命令行方法,因此这里有一个我喜欢与 IPTables 一起使用的基本、可靠且相对简单的规则集。
这些规则看起来与您的规则相似,因此只需进行少量调整,就可以适合您。
唯一需要注意的调整是,应调整123.456.789.0端口22行以匹配您希望允许通过标准 SSH 规则的任何 IP 地址。端口80和443在此配置中是开放的,因为它们是标准 Web 端口;根据服务器需求添加或删除它们。
# NAT stuff.
*nat
:PREROUTING ACCEPT [2:80]
:INPUT ACCEPT [2:80]
:OUTPUT ACCEPT [3:198]
:POSTROUTING ACCEPT [3:198]
COMMIT
# Mangle stuff.
*mangle
:PREROUTING ACCEPT [87:6395]
:INPUT ACCEPT [87:6395]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:4502]
:POSTROUTING ACCEPT [50:4502]
COMMIT
# Filter stuff.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:4502]
:BANNED_ACTIONS - [0:0]
:DDOS_ACTIONS - [0:0]
:DDOS_DETECT - [0:0]
:SPOOF_ACTIONS - [0:0]
:SPOOF_DETECT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DDOS_DETECT
-A INPUT -j SPOOF_DETECT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Define the banned actions.
-A BANNED_ACTIONS -j REJECT --reject-with icmp-host-prohibited
# Define the DDoS actions.
-A DDOS_ACTIONS -p tcp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "IPTABLES_DENIED_TCP: "
-A DDOS_ACTIONS -p udp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "IPTABLES_DENIED_UDP: "
-A DDOS_ACTIONS -p icmp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "IPTABLES_DENIED_ICMP: "
-A DDOS_ACTIONS -j REJECT --reject-with icmp-host-prohibited
# Drop invalid SYN packets.
-A DDOS_DETECT -p tcp -m tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DDOS_ACTIONS
-A DDOS_DETECT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DDOS_ACTIONS
-A DDOS_DETECT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DDOS_ACTIONS
# The combination of these TCP flags is not defined.
-A DDOS_DETECT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DDOS_ACTIONS
-A DDOS_DETECT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DDOS_ACTIONS
-A DDOS_DETECT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DDOS_ACTIONS
-A DDOS_DETECT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DDOS_ACTIONS
-A DDOS_DETECT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DDOS_ACTIONS
-A DDOS_DETECT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DDOS_ACTIONS
-A DDOS_DETECT -p tcp -m tcp --tcp-flags ACK,URG URG -j DDOS_ACTIONS
# Drop new incoming TCP connections are not SYN packets.
-A DDOS_DETECT -p tcp -m tcp ! --syn -m state --state NEW -j DDOS_ACTIONS
# Drop packets with incoming fragments.
-A DDOS_DETECT -p tcp -m tcp --tcp-flags ALL ALL -j DDOS_ACTIONS
# Define the spoof actions.
-A SPOOF_ACTIONS -j ACCEPT
# -A SPOOF_ACTIONS -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "IPTABLES_DENIED_SPOOF: "
# -A SPOOF_ACTIONS -j REJECT --reject-with icmp-host-prohibited
# One batch of spoof detection addresses.
-A SPOOF_DETECT -s 10.0.0.0/8 -j SPOOF_ACTIONS
# -A SPOOF_DETECT -s 169.254.0.0/16 -j SPOOF_ACTIONS
# -A SPOOF_DETECT -s 172.16.0.0/12 -j SPOOF_ACTIONS
-A SPOOF_DETECT -s 127.0.0.0/8 -j SPOOF_ACTIONS
# Another batch of spoof detection addresses.
-A SPOOF_DETECT -s 224.0.0.0/4 -j SPOOF_ACTIONS
-A SPOOF_DETECT -d 224.0.0.0/4 -j SPOOF_ACTIONS
-A SPOOF_DETECT -s 240.0.0.0/5 -j SPOOF_ACTIONS
-A SPOOF_DETECT -d 240.0.0.0/5 -j SPOOF_ACTIONS
-A SPOOF_DETECT -s 0.0.0.0/8 -j SPOOF_ACTIONS
-A SPOOF_DETECT -d 0.0.0.0/8 -j SPOOF_ACTIONS
-A SPOOF_DETECT -d 239.255.255.0/24 -j SPOOF_ACTIONS
-A SPOOF_DETECT -d 255.255.255.255/32 -j SPOOF_ACTIONS
# Commit it.
COMMIT
只需将这些 IPTables 规则保存到名为的文件中rules.mp4,然后运行 IPTables 恢复命令,如下所示:
sudo iptables-restore < ~/rules.v4
然后运行此命令列出 IPTables 规则,如下所示查看已设置的所有规则:
sudo iptables -L -n
rules.ip4该列表应该看起来像我上面发布的示例。