I'm following this guide: http://isalazyadmin.net/2009/07/02/configuring-a-basic-firewall-for-debian-linux/
I put in the iptables rules shown, but my server still seems to accept all incoming connections (i.e. bittorrent peers are still connecting, even though I don't allow those ports).
/etc/iptables.rules
*filter
# This will allow all loopback (lo0) traffic and drop all traffic to 127/8
# that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# This allows all outbound traffic
-A OUTPUT -j ACCEPT
# This will allow HTTP and HTTPS connections from anywhere; these are the normal
# ports used for a web server
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow bittorrent/rtorrent ports, from ~/.rtorrent.rc
## -A INPUT -p tcp --dport 8071:8079 -j ACCEPT
# Allow ICMP ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
When I run iptables -L after rebooting, I still have this as my first rule:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Not sure where this is coming from.
Here is the full listing:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Here is the output of iptables-save:
# Generated by iptables-save v1.4.8 on Fri Jan 11 09:54:19 2013
*raw
:PREROUTING ACCEPT [6701:942626]
:OUTPUT ACCEPT [8927:989420]
COMMIT
# Completed on Fri Jan 11 09:54:19 2013
# Generated by iptables-save v1.4.8 on Fri Jan 11 09:54:19 2013
*nat
:PREROUTING ACCEPT [3281:284415]
:INPUT ACCEPT [9:720]
:OUTPUT ACCEPT [1758:148908]
:POSTROUTING ACCEPT [1758:148908]
COMMIT
# Completed on Fri Jan 11 09:54:19 2013
# Generated by iptables-save v1.4.8 on Fri Jan 11 09:54:19 2013
*mangle
:PREROUTING ACCEPT [6701:942626]
:INPUT ACCEPT [6701:942626]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8928:989684]
:POSTROUTING ACCEPT [8928:989684]
COMMIT
# Completed on Fri Jan 11 09:54:19 2013
# Generated by iptables-save v1.4.8 on Fri Jan 11 09:54:19 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jan 11 09:54:19 2013
Here is the iptables -vL output:
$ sudo iptables -vL
[sudo] password for ettinger:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8303 1206K ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- !lo any anywhere loopback/8 reject-with icmp-port-unreachable
12M 7191M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
18 980 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
7 344 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
379 22728 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
18316 1110K ACCEPT tcp -- any any anywhere anywhere tcp dpts:8071:8079
120K 15M ACCEPT udp -- any any anywhere anywhere udp dpt:6881
24809 1489K ACCEPT tcp -- any any anywhere anywhere tcp dpt:9001
688 35244 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9030
874 73072 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
12705 871K REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
14M 12G ACCEPT all -- any any anywhere anywhere
Answer 1
The line you're worried about:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
is actually produced by your rule:
-A INPUT -i lo -j ACCEPT
Note that the interface is explicit in the rule, but not in the -L output. Move that rule to the middle of the list, load it with iptables-restore, and notice that the "ACCEPT all -- anywhere anywhere" line has moved down as well. Now try changing the rule slightly:
-A INPUT -i lo -s 127.0.0.1 -j ACCEPT
The -L output will become:
target prot opt source destination
ACCEPT all -- localhost.localdomain anywhere
"localhost.localdomain" will be whatever hostname /etc/hosts gives 127.0.0.1. That at least makes it clearer where the rule comes from.
You can also see more detail, including the interface, with iptables -vL.
By the way, you may want to start your rules with:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
so that, for safety, everything is dropped by default. That is considered impolite, however (see the link in Gilles' comment below), so you may want to use -j REJECT --reject-with icmp-net-prohibited for each instead.
Answer 2
For completeness, and to avoid this problem in the future, use the verbose -v command-line option when displaying the tables, like so:
iptables -Lv
The output should now include the interface each rule applies to in the "in" and "out" columns:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
151 13073 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
126 33414 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
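The Python script below is an added example for this page, not code from the question or from either answer. It serves both Answer 1 (the `-i lo` rule is what `-L` shows as "ACCEPT all -- anywhere anywhere") and Answer 2 (only `-v` adds the in/out columns): it parses iptables-save text with a small parser of my own, so it needs neither root nor an iptables binary, and renders each rule roughly the way `-L` and `-vL` print it (it does not translate ports to service names or 127.0.0.0/8 to loopback/8). It goes a little beyond the answers with two checks a practitioner would want: which chains still rely on an ACCEPT policy, matching Answer 1's advice to start with `:INPUT DROP`, and which live rules are absent from the rules file, since the question's `-vL` listing contains ACCEPT rules for 8071:8079, 6881, 9001 and 9030 that its iptables-save output and rules file do not. Both string constants are samples constructed from the question's own listings, and every function name is mine.

```python
import shlex
from dataclasses import dataclass, field, replace

# Constructed sample: the *filter section of the question's iptables-save output.
RULES_FILE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
"""
# Constructed: the live rule set as the file plus two of the extra ACCEPTs the question's -vL shows.
LIVE_RULES = RULES_FILE.replace("-A INPUT -j REJECT", (
    "-A INPUT -p tcp -m tcp --dport 8071:8079 -j ACCEPT\n"
    "-A INPUT -p udp -m udp --dport 6881 -j ACCEPT\n-A INPUT -j REJECT"))

@dataclass
class Rule:                      # defaults are what -vL prints when an option is absent
    chain: str
    target: str = ""
    proto: str = "all"
    src: str = "anywhere"
    dst: str = "anywhere"
    in_if: str = "any"
    out_if: str = "any"
    matches: list = field(default_factory=list)      # "dport 22", "state NEW", ...
    target_opts: list = field(default_factory=list)  # "reject-with icmp-port-unreachable"

FIELD_FOR = {"-i": "in_if", "-o": "out_if", "-p": "proto", "-s": "src", "-d": "dst"}

def parse_rule(line):
    """Parse one `-A CHAIN ...` line in iptables-save syntax, where `!` precedes the option."""
    toks = shlex.split(line)
    rule, i, neg, after_jump = Rule(chain=toks[1]), 2, False, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            neg, i = True, i + 1
            continue
        mark, neg = ("!" if neg else ""), False
        val = toks[i + 1]
        if tok in FIELD_FOR:
            setattr(rule, FIELD_FOR[tok], mark + val)
        elif tok == "-j":
            rule.target, after_jump = val, True
        elif tok.startswith("--"):    # other options: a match before -j, a target option after it
            (rule.target_opts if after_jump else rule.matches).append(f"{mark}{tok[2:]} {val}")
        elif tok != "-m":             # "-m module" matches nothing by itself; anything else is unknown
            raise ValueError(f"unhandled option {tok!r} in {line!r}")
        i += 2
    return rule

def parse_filter(text):
    """Return ({chain: policy}, [Rule, ...]) for the *filter table of iptables-save output."""
    lines = text.split("*filter\n", 1)[1].split("\nCOMMIT", 1)[0].splitlines()
    policies = {ln.split()[0][1:]: ln.split()[1] for ln in lines if ln.startswith(":")}
    return policies, [parse_rule(ln) for ln in lines if ln.startswith("-A ")]

def render(rules, chain, verbose=False):
    """Rows as `iptables -L CHAIN` prints them; only `-v` adds the in/out columns."""
    rows = []
    for r in (r for r in rules if r.chain == chain):
        cols = [r.target, r.proto, "--"] + ([r.in_if, r.out_if] if verbose else [])
        rows.append(" ".join(cols + [r.src, r.dst] + r.matches + r.target_opts))
    return rows

def matches_everything(r):
    """True when the rule carries no match at all, so every packet in the chain hits it."""
    return not r.matches and (r.proto, r.src, r.dst, r.in_if, r.out_if) == (
        "all", "anywhere", "anywhere", "any", "any")

def interface_only_rules(rules):
    """Rules whose only match is an interface: under -L they look identical to a match-all."""
    return [r for r in rules if (r.in_if, r.out_if) != ("any", "any")
            and matches_everything(replace(r, in_if="any", out_if="any"))]

def chains_open_by_default(policies, rules):
    """Chains with policy ACCEPT whose last rule is not an unconditional DROP/REJECT."""
    last = {r.chain: r for r in rules}          # later rules overwrite, so this keeps the last one
    return [c for c, p in policies.items() if p == "ACCEPT" and not (
        c in last and last[c].target in ("DROP", "REJECT") and matches_everything(last[c]))]

def rules_not_in_file(file_text, live_text):
    """Live rules the rules file never added: something else on the box must have loaded them."""
    file_rules = parse_filter(file_text)[1]
    return [r for r in parse_filter(live_text)[1] if r not in file_rules]

if __name__ == "__main__":
    rules = parse_filter(RULES_FILE)[1]
    for verbose in (False, True):
        print(f"--- iptables {'-vL' if verbose else '-L'} INPUT ---", *render(rules, "INPUT", verbose), sep="\n")
```

On the sample, the first `-L` row comes out as "ACCEPT all -- anywhere anywhere" while the `-vL` row for the same rule reads "ACCEPT all -- lo any anywhere anywhere"; `interface_only_rules` returns just that `-i lo` rule, `chains_open_by_default` returns `['OUTPUT']` (its policy is ACCEPT and its only rule is an unconditional ACCEPT), and `rules_not_in_file` returns the two constructed extra ACCEPTs. To run it against a real box, replace the two constants with the contents of /etc/iptables.rules and the output of `iptables-save`; the parser only understands the `! -i lo` negation syntax that this iptables-save version emits, not the older `-i ! lo` form.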
Answer 3
The problem is in this part of the INPUT chain:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Specifically the last line. Everything after this line is pointless, because this line accepts everything.
You have to delete this line from the rules with the following command:
iptables -D INPUT 1
You have to check your firewall rules to find where, and by which rule, this line gets added.