iptables hangs when applying rules

I have a set of rules that should give me the most protection possible before something like fail2ban is added to the mix. The problem is that while everything checks out in testing, when I run service iptables restart it shuts down correctly, but then hangs while applying the rules. Here is the set:

# Table header as written by iptables-save; the ACCEPT policies here
# are overridden by the -P lines further down.
#---------------------------------------------------------
*filter
:INPUT ACCEPT [81:5076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3868]

#---------------------------------------------------------
# protection based on http://thelowedown.wordpress.com/2008/07/03/iptables-how-to-use-the-limits-module/
# and https://gist.github.com/virtualstaticvoid/1024546
# and http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
#---------------------------------------------------------

#---------------------------------------------------------
# General rules
#---------------------------------------------------------
# It is generally viewed as best practice to drop all and add
# just what is needed.  Drop and reject to prevent abuse
# of the system and sour the milk.
# Note: with OUTPUT set to DROP, only the outbound traffic explicitly
# accepted below leaves the host (DNS, outgoing SSH, and replies on
# 80/443/3306/22).  New outbound HTTP/HTTPS (yum, wget) is not allowed.
#---------------------------------------------------------
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP


# Allow incoming HTTP
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT


# Allow loopback access
#---------------------------------------------------------
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
# (every other rule in this file treats eth0 as the external
# interface, so check which interface faces the internet here)
#---------------------------------------------------------
-A FORWARD -i eth0 -o eth1 -j ACCEPT

# Allow outbound DNS
#---------------------------------------------------------
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

#---------------------------------------------------------
# DATABASE Connections
#---------------------------------------------------------
# Allow MySQL connection only from a specific network
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT


#---------------------------------------------------------
# SSH
#---------------------------------------------------------
# Allow ALL incoming SSH
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing SSH
#---------------------------------------------------------
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# limit ssh to 10 new connections in 10mins
# note 198.255.255.255 is fake for this post
#---------------------------------------------------------
# Both rules are inserted at the top of INPUT, so the DROP check
# ends up first.  The --set rule must only count NEW connections:
# with NEW,ESTABLISHED every packet of an open session was a hit,
# so one interactive session exceeded 11 hits in 10 minutes and
# locked its own source address out of new connections.
-I INPUT -p tcp -s 0/0 -d 198.255.255.255 --sport 513:65535 --dport 22 -m state --state NEW -m recent --set -j ACCEPT
-I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
-A OUTPUT -p tcp -s 198.255.255.255 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT


#---------------------------------------------------------
# DoS
#---------------------------------------------------------
# Prevent general DoS attack
#---------------------------------------------------------
# As ordered, these three rules are never reached: the unconditional
# ACCEPT rules for 22, 80 and 443 above already matched.  They only
# take effect if moved above those rules, and then they rate-limit
# every packet on the port, not just new connections.
-A INPUT -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 5/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 443 -m limit --limit 5/minute --limit-burst 100 -j ACCEPT

# Syn-flood protection
#---------------------------------------------------------
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Interface 0 incoming syn-flood protection
#---------------------------------------------------------
-N syn_flood
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP

# Furtive port scanner
#---------------------------------------------------------
# The port-scan chain has to be created with -N before any rule
# refers to it, and iptables-restore reads one complete rule per
# line (a trailing backslash is not a continuation), which is why
# the original version of this block failed the test.
-N port-scan
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
-A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A port-scan -j DROP


# Ping of death
#---------------------------------------------------------
# Must be a single line; "-m limit \ --limit 1/s" is a syntax error
# in a restore file.
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Limiting the incoming icmp ping request
#---------------------------------------------------------
# The LOG rule has its own token bucket, so at most one dropped
# ping per second is logged; the rest are dropped silently.
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j ACCEPT


#---------------------------------------------------------
# Logging
#---------------------------------------------------------
# Log dropped packets (everything not accepted above ends up here,
# so the INPUT DROP policy is never consulted)
#---------------------------------------------------------
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP


COMMIT
# End

I had to remove the port-scan and ping of death rules because they would not pass the test. I would like to fix that too.

Any ideas why it passes the test but hangs forever when applying the rules?

Update

So far I have commented out everything except

# Allow all traffic.
#---------------------------------------------------------
*filter
:INPUT ACCEPT [81:5076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3868]

I still get strange results, for example iptables hanging when it starts back up, and not being able to run yum install *. At this point I just need to start over with fixing the rules!
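Because the poster's file passes the restore test yet the service still misbehaves, it helps to lint the file statically before it reaches the kernel. The script below is an added example, not code from the question or from iptables: it reads an iptables-restore file and reports the defect classes visible in the ruleset above (a jump to or rule on a chain never created with -N or a ':CHAIN' header, a backslash line continuation, a rule outside a *table block, a table with no COMMIT, and a DROP policy on INPUT or OUTPUT with no rule accepting the loopback interface). The builtin-chain and standard-target tables and the SAMPLE ruleset are constructed assumptions.

```python
"""Static lint for an iptables-restore ruleset (added example, not the
question's file).  Checks: undefined chains, backslash continuations,
rules outside a table, missing COMMIT, DROP policy with loopback blocked."""
import shlex
from dataclasses import dataclass, field

# Assumed tables of builtin chains and of target extensions that are not user chains.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}
STANDARD_TARGETS = {
    "ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "NFLOG", "ULOG", "QUEUE", "NFQUEUE",
    "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK", "CONNMARK", "TCPMSS", "TOS",
    "TTL", "DSCP", "CLASSIFY", "NOTRACK", "CT", "CHECKSUM", "AUDIT", "TEE", "TRACE", "SET",
}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    message: str


@dataclass
class _Table:
    """State gathered for one *table ... COMMIT block."""
    name: str
    declared: set = field(default_factory=set)       # chains that exist
    refs: list = field(default_factory=list)         # (line, chain, verb) to verify at COMMIT
    policies: dict = field(default_factory=dict)     # builtin chain -> policy
    lo_accepted: set = field(default_factory=set)    # chains with an ACCEPT on lo

    def close(self, lineno):
        out = [Finding(ln, "undefined-chain", f"{verb} chain '{chain}' never created in table {self.name}")
               for ln, chain, verb in self.refs if chain not in self.declared]
        for chain, policy in self.policies.items():
            if policy == "DROP" and chain in ("INPUT", "OUTPUT") and chain not in self.lo_accepted:
                out.append(Finding(lineno, "loopback-blocked", f"{chain} policy is DROP and no rule accepts interface lo"))
        return out


def _tokens(line):
    try:
        return shlex.split(line)       # keeps a quoted --log-prefix as one token
    except ValueError:                 # unbalanced quotes: fall back to whitespace split
        return line.split()


def lint_ruleset(text):
    """Return a list of Finding for the iptables-restore text, in file order."""
    findings, table = [], None
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\\" in line:   # iptables-restore does not join continued lines
            findings.append(Finding(lineno, "continuation", "backslash in rule; iptables-restore reads one rule per line"))
        if line.startswith("*"):
            if table is not None:
                findings.append(Finding(lineno, "missing-commit", f"table '{table.name}' has no COMMIT"))
                findings.extend(table.close(lineno))
            table = _Table(name=line[1:].split()[0])
            table.declared |= BUILTIN_CHAINS.get(table.name, set())
            continue
        if line == "COMMIT":
            if table is None:
                findings.append(Finding(lineno, "stray-commit", "COMMIT with no preceding *table line"))
            else:
                findings.extend(table.close(lineno))
                table = None
            continue
        if table is None:
            findings.append(Finding(lineno, "outside-table", "rule before any *table line"))
            continue
        if line.startswith(":"):                        # ':CHAIN POLICY [pkts:bytes]' header
            parts = line[1:].split()
            table.declared.add(parts[0])
            if len(parts) > 1 and parts[1] != "-":
                table.policies[parts[0]] = parts[1]
            continue
        toks = _tokens(line)
        cmd = toks[0]
        if cmd in ("-N", "--new-chain") and len(toks) > 1:
            table.declared.add(toks[1])
            continue
        if cmd in ("-P", "--policy") and len(toks) > 2:   # -P overrides the header policy
            table.policies[toks[1]] = toks[2]
            continue
        chain = toks[1] if cmd in ("-A", "--append", "-I", "--insert", "-D", "--delete") and len(toks) > 1 else None
        if chain is not None:
            table.refs.append((lineno, chain, "rule on"))
        target = None
        for i, tok in enumerate(toks[:-1]):
            if tok in ("-j", "--jump", "-g", "--goto"):
                target = toks[i + 1]
        if target is not None and target not in STANDARD_TARGETS:
            table.refs.append((lineno, target, "jump to"))
        if chain and target == "ACCEPT":
            for i, tok in enumerate(toks[:-1]):
                if tok in ("-i", "-o", "--in-interface", "--out-interface") and toks[i + 1] == "lo":
                    table.lo_accepted.add(chain)
    if table is not None:
        findings.append(Finding(len(lines), "missing-commit", f"table '{table.name}' has no COMMIT"))
        findings.extend(table.close(len(lines)))
    return findings


# Constructed sample (not the poster's file): the same defect classes in miniature.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
-A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A port-scan -j DROP
-A FORWARD -p icmp --icmp-type echo-request -m limit \\ --limit 1/s -j ACCEPT
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
COMMIT
"""

if __name__ == "__main__":
    for f in lint_ruleset(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.message}")
```

Run it against a saved copy of the file by reading that file in place of SAMPLE. It complements iptables-restore --test rather than replacing it: the test run catches the missing port-scan chain, but it will happily commit a ruleset whose OUTPUT policy is DROP with loopback blocked, which is exactly the kind of file that applies cleanly and then leaves local services unable to talk to each other.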
