If I omit this line
$IPT -I INPUT -i $WAN_NIC -j ACCEPT
from the firewall script below, then I cannot SSH into the server.
My understanding is that
$IPT -I INPUT -i $WAN_NIC -j ACCEPT
allows all traffic from $WAN_NIC and makes
$IPT -A INPUT -i $WAN_NIC -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -i $WAN_NIC -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -i $WAN_NIC -p tcp --dport www -j ACCEPT
$IPT -A INPUT -j REJECT
redundant, which is not what I want.
My goal is to allow only SSH, WWW and ping on WAN_NIC.
Question
What should the rules look like if I only want to allow SSH, WWW and ping on WAN_NIC?
Script
$IPT -F
$IPT -X
# Allow all outgoing
$IPT -P OUTPUT ACCEPT
# Filter rules
$IPT -A INPUT -i lo -j ACCEPT
$IPT -I INPUT -i $WAN_NIC -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $WAN_NIC -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -i $WAN_NIC -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -i $WAN_NIC -p tcp --dport www -j ACCEPT
$IPT -A INPUT -j REJECT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P INPUT ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
# Masquerade 192.168.245.8 - 192.168.245.255
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -A POSTROUTING -s $CLIENT_NET1 -o $WAN_NIC -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $CLIENT_NET2 -o $WAN_NIC -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $CLIENT_NET3 -o $WAN_NIC -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $CLIENT_NET4 -o $WAN_NIC -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $CLIENT_NET5 -o $WAN_NIC -j MASQUERADE
# Allow only IPs from LAN_NET to connect to LAN_NIC
$IPT -A FORWARD -i $LAN_NIC ! -s $LAN_NET -j DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward 192.168.245.8 - 192.168.245.255. The first 7 IPs are reserved for failover etc
$IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET1 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET2 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET3 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET4 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $CLIENT_NET5 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -j REJECT
Update
Added my nat rules and the following output from iptables, taken while I could not SSH in.
root@ts:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.245.0/24 anywhere
ACCEPT all -- linuxterm2.local anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- !192.168.245.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.245.128/25 anywhere state NEW
ACCEPT all -- 192.168.245.64/26 anywhere state NEW
ACCEPT all -- 192.168.245.32/27 anywhere state NEW
ACCEPT all -- 192.168.245.16/28 anywhere state NEW
ACCEPT all -- 192.168.245.8/29 anywhere state NEW
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ts:~#
Answer 1
Your rule order is probably wrong; if you are not using a default policy (why not?), then the order matters.
Show the output of iptables -L.
If you set a default policy of REJECT on the WAN interface, then you only need rules for those 3 protocols plus an ESTABLISHED rule to allow responses to outgoing traffic.
Of course, if you have NAT rules, most of that is ignored.
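To make the ordering point concrete, the following is an added example (it is not part of the question or of either answer): a minimal first-match evaluator that walks the INPUT chain from the question's iptables -L listing the way the kernel does, first in the posted order and then with the stray REJECT that precedes the service rules removed. The interface name eth0 stands in for $WAN_NIC, all packets are constructed, and the two source-address ACCEPT rules from the listing are left out because packets arriving from the WAN would not match them. It also goes slightly beyond the question by checking a non-allowed port and an established reply, to show that only the stray REJECT changes the outcome.

```python
# Added example: first-match evaluation of an iptables INPUT chain.
# Rules are transcribed from the question's listing; packets are constructed.
from dataclasses import dataclass
from typing import Optional

WAN = "eth0"  # constructed interface name standing in for $WAN_NIC


@dataclass(frozen=True)
class Packet:
    in_iface: str                     # interface the packet arrived on
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int]              # TCP/UDP destination port, None for ICMP
    state: str                        # conntrack state: NEW, ESTABLISHED or RELATED
    icmp_type: Optional[str] = None   # e.g. "echo-request"


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT / DROP / REJECT
    in_iface: Optional[str] = None           # -i
    proto: Optional[str] = None              # -p
    dport: Optional[int] = None              # --dport
    states: Optional[frozenset] = None       # -m state --state ...
    icmp_type: Optional[str] = None          # --icmp-type

    def matches(self, pkt: Packet) -> bool:
        # Every criterion the rule names must hold; anything left unset is a
        # wildcard, exactly as with an iptables rule that omits that match.
        return (
            (self.in_iface is None or self.in_iface == pkt.in_iface)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.states is None or pkt.state in self.states)
            and (self.icmp_type is None or self.icmp_type == pkt.icmp_type)
        )


def verdict(chain: list, pkt: Packet, policy: str = "DROP") -> tuple:
    """Walk the chain top to bottom. The first matching rule decides;
    if nothing matches, the chain policy applies (index None)."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, idx
    return policy, None


ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})

# INPUT chain as listed in the question (policy DROP). Note the REJECT that
# sits above the icmp/ssh/www ACCEPT rules: it is reached first for any NEW
# packet from the WAN, so those ACCEPT rules can never be hit.
POSTED_CHAIN = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", states=ESTABLISHED),
    Rule("REJECT"),
    Rule("ACCEPT", in_iface=WAN, proto="icmp", icmp_type="echo-request"),
    Rule("ACCEPT", in_iface=WAN, proto="tcp", dport=22),
    Rule("ACCEPT", in_iface=WAN, proto="tcp", dport=80),
    Rule("REJECT"),
]

# The same chain with the early REJECT removed, so the catch-all is last.
INTENDED_CHAIN = [r for i, r in enumerate(POSTED_CHAIN) if i != 2]

# Constructed packets arriving on the WAN interface.
SSH_SYN = Packet(WAN, "tcp", 22, "NEW")
HTTP_SYN = Packet(WAN, "tcp", 80, "NEW")
PING = Packet(WAN, "icmp", None, "NEW", icmp_type="echo-request")
TELNET_SYN = Packet(WAN, "tcp", 23, "NEW")          # not in the allow list
REPLY = Packet(WAN, "tcp", 54321, "ESTABLISHED")    # answer to our own outbound flow


def compare(pkt: Packet) -> dict:
    """Verdict of one packet under both orderings, for side-by-side display."""
    return {"posted": verdict(POSTED_CHAIN, pkt), "intended": verdict(INTENDED_CHAIN, pkt)}


if __name__ == "__main__":
    for name, pkt in [("ssh", SSH_SYN), ("http", HTTP_SYN), ("ping", PING),
                      ("telnet", TELNET_SYN), ("reply", REPLY)]:
        r = compare(pkt)
        print(f"{name:7s} posted={r['posted']!s:16s} intended={r['intended']}")
```

Run as a script it prints one line per packet; in the posted order every NEW packet from the WAN, including the SSH SYN, stops at rule index 2 (the early REJECT), while with that rule gone the SSH, HTTP and ping packets reach their ACCEPT rules and the telnet SYN still falls through to the final REJECT. Established replies are accepted in both orders, which is why outbound connections kept working while inbound SSH did not.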
Answer 2
Found the problem.
$IPT -A INPUT -j REJECT
should be
$IPT -i $WAN_NIC -A INPUT -j ACCEPT
or left out entirely, because I drop everything at the start anyway, so the REJECT has no effect.