iptables-restore sets INPUT to accept everything

This is my /etc/iptables/rules.v4:

*filter

-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ftp
-A INPUT  -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Allow Active FTP Connections
-A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
# Allow Passive FTP Connections
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows SSH connections
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Nothing fancy, just copy-pasted from http://wiki.debian.org/iptables. The problem is that when I finally restore it with iptables-restore, an "ACCEPT all anywhere/anywhere" rule gets inserted at the top of every chain:

root@host:/etc/iptables# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED

I know that iptables-restore flushes all previous tables before loading the saved rules. I have no idea where those "accept all" rules come from. Please help.

Answer 1

As Katherine mentioned, you need to make sure you flush all the chains beforehand.

iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD

I also chose to reset the policies:

iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

Answer 2

There is no flush problem. It is because you added a rule that allows all traffic on the loopback interface. If you use "iptables -L -v", you will see that the "allow all" rule applies only to the local loopback interface.

Answer 3

Your file is missing the following:

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

Before listing the rules, you appear to have already set the default policies with these commands:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

So if you set the default policies and then run iptables-save, you should see the lines above. Save that into your file, then restore it with iptables-restore.

Answer 4

It is because you have a rule that allows traffic from anywhere to anywhere:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Of course, it only allows packets belonging to established sessions, but iptables -L does not show that. Try iptables -L -v for more complete output.
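To see both points at once (the interface match that `iptables -L` hides, from answers 2 and 4, and the missing `:CHAIN POLICY` lines from answer 3), here is a small checker I added; it is my own example, not code from the question or from any of the answers. It parses a trimmed, constructed copy of the question's rules.v4, and its `render()` only approximates the column layout of `iptables -L`.

```python
# Constructed sample: a trimmed copy of the question's rules.v4, which has no ':CHAIN POLICY' lines.
RULES_V4 = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""
OPTS = {"-j": "target", "-p": "proto", "-i": "in_iface", "-s": "src", "-d": "dst"}

def parse_rule(line):
    """Extract the fields that matter here: chain, target, protocol, in-interface, src/dst."""
    toks = line.split()
    rule = {"chain": toks[1], "target": None, "proto": "all", "in_iface": None,
            "src": "anywhere", "dst": "anywhere", "raw": line}
    i = 2
    while i < len(toks):
        neg = ""
        if toks[i] == "!":               # negation applies to the next option, e.g. '! -i lo'
            neg, i = "!", i + 1
        if toks[i] in OPTS:
            rule[OPTS[toks[i]]] = neg + toks[i + 1]
            i += 2
        else:
            i += 1                       # -m state, --dport, ... do not change the columns shown here
    return rule
def parse_rules(text):
    """Return (policies, rules) from iptables-save/restore text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):         # ':INPUT DROP [0:0]' declares a built-in chain's policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules
def missing_policies(policies):
    """Built-in chains without a policy line; iptables-restore then leaves their current policy untouched."""
    return [c for c in ("INPUT", "FORWARD", "OUTPUT") if c not in policies]
def render(rule, verbose=False):
    """Approximate the row `iptables -L` prints; the in-interface column appears only with -v."""
    cols = [rule["target"], rule["proto"], "--"] + ([rule["in_iface"] or "*"] if verbose else [])
    return " ".join(cols + [rule["src"], rule["dst"]])
def looks_like_accept_all(rules):
    """ACCEPT rules that -L shows as 'ACCEPT all -- anywhere anywhere' although an interface match limits them."""
    return [r["raw"] for r in rules if r["target"] == "ACCEPT" and r["in_iface"]
            and render(r) == "ACCEPT all -- anywhere anywhere"]
```

Running `missing_policies` on the question's file reports all three built-in chains, which is why the listing still shows `policy ACCEPT`, and `looks_like_accept_all` returns only the `-i lo` rule.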
