I have been trying to set up a firewall on my Debian gateway using iptables. The gateway is connected on eth0 to the network 12.120.0.0/24, which sits behind a NAT; behind the gateway, on eth1, is the subnet 12.120.4.0/24. I have done a lot of research, and most of the articles I have read set the gateway up as a NAT; the rest did not work for me. The gateway does not need to act as a NAT for the subnet, because when the firewall is flushed it can reach every other machine on the network with ping and ssh, so forwarding between the interfaces is working.
First, I want anyone inside the eth1 subnet to be able to open ssh to anyone, but nobody outside to be able to ssh into the network or into the eth0 interface on the gateway.
Here is my sh file; it first flushes the firewall and then applies the new rule set:
#Flush previous rules
iptables -F
iptables -X
iptables -Z
#Default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#Enable loopback
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
#Enable stateful rules
iptables -A INPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#SSH
iptables -I INPUT -p tcp -j ACCEPT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -p tcp --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp -j ACCEPT
iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
###LOGGING
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 60/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
The command iptables -L -v gives the following output:
root@gateway:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
801 99796 ACCEPT tcp -- any any anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere
5331 853K ACCEPT all -- any any anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
Chain FORWARD (policy DROP 5 packets, 200 bytes)
pkts bytes target prot opt in out source destination
688 122K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh ctstate NEW,RELATED,ESTABLISHED
7219 1989K ACCEPT all -- any any anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1175 125K ACCEPT tcp -- any any anywhere anywhere
1378 105K ACCEPT all -- any any anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- any eth0 anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
0 0 LOGGING all -- any any anywhere anywhere
Chain LOGGING (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix "IPTables-Dropped: "
0 0 DROP all -- any any anywhere anywhere
I even tried using this file to test whether I could enable ssh from the outside to the subnet behind the gateway, to see if that works:
#Flush firewall rules and chains
iptables -F
iptables -X
iptables -Z
#Set policy table
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#Rules
iptables -I INPUT -p tcp -j ACCEPT
This should work, but it does not let ssh traffic through.
I hope you can help me; thanks.
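The policy the question describes (LAN hosts on eth1 may open SSH anywhere; nothing arriving on eth0 may open SSH to the gateway or to the LAN) can be expressed with interface-scoped rules. The script below is an added example written for this page, not the poster's script and not a Debian default: it assumes eth0 is the outside-facing interface, eth1 faces 12.120.4.0/24, and the gateway does no NAT, as the question states. The names `ipt`, `build_rules` and `count_outside_ssh_accepts` and the `DRY_RUN` switch are this example's own. Two points it illustrates: the conntrack rules for reply traffic match only ESTABLISHED,RELATED, because an unrestricted INPUT rule that also matches NEW accepts every new inbound connection on every interface regardless of the DROP policy; and the SSH ACCEPT rules carry `-i eth1`, so the same port is refused when it arrives on eth0.

```shell
#!/bin/sh
# Added example (not from the original post): deny-by-default gateway rule set
# for the policy "LAN may ssh out, nothing may ssh in on eth0". Interface names
# and the LAN prefix below are assumptions taken from the question.
# With DRY_RUN=1 the iptables commands are printed instead of executed, so the
# rule list can be reviewed without root.

OUT_IF=eth0            # assumed outside-facing interface
IN_IF=eth1             # assumed LAN-facing interface
LAN=12.120.4.0/24      # subnet behind the gateway, from the question
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Clean slate: -F/-X do not reset policies, so set them explicitly.
    ipt -F
    ipt -X
    ipt -Z
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback must stay open or local services on the gateway break.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections already allowed. No NEW here: a NEW match without
    # an interface restriction would accept every inbound connection attempt.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Refuse inbound SSH that arrives on the outside interface, whether it is
    # aimed at the gateway itself (INPUT) or at the LAN behind it (FORWARD).
    ipt -A INPUT -i "$OUT_IF" -p tcp --dport 22 -j DROP
    ipt -A FORWARD -i "$OUT_IF" -p tcp --dport 22 -j DROP

    # LAN hosts may open SSH to the gateway ...
    ipt -A INPUT -i "$IN_IF" -s "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # ... and through the gateway to anywhere outside.
    ipt -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # The gateway itself may initiate outbound connections.
    ipt -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT

    # Log what falls through before the chain policy drops it (rate limited).
    ipt -N LOGGING
    ipt -A INPUT -j LOGGING
    ipt -A FORWARD -j LOGGING
    ipt -A LOGGING -m limit --limit 60/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    ipt -A LOGGING -j DROP
}

# Sanity check on the generated list: how many rules ACCEPT tcp/22 arriving on
# the outside interface? For this policy the answer must be 0.
count_outside_ssh_accepts() {
    (DRY_RUN=1; build_rules) | grep -c -- "-i $OUT_IF .*--dport 22 .*-j ACCEPT" || true
}

# Usage: "sh firewall.sh show" prints the rules; "sh firewall.sh apply" (as root) loads them.
case "${1:-}" in
    show)  DRY_RUN=1; build_rules ;;
    apply) build_rules ;;
esac
```

Running `sh firewall.sh show` first and reading the list is the cheap check before loading it on a remote box; the `count_outside_ssh_accepts` function is the same idea automated, and can be extended to any port the policy is supposed to close. The LOGGING chain keeps the question's prefix and rate limit, so dropped attempts show up in the kernel log with the same `IPTables-Dropped:` tag.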