There seems to be an error in my iptables config - when I comment out the last line (delete) it works fine - when I uncomment it I can't ssh into my server - can anyone spot what I'm doing wrong? I'm a bit of a noob.
*filter
:INPUT ACCEPT [5:9090]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:372]
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m limit --limit 30/minute --limit-burst 200 -j ACCEPT -m comment --comment "Protection DDoS attacks"
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "Deny all null packets"
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "Deny all recon packets"
-A INPUT -p tcp --tcp-flags ALL FIN -j DROP -m comment --comment "nmap FIN stealth scan"
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -m comment --comment "SYN + FIN"
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -m comment --comment "SYN + RST"
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP -m comment --comment "FIN + RST"
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -m comment --comment "FIN + URG + PSH"
-A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP -m comment --comment "XMAS"
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP -m comment --comment "FIN without ACK"
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP -m comment --comment "PSH without ACK"
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP -m comment --comment "URG without ACK"
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "Deny SYN flood attack"
-A INPUT -m state --state ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT -m comment --comment "Accept traffic with ESTABLISHED flag set (limit - DDo$
-A INPUT -m state --state RELATED -m limit --limit 50/second --limit-burst 50 -j ACCEPT -m comment --comment "Accept traffic with RELATED flag set (limit - DDoS prev$
-A INPUT -m state --state INVALID -j DROP -m comment --comment "Deny traffic with the INVALID flag set"
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10051 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 10051 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -m recent --update --name SSH --seconds 60 --hitcount 5 --rttl -j DROP
-A INPUT -i venet0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -m comment --comment " ssh port"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT -m comment --comment " ftp"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -m comment --comment " ssh"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT -m comment --comment " email"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -m comment --comment " DNS large queries"
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -m comment --comment " DNS small queries"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -m comment --comment " Apache"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT -m comment --comment " POP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -m comment --comment " Apache ssl"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 953 -j ACCEPT -m comment --comment " DNS Internal"
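One way to narrow down which rule a new SSH connection actually hits is to walk a packet through the INPUT chain in order. The script below is an added example (not from the poster): it parses a constructed excerpt of the rules above, models only `-i`, `-p`, `--dport`, `--state`, `! --syn` and the `recent --set` / `--update --hitcount` pair (ignoring the `--seconds` window, limit, tcp-flags and comment matches), and shows that the `recent` DROP rule only ever fires when the `--set` rule's interface name (`venet0`) matches the interface the connection arrives on; the client address and attempt count are constructed.

```python
import shlex
# Constructed excerpt of the poster's INPUT chain (iptables-save syntax); limit, tcp-flags
# and comment matches are left out because this simulator does not model them.
RULES = """
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m recent --update --name SSH --seconds 60 --hitcount 5 --rttl -j DROP
-A INPUT -i venet0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
"""
WITH_ARG = {"-i", "-p", "--dport", "--state", "-j", "--name", "--hitcount"}
def parse(text):
    """Map each rule line to {option: (negated, value)}; unknown options are skipped."""
    rules = []
    for line in text.strip().splitlines():
        toks, rule, neg, i = shlex.split(line), {}, False, 0
        while i < len(toks):
            t = toks[i]
            if t in WITH_ARG:
                rule[t] = (neg, toks[i + 1])
            elif t in ("--syn", "--set", "--update"):
                rule[t] = (neg, True)
            neg, i = t == "!", i + 1 + (t in WITH_ARG)   # "!" negates the next match
        rules.append(rule)
    return rules

def matches(rule, pkt, recent):
    """True when every match option this model understands agrees with the packet."""
    hits = len(recent.get(rule.get("--name", (0, ""))[1], {}).get(pkt["src"], []))
    checks = {"-i": lambda v: pkt["iface"] == v, "-p": lambda v: pkt["proto"] == v,
              "--dport": lambda v: pkt["dport"] == int(v), "--syn": lambda v: pkt["syn"],
              "--state": lambda v: pkt["state"] in v.split(","),
              # recent --update: matches once the source was recorded --hitcount times
              "--update": lambda v: hits >= int(rule.get("--hitcount", (0, "1"))[1])}
    return all(checks[o](v) != neg for o, (neg, v) in rule.items() if o in checks)

def walk(rules, pkt, recent):
    """Return (rule number, verdict) of the first terminating rule, or (None, 'POLICY')."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt, recent):
            if "--set" in rule:   # recent --set: record the source, then keep walking
                recent.setdefault(rule["--name"][1], {}).setdefault(pkt["src"], []).append(n)
            if "-j" in rule:
                return n, rule["-j"][1]
    return None, "POLICY"

def ssh_verdicts(iface, attempts=6, src="192.0.2.10"):  # repeated new SSH SYNs on iface
    rules, recent = parse(RULES), {}
    pkt = dict(iface=iface, proto="tcp", dport=22, state="NEW", syn=True, src=src)
    return [walk(rules, pkt, recent)[1] for _ in range(attempts)]
```

Running `ssh_verdicts("venet0")` returns five ACCEPT verdicts and then DROP, while `ssh_verdicts("eth0")` returns ACCEPT for every attempt because the `--set` rule never records the client.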