哪种 iptables 配置最适合保护暴露给 www 的 xenserver 管理接口?
这是我的实际配置:
> :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -s MY-FIXED-IP-ADDRESS -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -s MY-FIXED-IP-ADDRESS -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -s MY-FIXED-IP-ADDRESS -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -s MY-FIXED-IP-ADDRESS -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -s MY-FIXED-IP-ADDRESS -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -s MY-FIXED-IP-ADDRESS -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -s MY-SECOND-FIXED-IP-ADDRESS -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
答案1
什么才是最好的?不要让它可用。就这样。
配置VPN,然后要求人们先连接到VPN,然后才能访问管理界面。