iptables: are all ports open? How do I delete this line?


I configured my firewall a long time ago, and now I've found what may be a mistake. This is the INPUT section of iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Do you see this line?

ACCEPT all -- anywhere anywhere

It has no parameters at all. Does that mean all ports are open? How do I change this line?

Answer 1

If you are managing iptables by hand, you need to write the rules out to a file with iptables-save(8):

# iptables-save > /tmp/iptables.txt

Edit the rules as needed, then load them back with iptables-restore(8):

# iptables-restore /tmp/iptables.txt

See the iptables documentation (apropos iptables) and online blog posts to learn how to configure a stateful firewall with iptables, for example "Towards the perfect ruleset" by Jan Engelhardt.

Answer 2

If you run:

iptables -L --line-numbers

you get a line-number reference:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
5    DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
6    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
7    ACCEPT     all  --  anywhere             anywhere
8    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
9    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
[...]

Then you can run

iptables -D INPUT 7
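The rule the question points at (ACCEPT, protocol all, any source, any destination, no match extension) accepts every packet that reaches it, so with rule 7 in place the port-specific ACCEPT rules after it and the chain's DROP policy never apply to those packets; only the three DROP rules above it still take effect. The script below is an added example (not from the question or either answer): it parses the output of iptables -L --line-numbers shown in Answer 2, flags such catch-all ACCEPT rules, builds the matching iptables -D commands, and also strips the equivalent "-A INPUT -j ACCEPT" line from an iptables-save dump as Answer 1 suggests. The listing, the save-file dump and all function names are constructed for this example; the dump's exact form is an assumption about how iptables-save would render the question's chain.

```python
"""Find catch-all ACCEPT rules in iptables listings and build the fix.

Added example, not code from the original question or answers. The
sample listing and iptables-save dump are constructed to mirror the
INPUT chain shown in the question; the function names are my own.
"""
import re

# Constructed sample: the `iptables -L INPUT --line-numbers` output from the question.
LISTING = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
5    DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
6    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
7    ACCEPT     all  --  anywhere             anywhere
8    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
9    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
"""

# Constructed sample (assumed form): the same chain as `iptables-save` would write it.
SAVE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_listing(text):
    """Parse `iptables -L --line-numbers` output into ((chain, policy), [rule dicts])."""
    chain = None
    rules = []
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            chain = (m.group(1), m.group(2))
            continue
        if not line.strip() or line.startswith("num "):
            continue  # blank line or column header
        # Columns: num target prot opt source destination [match text]
        parts = line.split(None, 6)
        num, target, prot, _opt, src, dst = parts[:6]
        extra = parts[6].strip() if len(parts) > 6 else ""
        rules.append({"num": int(num), "target": target, "prot": prot,
                      "src": src, "dst": dst, "extra": extra})
    return chain, rules


def catch_all_accepts(rules):
    """Rules that accept every packet: ACCEPT, any protocol, any src/dst, no match criteria."""
    return [r for r in rules
            if r["target"] == "ACCEPT" and r["prot"] == "all"
            and r["src"] == "anywhere" and r["dst"] == "anywhere"
            and not r["extra"]]


def delete_commands(chain_name, rules):
    """Build `iptables -D` commands, highest rule number first so the
    remaining numbers stay valid while the commands are applied in order."""
    return [f"iptables -D {chain_name} {r['num']}"
            for r in sorted(rules, key=lambda r: -r["num"])]


def strip_catch_all(save_text):
    """Drop `-A <chain> -j ACCEPT` lines (no match options) from an iptables-save dump.
    Returns (cleaned dump, list of removed lines)."""
    keep, removed = [], []
    for line in save_text.splitlines():
        if re.fullmatch(r"-A \S+ -j ACCEPT", line.strip()):
            removed.append(line)
        else:
            keep.append(line)
    return "\n".join(keep) + "\n", removed


if __name__ == "__main__":
    (name, policy), rules = parse_listing(LISTING)
    bad = catch_all_accepts(rules)
    print(f"chain {name} (policy {policy}): {len(bad)} catch-all ACCEPT rule(s)")
    for cmd in delete_commands(name, bad):
        print("   ", cmd)
    cleaned, removed = strip_catch_all(SAVE_DUMP)
    print("removed from save file:", removed)
```

Run it on the real output of iptables -L --line-numbers (redirected to a file) to get the exact iptables -D command for your chain, then re-list to confirm the catch-all rule is gone and the rules below it have moved up by one. Ordering matters when more than one rule is deleted, which is why the commands are emitted highest number first.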
