我有一个 Web 服务器:Debian 9 + Postgres 9.6 + Apache 2.4.25
我已经创建了一个包含 iptables 配置的 bash 脚本:
!/bin/bash
# IP Server
IP="192.168.0.18"
# Restart default config
iptables -F
iptables -X
iptables -Z
# Enable different protections to kernel
#
# Ignore broadcast icmp
echo -n '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routing
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirects
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
# Protection to "bad error messages"
echo -n '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable ip forwarding
echo -n '0' > /proc/sys/net/ipv4/ip_forward
# Login "source routed" and redirects
echo -n '1' >/proc/sys/net/ipv4/conf/all/log_martians
# Default, deny INPUT y FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow outgoing traffic
iptables -P OUTPUT ACCEPT
# Deny new TCP connections not started with SYN
iptables -A INPUT -i ens192 -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "TCP RST,ACK,FIN"
iptables -A INPUT -i ens192 -p tcp ! --syn -m state --state NEW -j DROP
# Deny fragments
iptables -A INPUT -i ens192 -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragment Packets"
iptables -A INPUT -i ens192 -f -j DROP
# Deny souspicius packages
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i ens192 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Deny NULL packets
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL NONE -j DROP
# Deny packages "Christmas tree"
iptables -A INPUT -i ens192 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
iptables -A INPUT -i ens192 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Deny attacks Fin Scan
iptables -A INPUT -i ens192 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
iptables -A INPUT -i ens192 -p tcp --tcp-flags FIN,ACK FIN -j DROP
# Validate flags TCP
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Deny invalids packages
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow all lo interface
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
iptables -A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Allow port 22 (SSH)
iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
# Allow port 443 (HTTPS)
iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT
# Allow 80 (HTTP)
#iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow POSTGRES remote console from IP
iptables -A INPUT -m state --state NEW -p tcp -s 192.168.0.4/32 --dport 5432 -j ACCEPT
# Allow connections POSTGRES from localhost
#iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 5432 -m state --state NEW -j ACCEPT
# Log and deny
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A INPUT -j DROP
# Deny all outgoing traffic except established connections
iptables -P OUTPUT DROP
iptables -A OUTPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outgoing traffic HTTPS
iptables -A OUTPUT -s $IP -p tcp --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT
# Allow outgoing traffic 80
iptables -A OUTPUT -s $IP -p tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
# Allow outgoing traffic ping
iptables -A OUTPUT -p icmp --icmp-type 8 -s $IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing traffic DNS
iptables -A OUTPUT -s $IP -p tcp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -s $IP -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
我无法从托管在此服务器上的我的网站登录 :(
Web服务器日志的错误信息是:
[Tue Mar 27 12:53:30.690759 2018] [:error] [pid 1853] [client 192.168.0.4:58098] PHP Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Connection timed out\n\tIs the server running on host "localhost" (127.0.0.1) and accepting\n\tTCP/IP connections on port 5432?\ncould not connect to server: Cannot assign requested address\n\tIs the server running on host "localhost" (::1) and accepting\n\tTCP/IP connections on port 5432?
问题肯定是 iptables 配置,因为我禁用 iptables,登录仍然正常。
请问你能帮帮我吗?
答案1
在输出链上,您允许服务器启动与 HTTP、HTTPS、ICMP、DNS 的连接 - 但不允许与 postgres 端口(tcp/5432)或本地主机的连接。
iptables -A OUTPUT -i lo -j ACCEPT