我有一个 IPtables.sh 文件,它允许我快速修改我的 IPtables 并使用变量。
一切都进行得很顺利,直到我注意到我家里的私人网络(混合了 Nix 和 Win 盒以及 Android 设备)有很多到我的 Ubuntu 服务器的连接。
在我的 IPtables 中我设置了以下变量。
THIS_HOST="192.168.1.116"
WORK="XX.XX.XX.XX"
HOME_NETWORK="192.168.1.0/24"
然后我有一个条目允许我的 Home_Network 连接到端口 1900
#Accept Some UPN Discovery Connections
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT
此条目不起作用,因为我的系统日志中出现以下内容:
4 月 4 日 15:54:39 zues 内核:[331454.549383] 防火墙数据包:IN=eth0 OUT=MAC=01:00:5e:7f:ff:fa:cc:52:af:41:64:68:08:00 SRC=192.168.1.248 DST=239.255.255.250 LEN=188 TOS=0x00 PREC=0x00 TTL=2 ID=22168 PROTO=UDP SPT=1823 DPT=1900 LEN=168
我知道变量起作用了,因为这个条目运行正常:
#accept some ssh connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 22 -j ACCEPT
当我做
sudo iptables -L
我明白了:
ACCEPT udp -- 192.168.1.0/24 Zeus*(THIS_HOST)* state NEW udp dpt:1900
根据要求,这里是完整的 iptables.sh 文件
#!/bin/bash
################################################################
#Insert modules- should be done automatically if needed
dmesg -n 1 #Kill copyright display on module load
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp #for PASV ftp
IPTABLES="/sbin/iptables"
THIS_HOST="192.168.1.116"
LOCAL_HOST="127.0.0.1"
WORK="XX.XX.XXX.18"
HOME_NETWORK="192.168.1.0/24"
#EXTRA_IP_FOR_SSH="$Work"
#EXTRA_IP_FOR_SSH=""
#EXTRA_IP_FOR_MYSQL=""
$IPTABLES -F
#Kill ANY stupid packets, including
#-Packets that are too short to have a full ICMP/UDP/TCP header
#- TCP and UDP packets with zero (illegal) source and destination ports
#-Illegal combinations of TCP flags
#-Zero-length (illegal) or over-length TCP and IP options,
# or options after the END-OF-OPTIONS option
#-Fragments of illegal length or offset (e.g., Ping of Death).
#Above list ripped from
#http://www.linux-mag.com/2000-01/bestdefense_02.html
#$IPTABLES -A INPUT -m unclean -j DROP
#$IPTABLES -A FORWARD -m unclean -j DROP
#Allow Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow Outgoing DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
#Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
#block enemies
$IPTABLES -A INPUT -s "91.65.221.109" -j DROP
#Block Port Hammers
$IPTABLES -A INPUT -s "58.218.201.189" -j DROP
$IPTABLES -A INPUT -s "185.222.211.44" -j DROP
#$IPTABLES -A INPUT -s "61.78.245.0/24" -j DROP
#$IPTABLES -A INPUT -s "218.146.209.182" -j DROP
#$IPTABLES -A INPUT -s "220.77.44.229" -j DROP
#$IPTABLES -A INPUT -s "61.75.224.41" -j DROP
#Accept Some UPN Discovery Connections
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT
#ICMP
#ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
#Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT
#allow established and related connections to continue
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -d 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -d $THIS_HOST -j ACCEPT
#this is "bif"
#procmail sends a biff/comsat message via udp on port 512 every time it deliveres a message to a users mailbox
#$IPTABLES -A INPUT -p UDP -s 127.0.0.1 -d 127.0.0.1 --dport 512 -j REJECT
#allow spamassassin to talk to spamd
#$IPTABLES -A INPUT -p TCP -s 127.0.0.1 -d 127.0.0.1 --dport 783 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -s 127.0.0.1 -d 127.0.0.1 --sport 783 -j ACCEPT
#accept some httpd connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
#accept some httpsd connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 443 -j ACCEPT
#accept some ssh connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#if [ "$EXTRA_IP_FOR_SSH" != "" ]; then
# $IPTABLES -A INPUT -m state --state NEW -p TCP -s $EXTRA_IP_FOR_SSH -d $THIS_HOST --dport 22 -j ACCEPT
#fi
#accept some ftp connections
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 21 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 21 -j ACCEPT
#Accept Some Vino/VNC Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $WORK -d $THIS_HOST --dport 5900 -j ACCEPT
#Accept Some Samba Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 139 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 445 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 137 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 138 -j ACCEPT
#Accept Some MYTHTV Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 6543 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 6544 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 3306 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 6543 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 6544 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 3306 -j ACCEPT
#Accept Some UPN Discovery Connections
#$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT
#Accept Some Mosquitto Connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 1883 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 1883 -j ACCEPT
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 8883 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 8883 -j ACCEPT
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 8083 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 8083 -j ACCEPT
#Accept Some Test Connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 56665 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 1823 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1823 -j ACCEPT
#Accept Some Minecraft Connections
#Accept Some UT2K4 Connections
#accept some mysql connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $THIS_HOST -d $THIS_HOST --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 3306 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $OFFICE2 -d $THIS_HOST --dport 3306 -j ACCEPT
#if [ "$EXTRA_IP_FOR_MYSQL" != "" ]; then
# $IPTABLES -A INPUT -m state --state NEW -p TCP -s $EXTRA_IP_FOR_MYSQL -d $THIS_HOST --dport 3306 -j ACCEPT
#fi
#SMTP server
#accept connections from the world
#smtp One per second limt -burst rate of ten
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
#pop server
#$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -d 127.0.0.1 --dport 110 -j ACCEPT
#snmp
#$IPTABLES -A INPUT -p udp -s 205.189.48.232 --dport 161 -j ACCEPT
####################################################################3
# that's it for specific port opennings
# now we just log everythign and drop it
####################################################################3
#Drop all packets from Private IP Address space
## Class A Reserved
$IPTABLES -A OUTPUT -d 10.0.0.0/8 -j DROP
## Class B Reserved
$IPTABLES -A OUTPUT -d 172.16.0.0/12 -j DROP
## Class C Reserved
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
## Class D Reserved
$IPTABLES -A OUTPUT -d 224.0.0.0/4 -j DROP
## Class E Reserved
$IPTABLES -A OUTPUT -d 240.0.0.0/5 -j DROP
##Some ports should be denied and logged.
$IPTABLES -A INPUT -p tcp --dport 515 -m limit -j LOG \
--log-prefix "L1on attack"
$IPTABLES -A INPUT -p tcp --dport 515 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG \
--log-prefix "Deepthroat scan"
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG \
--log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG \
--log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG \
--log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG \
--log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG \
--log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG \
--log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG \
--log-prefix "Back orifice scan"
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -m limit -j LOG \
--log-prefix "X-Windows Port"
$IPTABLES -A INPUT -p tcp --dport 6000 -j DROP
$IPTABLES -A INPUT -p tcp --dport 9704 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A INPUT -p tcp --dport 9704 -j DROP
$IPTABLES -A INPUT -p tcp --sport 9704 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A INPUT -p tcp --sport 9704 -j DROP
## NetBus and NetBus Pro
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "NetBus Pro:"
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "NetBus:"
## Trinoo
$IPTABLES -A INPUT -p tcp --sport 27665 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p tcp --dport 27665 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p tcp --sport 27665 -j DROP
$IPTABLES -A INPUT -p tcp --dport 27665 -j DROP
$IPTABLES -A INPUT -p udp --sport 27444 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --dport 27444 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --sport 27444 -j DROP
$IPTABLES -A INPUT -p udp --dport 27444 -j DROP
$IPTABLES -A INPUT -p udp --sport 31335 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --dport 31335 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --sport 31335 -j DROP
$IPTABLES -A INPUT -p udp --dport 31335 -j DROP
## Back Orifice
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A INPUT -p udp --dport 31337 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p udp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --sport 31337 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A INPUT -p udp --sport 31337 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A INPUT -p tcp --sport 31337 -j DROP
$IPTABLES -A INPUT -p udp --sport 31337 -j DROP
#Traceroutes depend on finding a rejected port. DROP the ones it uses
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP
#Don't log ident because it gets hit all the time eg connecting to an irc server
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
#drop netbios lookups
#don't bother logging them, since they're innocent and frequent
$IPTABLES -A INPUT -p tcp --dport 137 -j DROP
$IPTABLES -A INPUT -p udp --dport 137 -j DROP
##i don't want these logged - there's just too many of them
$IPTABLES -A INPUT -p UDP --dport 67 -j DROP
$IPTABLES -A INPUT -p UDP --dport 138 -j DROP
##Catch all rules.
#iptables reverts to these if it hasn't matched any of the previous rules.
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG \
--log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -m limit --limit 5/minute -j LOG \
--log-prefix "Firewalled packet:"
#Reject
$IPTABLES -A INPUT -p all -j DROP
$IPTABLES -A FORWARD -p all -j REJECT
#Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT
答案1
这些规则看起来不错,过去我遇到过一些问题,可能这里就出现了问题。当您附加规则 (-A INPUT) 时,它们将被添加到链的末尾。检查您那里是否已经有了某些东西,会在数据包到达您的规则之前将其丢弃。相反,请尝试插入规则...
iptables -I INPUT ......