I'm trying to configure iptables on a new server. Here are the rules in the Firewall.sh script I run:

#!/bin/bash

# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20


# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"





# Flush the filter table from INPUT or OUTPUT
iptables -F


# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# Drop invalid traffic (good idea since we use the connexion track module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP


# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT



for port in $ALLOWED_TCP
do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
done


# Allow DNS traffic
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT


# Permit no more than 50 concurrent connections from the same ip address to our web server
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP


# Allow all outgoing valid traffic 
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP

The problem with these rules is that when I try this:

apt-get install iptables-persistent

and then press Y to confirm, the download freezes. I did some tests and I know that the apt-get command works fine without these rules, so I know something is wrong with my iptables rules, but I don't know what. Any ideas? (Basically I have the same problem as apt-get not working with iptables

UPDATE

I did some tests and it works (in the end I removed the INPUT DROP policy), but I still don't understand what in INPUT is causing the problem.

@Ryan Gibbons, yes, my first ALLOWED_TCP line is just a template in case I want to enable more ports (only consider the second line)

#!/bin/bash

# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20


# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22 53"





# Flush the filter table from INPUT or OUTPUT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F


# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# Drop invalid traffic (good idea since we use the connexion track module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP


# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT



for port in $ALLOWED_TCP
do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
done




# Permit no more than 50 concurrent connections from the same ip address to our web server
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP


# Allow all outgoing valid traffic 
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# Set the default policy to drop
#iptables -P INPUT DROP
iptables -P OUTPUT DROP

Answer 1

First, the ALLOWED_TCP block will only be 80, 443 and 22, because the second definition overrides the first.

# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"

Next, you only use these when allowing INPUT, meaning traffic coming into the server:

for port in $ALLOWED_TCP
do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

Then, in OUTPUT, you never define what the server is allowed to send other than DNS and related traffic,

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

and then you set the default policy to drop outbound traffic:

iptables -P OUTPUT DROP

It may be as simple as adding another line in the for loop to add those ALLOWED_TCP ports to OUTPUT as well, while keeping outbound filtering.

Answer 2

Actually I had a typo; my only mistake was using tcp for DNS (instead of udp).

So the script below works fine (for those interested, I learned the syntax here: https://www.udemy.com/linux-security-the-complete-iptables-firewall-guide/):

@Ryan Gibbons, yes, my first ALLOWED_TCP line is just a template in case I want to enable more ports (only consider the second line)

UPDATE: fixed the typo.
UPDATE2: fixed the problem with apt install fail2ban.

#!/bin/bash

# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20


# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"





# Flush the filter table from INPUT or OUTPUT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F


# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# Drop invalid traffic (good idea since we use the connexion track module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP


# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT



# Permit no more than 50 concurrent connections from the same ip address to our web server.
# This must come BEFORE the per-port ACCEPT rules below: iptables stops at the
# first match, so if "--dport 80 -j ACCEPT" came first this DROP would never fire.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP


for port in $ALLOWED_TCP
do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
done



# https://ubuntuforums.org/showthread.php?t=1441483
# DNS
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT

# apt-get
iptables -A INPUT -p tcp --sport 80 -j ACCEPT


# Allow all outgoing valid traffic 
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
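
The reasoning in Answer 1 (what each chain allows) and the fix in Answer 2 (letting replies in by source port) can both be checked against a small model of how an INPUT chain is evaluated. The Python below is an added example, not code from the original post or from the course linked above. A chain is a list of rules, the first match wins, and each constructed packet is given the conntrack state the kernel would assign it (the reply to a connection this host opened is ESTABLISHED; a bare SYN that belongs to no flow is NEW). It evaluates three INPUT chains: the question's first script, Answer 2's script, and a stateful variant that is assumed here and does not appear on the page (the usual `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, placed before the per-port rules). The connlimit rule is left out of the model, and the port numbers of the constructed packets are made up.

```python
"""Model of iptables INPUT-chain evaluation (constructed example, not the
poster's script). Rules and packets are plain Python data. Each packet carries
the conntrack state the kernel would assign it: the reply to a connection this
host opened is ESTABLISHED, a bare SYN that matches no existing flow is NEW.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    sport: int = 0
    state: str = "NEW"         # NEW, ESTABLISHED, RELATED or INVALID
    iface: str = "eth0"


@dataclass
class Rule:
    target: str                       # -j ACCEPT / -j DROP
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport
    sport: Optional[int] = None       # --sport
    states: frozenset = frozenset()   # -m state --state / -m conntrack --ctstate
    iface: Optional[str] = None       # -i

    def matches(self, p: Pkt) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.sport is None or p.sport == self.sport)
                and (not self.states or p.state in self.states)
                and (self.iface is None or p.iface == self.iface))


def verdict(chain, policy, p):
    """First matching rule decides, as in netfilter; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Rules that every version of Firewall.sh on this page appends to INPUT
# (the connlimit rule is omitted from the model).
COMMON = [
    Rule("ACCEPT", iface="lo"),
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT", proto="icmp"),
] + [Rule("ACCEPT", proto="tcp", dport=port) for port in (80, 443, 22)]

# 1. The question's first script: a rule for running a DNS *server*, nothing for replies.
ORIGINAL = COMMON + [Rule("ACCEPT", proto="udp", dport=53)]

# 2. Answer 2's script: trusts whatever source port the remote side chose.
BY_SPORT = COMMON + [
    Rule("ACCEPT", proto="tcp", sport=53),
    Rule("ACCEPT", proto="udp", sport=53),
    Rule("ACCEPT", proto="tcp", sport=80),
]

# 3. Assumed stateful fix (not on the page): accept traffic conntrack already
#    knows about, placed before the per-port rules.
STATEFUL = [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))] + COMMON

# Constructed packets arriving on INPUT during `apt-get install`, plus one
# attacker-crafted SYN that deliberately uses source port 80.
PACKETS = {
    "dns reply":              Pkt("udp", dport=40213, sport=53, state="ESTABLISHED"),
    "mirror SYN-ACK (http)":  Pkt("tcp", dport=51234, sport=80, state="ESTABLISHED"),
    "mirror SYN-ACK (https)": Pkt("tcp", dport=51235, sport=443, state="ESTABLISHED"),
    "forged SYN to 3306":     Pkt("tcp", dport=3306, sport=80, state="NEW"),
}


def verdicts(chain, policy="DROP"):
    """Verdict for every constructed packet under one INPUT chain."""
    return {name: verdict(chain, policy, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("by-sport", BY_SPORT),
                        ("stateful", STATEFUL)):
        print(f"{name:9}", verdicts(chain))
```

Under the original chain the mirror's SYN-ACK and the DNS reply are dropped by the INPUT policy, because they arrive on an ephemeral destination port that no rule lists; that is the cause of the hang, and OUTPUT was never the problem since it already accepts NEW,ESTABLISHED,RELATED. Answer 2's `--sport` rules do let the HTTP reply in, but they accept any packet that merely carries source port 80 or 53, including a brand-new SYN aimed at a service that was never published (a client that binds source port 80 on its own machine reaches port 3306 here), and a mirror served over HTTPS (source port 443) is still blocked. The stateful rule accepts every reply to a connection this host opened, whatever the ports, and still drops the forged SYN.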
