我正在尝试配置新服务器的 iptable。以下是我执行的 Firewall.sh 脚本中的规则:
#!/bin/bash
# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20
# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"
# Flush the filter table from INPUT or OUTPUT
iptables -F
# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Drop invalid traffic (good idea since we use the connexion track module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
for port in $ALLOWED_TCP
do
iptables -A INPUT -p tcp --dport $port -j ACCEPT
done
# Allow DNS traffic
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# Permit no more than 50 concurrent connections from the same ip address to our web server
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP
# Allow all outgoing valid traffic
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
这些规则的问题在于,当我尝试这样做时:
apt-get install iptables-persistent
然后按 Y 确认,下载冻结。我做了一些测试,我知道没有这些规则,apt-get 命令也能正常工作,所以我知道我的 iptables 规则有问题,但我不知道是什么问题。有什么想法吗?(基本上我有和apt-get 无法与 iptables 配合使用)
更新
我做了一些测试,并且它有效(我最后删除了 INPUT DROP 策略),但是,我仍然不明白 INPUT 中的什么导致了问题。
@Ryan Gibbons,是的,我的第一行 ALLOWED_TCP 只是一个模板,以防我想激活更多端口(只考虑第二行
#!/bin/bash
# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20
# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22 53"
# Flush the filter table from INPUT or OUTPUT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Drop invalid traffic (good idea since we use the connexion track module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
for port in $ALLOWED_TCP
do
iptables -A INPUT -p tcp --dport $port -j ACCEPT
done
# Permit no more than 50 concurrent connections from the same ip address to our web server
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP
# Allow all outgoing valid traffic
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Set the default policy to drop
#iptables -P INPUT DROP
iptables -P OUTPUT DROP
答案1
首先,ALLOWED_TCP 块只会是 80 443 和 22,因为它覆盖了第一个定义。
# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"
接下来你只在允许输入时使用这些,这意味着传入到服务器
for port in $ALLOWED_TCP
do
iptables -A INPUT -p tcp --dport $port -j ACCEPT
done
那么你永远无法定义除了 DNS 和相关流量之外,服务器在 OUTPUT 中允许输出什么,
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
和
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
然后将默认策略设置为丢弃出站
iptables -P OUTPUT DROP
这可能很简单,只需在for循环中添加另一行以将那些 ALLOWED_TCP 添加到 OUTPUT 同时保持出站过滤即可。
答案2
实际上我有一个打字错误,我唯一的错误是使用 tcp 作为 DNS(而不是 udp)。
因此,下面的脚本可以正常工作(对于那些感兴趣的人,我在这里了解了语法:https://www.udemy.com/linux-security-the-complete-iptables-firewall-guide/):
@Ryan Gibbons,是的,我的第一行 ALLOWED_TCP 只是一个模板,以防我想激活更多端口(只考虑第二行)
更新:修复拼写错误 UPDATE2:修复 apt install fail2ban 的问题
#!/bin/bash
# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20
# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"
# Flush the filter table from INPUT or OUTPUT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Drop invalid traffic (good idea since we use the connexion track module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
for port in $ALLOWED_TCP
do
iptables -A INPUT -p tcp --dport $port -j ACCEPT
done
# https://ubuntuforums.org/showthread.php?t=1441483
# DNS
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
# apt-get
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
# Permit no more than 50 concurrent connections from the same ip address to our web server
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP
# Allow all outgoing valid traffic
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP