使用 iptables 限制 httpd、ssh 和 icmp

tag-icon tag-icon linux centos iptables unix
使用 iptables 限制 httpd、ssh 和 icmp

我想阻止 ICMP 并将 SSH 和 HTTPD 流量限制到 eth0 我原来的 iptables 如下所示

筛选

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Start Custom Rules
-A INPUT -p tcp --dport 6000 -j ACCEPT -m comment --comment "New application
# End Custom Rules
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

曼格尔

:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 0x2
-A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 0x2
COMMIT

我已修改规则,将“Accept”改为“DROP”,以丢弃 ICMP 流量

-A INPUT -p icmp -j DROP (this works fine)

然后修改SSH规则

-I INPUT 3 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT to included -i eth0 to limit SSH connections to eth0 only.

但它不会阻止与其他接口的 SSH 连接

I have changed the iptables to following but it accepting SSH connectin on all interfaces:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:6000 /*New Application */
DROP all -- anywhere anywhere
DROP icmp -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@CentoOS]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000 -m comment --comment "New Application" -j ACCEPT
-A INPUT -j DROP
-A INPUT -p icmp -j DROP
-A FORWARD -j DROP

有人能告诉我规则有什么问题吗,以及如何将流量限制到 eth0。我是 iptables 新手,所以任何帮助都将不胜感激。

相关内容