Debian系统基本的iptables防火墙文件

本文发布时间: 2019-Mar-21
防火墙配置是基本的服务器防护措施下面就分享一年我的服务器基本配置(开放http、https、ftp、ssh、ping一些基本点端口开放)1、创建一个基本的防火墙文件(开放部分端口80-http、443-https、20/21-ftp、22-ssh、ping等)[email protected]:~# cat /etc/iptables.basic.rule*filter# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0-A INPUT -i lo -j ACCEPT-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT# Accepts all established inbound connections-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT# Allows all outbound traffic# You could modify this to only allow certain traffic-A OUTPUT -j ACCEPT# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)-A INPUT -p tcp --dport 80 -j ACCEPT-A INPUT -p tcp --dport 443 -j ACCEPT-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT# Allows SSH connections# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT# Now you should read up on iptables rules and consider whether ssh access# for everyone is really desired. Most likely you will only allow access from certain IPs.# Allow ping-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT# log iptables denied calls (access via 'dmesg' command)-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7# Reject all other inbound - default deny unless explicitly allowed policy:-A INPUT -j REJECT-A FORWARD -j [email protected]:~#2、使配置文件生效 [email protected]:~# iptables-restore </etc/iptables.basic.rule3、查看生效的配置文件[email protected]:~# iptables -LChain INPUT (policy ACCEPT)target prot opt source destinationACCEPT all -- anywhere anywhereREJECT all -- anywhere loopback/8 reject-with icmp-port-unreachableACCEPT all -- anywhere anywhere state RELATED,ESTABLISHEDACCEPT tcp -- anywhere anywhere tcp dpt:wwwACCEPT tcp -- anywhere anywhere tcp dpt:httpsACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHEDACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp-data state NEW,ESTABLISHEDACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sshACCEPT icmp -- anywhere anywhere icmp echo-requestLOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: 'REJECT all -- anywhere anywhere reject-with icmp-port-unreachableChain FORWARD (policy ACCEPT)target prot opt source destinationREJECT all -- anywhere anywhere reject-with icmp-port-unreachableChain OUTPUT (policy ACCEPT)target prot opt source destinationACCEPT all -- anywhere [email protected]:~#4、备份生效的配置文件[email protected]:~# iptables-save >/etc/iptables.up.rules


(以上内容不代表本站观点。)
---------------------------------
本网站以及域名有仲裁协议。
本網站以及域名有仲裁協議。

2020-Jul-13 01:11am
栏目列表