A basic iptables firewall file for a Debian system

Published: 2019-Mar-21
Firewall configuration is a basic server hardening measure. Below is the basic configuration I use on my own server: it opens only the ports needed for http, https, ftp, ssh and ping, and rejects everything else inbound.

1. Create a basic firewall rule file (opening ports 80-http, 443-https, 20/21-ftp, 22-ssh, and ping)

root@aliyun:~# cat /etc/iptables.basic.rule
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows FTP control (21) and FTP data (20) connections from any source
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allows SSH connections
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
root@aliyun:~#

2. Load the rule file into the running kernel

root@aliyun:~# iptables-restore </etc/iptables.basic.rule

3. Check the rules now in effect

root@aliyun:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ftp-data state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
root@aliyun:~#

4. Save a backup of the active rules

root@aliyun:~# iptables-save >/etc/iptables.up.rules
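The comment in the rule file above says SSH should most likely be restricted to certain source IPs, and the whole file depends on the final unconditional REJECT for its default-deny behaviour. The script below is an added example, not code from the original post: it reads a rule file in the same iptables-save format, lists which inbound TCP ports are accepted from any source (rules with a specific -s network are excluded), warns when port 22 is among them, confirms the INPUT chain ends in a REJECT or DROP, and offers an apply mode that validates the file with iptables-restore --test and schedules an automatic rollback so a mistake cannot lock you out of your SSH session. The sample rule file it writes when run without arguments is constructed for the demonstration (the 203.0.113.0/24 admin network is a documentation address range, not a real one), and the apply mode assumes root and an iptables version whose iptables-restore supports --test.

```shell
#!/bin/sh
# Audit an iptables-save-format rule file (such as /etc/iptables.basic.rule) and,
# optionally, apply it with a safety net. Added example; not part of the original post.

# Write a small constructed rule file (same format as the one in the post) to $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -s 203.0.113.0/24 --dport 2222 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Print, space-separated, every TCP --dport that an INPUT ACCEPT rule opens to
# any source. A rule with "-s <net>" other than 0/0 or 0.0.0.0/0 is treated as
# restricted and left out, so a source-limited SSH rule would not be reported.
inbound_tcp_ports_open_to_all() {
    awk '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            restricted = 0; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s" && $(i+1) != "0/0" && $(i+1) != "0.0.0.0/0") restricted = 1
                if ($i == "--dport") port = $(i+1)
            }
            if (!restricted && port != "") out = (out == "" ? port : out " " port)
        }
        END { print out }
    ' "$1"
}

# Succeed (exit 0) when port 22 is accepted from every source.
ssh_open_to_all() {
    for p in $(inbound_tcp_ports_open_to_all "$1"); do
        [ "$p" = "22" ] && return 0
    done
    return 1
}

# Succeed when the last rule appended to INPUT is an unconditional REJECT or DROP,
# i.e. the file really implements "default deny unless explicitly allowed".
input_chain_ends_in_deny() {
    last=$(grep '^-A INPUT' "$1" | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT"|"-A INPUT -j DROP") return 0 ;;
        *) return 1 ;;
    esac
}

# Validate the file, snapshot the running ruleset, load the new one, and start a
# 60-second timer that restores the snapshot unless you kill it. If the new rules
# cut off your SSH session, the old ruleset comes back by itself. Needs root.
apply_rules_with_rollback() {
    file=$1
    iptables-restore --test < "$file" || { echo "syntax error in $file, not applied" >&2; return 1; }
    snapshot=$(mktemp)
    iptables-save > "$snapshot"
    iptables-restore < "$file"
    ( sleep 60; iptables-restore < "$snapshot" ) &
    echo "applied $file; run 'kill $!' within 60 s to keep it, otherwise $snapshot is restored"
}

main() {
    if [ "$1" = "--apply" ]; then
        apply_rules_with_rollback "$2"
        return
    fi
    file=$1
    if [ -z "$file" ]; then
        file=$(mktemp)
        write_sample_rules "$file"
        echo "no rule file given; auditing a constructed sample written to $file"
    fi
    echo "inbound TCP ports accepted from any source: $(inbound_tcp_ports_open_to_all "$file")"
    if ssh_open_to_all "$file"; then
        echo "WARNING: port 22 is open to every source; consider adding -s <admin-net> to the SSH rule"
    fi
    if input_chain_ends_in_deny "$file"; then
        echo "INPUT chain ends in an unconditional REJECT/DROP (default deny): ok"
    else
        echo "WARNING: INPUT chain has no final deny rule; unmatched traffic falls through to the chain policy"
    fi
}

main "$@"
```

Run it as `sh audit-rules.sh /etc/iptables.basic.rule` to audit the file from this post (it will flag port 22 as open to all, which is exactly what the comment in the file warns about), and as `sh audit-rules.sh --apply /etc/iptables.basic.rule` to load it with the rollback timer; once your SSH session still works, kill the timer PID it prints and then run iptables-save as in step 4.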

