Debian系统基本的iptables防火墙文件 iptables 添加规则
防火墙配置是基本的服务器防护措施之一，但只是纵深防御中的一层：它限制的是能被访问到的端口，并不能替代对 sshd、ftpd 等服务本身的加固。
创建一个基本的防火墙文件（开放部分端口：80-http、443-https、20/21-ftp、22-ssh、ping 等。注意下面的规则只作用于 IPv4，双栈主机还需要用 ip6tables 写一份对应的 IPv6 规则，否则同样的服务在 IPv6 上仍然对外暴露）
cat /etc/iptables.basic.rule
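*filter
# Basic IPv4 host firewall for a Debian web / FTP / SSH server.
# Load with:  iptables-restore < /etc/iptables.basic.rule
#
# NOTE: every option below uses a double hyphen ("--dport", "--state").
# Copy-pasting from a rendered web page often turns "--" into an en dash,
# which makes iptables-restore fail with "Bad argument"; verify with
#   grep -n '–' /etc/iptables.basic.rule
# NOTE: this file only affects IPv4. On a dual-stack host the same
# services remain reachable over IPv6 until an equivalent ip6tables
# ruleset is loaded.
# Chain policies are left at the default ACCEPT; the terminal REJECT
# rules at the bottom are what actually deny traffic. If those rules are
# ever flushed (iptables -F) the host is wide open, so consider declaring
# ":INPUT DROP [0:0]" and ":FORWARD DROP [0:0]" here to fail closed.

# Allow all loopback traffic, and reject anything addressed to 127/8
# that did not arrive on lo (spoofed loopback destinations).
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept packets belonging to connections this host already knows about
# (replies to outbound connections; RELATED also covers FTP data channels
# when the nf_conntrack_ftp helper is loaded).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic. Tightening this (e.g. to DNS, NTP, HTTP/S,
# the package mirror) limits what a compromised service can reach.
-A OUTPUT -j ACCEPT

# HTTP and HTTPS from anywhere (the normal ports for websites).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# FTP control channel (21) from anywhere, unprivileged source ports only.
# FTP is a cleartext protocol; prefer SFTP (over SSH) where possible.
# ESTABLISHED is already accepted by the rule above; it is kept here
# only for readability.
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Port 20 is the *source* port of active-mode data connections, which the
# server itself opens outbound (covered by the OUTPUT rule and then by
# ESTABLISHED). Accepting inbound NEW to dport 20 is not what makes FTP
# work; passive mode needs the ftpd's passive port range opened instead,
# or the nf_conntrack_ftp helper loaded so RELATED matches the data channel.
-A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT

# SSH. The port must match the "Port" directive in /etc/ssh/sshd_config.
# Exposing SSH to the whole Internet is rarely what you want: add
# "-s <admin-net>" (one rule per allowed network), or at least rate-limit
# NEW connections per source with -m recent / -m hashlimit to blunt
# password guessing.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# ICMP echo-request (ping). Add "-m limit" here if ping floods are a concern.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log what is about to be rejected, at most 5 lines/min (default burst 5)
# so a scanner cannot fill the logs. Level 7 is "debug"; read the entries
# with dmesg (or wherever the syslog daemon sends kern.* messages).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Default deny for everything else inbound, and for forwarded traffic.
# REJECT answers with ICMP port-unreachable so clients fail fast; use DROP
# instead if you would rather give scanners no answer at all.
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT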
或者参考下面这份由 iptables-save 导出的实际示例（其中 873、10050、20000:30000 等端口是该主机自身服务需要的，按实际情况增删；实际部署前请逐条核对每个端口是否真的需要对全网开放）
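# Generated by iptables-save v1.4.14 on Wed Nov 11 17:22:03 2015
# Example of a deployed ruleset (IPv4 only; load a matching ip6tables
# ruleset on dual-stack hosts). Host-specific ports (873, 10050,
# 20000:30000) must be adjusted to the services actually running here.
# All options use a double hyphen ("--dport"); an en dash pasted from a
# web page will make iptables-restore fail.
*filter
# Fail closed: anything not explicitly accepted below is dropped even if
# the rules are later flushed.
:INPUT DROP [0:0]
# Forwarding was ACCEPT in the original dump. A server that is not a
# router / NAT gateway should not forward packets at all; set this back to
# ACCEPT (and add explicit FORWARD rules) only if this host really routes.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SYN-flood guard. This jump must come BEFORE the per-port ACCEPT rules.
# In the original dump it was placed after them, so a SYN to an open port
# was accepted before ever reaching the syn-flood chain, and the guard
# only throttled SYNs that the final REJECT would have refused anyway.
# "--syn" is shorthand for "--tcp-flags FIN,SYN,RST,ACK SYN".
-A INPUT -p tcp --syn -j syn-flood
# SSH open to the world; restrict with "-s <admin-net>" where possible.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# FTP control channel (cleartext protocol; prefer SFTP over SSH).
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
# rsync daemon (873) reachable from a single management/backup host only.
# This is the right pattern for every management port.
-A INPUT -s 221.226.186.102 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
# 10050 is conventionally the Zabbix agent port. A monitoring agent should
# be limited to the monitoring server's address with "-s", as done for 873.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
# 20000:30000 is presumably the FTP passive-mode data range (confirm
# against the ftpd's pasv configuration). Ten thousand open ports is a
# large surface; keep the range as small as the expected load allows.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20000:30000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# All ICMP types, rate-limited. The second rule is only reached once the
# first bucket is exhausted and then adds about 1 pkt/s on top, so it is
# effectively redundant; ICMP over the limit falls through to the REJECT.
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Per-source SYN rate limit. The original used "-m limit", which is one
# global bucket: 3 SYN/s for the whole host would throttle legitimate web
# clients as soon as the jump above sits in the right place. hashlimit
# keyed on source IP keeps the original 3/sec, burst 6 figures but applies
# them per client; tune them against real traffic before relying on this.
-A syn-flood -p tcp -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto 3/sec --hashlimit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Nov 11 17:22:03 2015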
2、使配置文件生效。在远程 SSH 会话中加载规则有把自己锁在外面的风险，建议先用 iptables-apply（它加载后等待你确认，若连接因规则错误断开会自动回滚）；同时确认文件里的选项都是两个连字符（`--dport`、`--state`），从网页复制时常被替换成一个长横线，iptables-restore 会报 "Bad argument"：
root@Debain:~# iptables-restore < /etc/iptables.basic.rule
iptables-restore 只把规则写入内核，重启后即丢失。要持久化可以安装 iptables-persistent（规则文件为 /etc/iptables/rules.v4，IPv6 为 rules.v6），或在 /etc/network/if-pre-up.d/ 下放一个执行 iptables-restore 的脚本。IPv6 规则需要另外用 ip6tables-restore 加载。
3、查看生效的规则。下面的输出没有加 -n，所以端口和地址被反向解析成了 www、ssh、anywhere 等名字；日常检查建议用 `iptables -L -n -v --line-numbers`（不做名字解析、显示每条规则的包/字节计数和序号，便于确认规则真的被命中），IPv6 则用 `ip6tables -L -n -v`：
root@Debain:~# iptables -L
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere
- REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere tcp dpt:www
- ACCEPT tcp -- anywhere anywhere tcp dpt:https
- ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp-data state NEW,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
- ACCEPT icmp -- anywhere anywhere icmp echo-request
- LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere