这是对
previous question的跟进,我询问我的iptables配置是否正确.
CentOS 5.3系统.
预期结果:阻止除ping,ssh,Apache和SSL之外的所有内容.
基于xenoterracide’s advice和其他问题的回答(谢谢你们),我创建了这个脚本:
# Establish a clean slate iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -F # Flush all rules iptables -X # Delete all chains # Disable routing. Drop packets if they reach the end of the chain. iptables -P FORWARD DROP # Drop all packets with a bad state iptables -A INPUT -m state --state INVALID -j DROP # Accept any packets that have something to do with ones we've sent on outbound iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Accept any packets coming or going on localhost (this can be very important) iptables -A INPUT -i lo -j ACCEPT # Accept ICMP iptables -A INPUT -p icmp -j ACCEPT # Allow ssh iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow httpd iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Allow SSL iptables -A INPUT -p tcp --dport 443 -j ACCEPT # Block all other traffic iptables -A INPUT -j DROP
现在当我列出我得到的规则时……
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets,0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere state INVALID
9 612 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets,0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets,644 bytes)
pkts bytes target prot opt in out source destination
我跑了它,我仍然可以登录,所以这很好.有没有人注意到任何重大事件?
解决方法
在大多数情况下看起来不错.主要的是你应该使用iptables-save和iptables-restore而不是重复运行iptables. iptables-save / restore方法为您提供原子批量更新(如数据库事务),因此您知道没有任何东西可以进入(或者没有进入),因为当网络数据包到达时,您的iptables更改已完成一半.进行此更改还可以转储初始ACCEPT策略,因此它只设置首选策略(最好是DENY),然后设置单个规则(ACCEPTed的例外).
除此之外,您可能希望更多地关注ICMP(而不仅仅是允许所有内容).我听说ICMP的某些方面现在非常狡猾.就个人而言,我认为这不值得,因为如此多的诊断和流量管理都依赖于ICMP.
关于womble的“不要使用iptables”评论:我不会说你不应该直接使用iptables(或iptables-save / restore),但我建议你改用FERM.它本质上只是iptables,具有更具表现力和更少重复的语言,以及可变支持.例如,你的iptables命令:
iptables -P INPUT ACCEPT ... # Allow ssh iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow httpd iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Allow SSL iptables -A INPUT -p tcp --dport 443 -j ACCEPT
在ferm看起来更像这样:
# allow some incoming TCP
chain INPUT {
policy ACCEPT;
proto tcp dport (ssh httpd https) ACCEPT;
}
好多了,对吧? 原文链接:https://www.f2er.com/linux/397421.html
