我是iptables的新手,我一直在尝试组建一个防火墙,其目的是保护Web服务器.以下规则是我到目前为止所组建的规则,我想听听这些规则是否有意义 – 而且我已经遗漏了任何必要的东西?
除了端口80,我还需要为外部连接打开端口3306(mysql)和22(ssh).
任何反馈都非常感谢!
#!/bin/sh # Clear all existing rules. iptables -F # ACCEPT connections for loopback network connection,127.0.0.1. iptables -A INPUT -i lo -j ACCEPT # ALLOW established traffic iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # DROP packets that are NEW but does not have the SYN but set. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # DROP fragmented packets,as there is no way to tell the source and destination ports of such a packet. iptables -A INPUT -f -j DROP # DROP packets with all tcp flags set (XMAS packets). iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # DROP packets with no tcp flags set (NULL packets). iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # ALLOW ssh traffic (and prevent against DoS attacks) iptables -A INPUT -p tcp --dport ssh -m limit --limit 1/s -j ACCEPT # ALLOW http traffic (and prevent against DoS attacks) iptables -A INPUT -p tcp --dport http -m limit --limit 5/s -j ACCEPT # ALLOW MysqL traffic (and prevent against DoS attacks) iptables -A INPUT -p tcp --dport MysqL -m limit --limit 25/s -j ACCEPT # DROP any other traffic. iptables -A INPUT -j DROP
