linux – iptables – OK, **now** am I doing it right?

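This is a follow-up to a previous question, in which I asked whether my iptables configuration was correct.

CentOS 5.3 system.

Intended result: block everything except ping, ssh, Apache and SSL.

Based on xenoterracide's advice and the answers to the other question (thanks, guys), I created this script: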

# Establish a clean slate
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F # Flush all rules
iptables -X # Delete all chains

# Disable routing. Drop packets if they reach the end of the chain.
iptables -P FORWARD DROP

# Drop all packets with a bad state
iptables -A INPUT -m state --state INVALID -j DROP
# Accept any packets that have something to do with ones we've sent on outbound
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept any packets coming or going on localhost (this can be very important)
iptables -A INPUT -i lo -j ACCEPT
# Accept ICMP
iptables -A INPUT -p icmp -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow httpd
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SSL
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Block all other traffic 
iptables -A INPUT -j DROP

Now when I list the rules I get...

# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets,0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
    9   612 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https 
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets,0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets,644 bytes)
 pkts bytes target     prot opt in     out     source               destination

I ran it, and I can still log in, so that's good. Does anyone notice anything seriously wrong?

Solution

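It looks good for the most part. The main thing is that you should use iptables-save and iptables-restore rather than running iptables repeatedly. The iptables-save/restore method gives you atomic bulk updates (like a database transaction), so you know that nothing can get in (or fail to get in) because your iptables changes were half done when a network packet arrived. Making this change also lets you dump the initial ACCEPT policies, so it just sets the preferred policies (preferably DENY) and then the individual rules (the exceptions that are ACCEPTed).

Beyond that, you might want to look at locking down ICMP a bit more (rather than just allowing everything). I've heard that some aspects of ICMP are pretty dodgy these days. Personally, I don't think it's worth it, since so much diagnostics and traffic management relies on ICMP.

Regarding womble's "don't use iptables" comment: I wouldn't say you shouldn't use iptables (or iptables-save/restore) directly, but I would recommend you use FERM instead. It is essentially just iptables, with a more expressive and less repetitive language, plus variable support. For example, your iptables commands: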

iptables -P INPUT ACCEPT
...
# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow httpd
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SSL
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

look more like this in ferm:

# allow some incoming TCP
chain INPUT {
    policy ACCEPT;
    proto tcp dport (ssh http https) ACCEPT;
}

Much better, right?
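
The answer's iptables-save/iptables-restore suggestion, as an added example that is not part of the original thread: the question's rules written in iptables-restore format with INPUT defaulting to DROP (iptables' name for the policy the answer calls DENY), checked before loading. The function names and the lint step are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): the question's rules in
# iptables-restore format. Function names are hypothetical.

# Print the rule set. iptables-restore flushes and rebuilds the filter
# table and swaps it in at COMMIT, so no packet meets a half-built chain.
ruleset() {
    cat <<'EOF'
*filter
# Policies replace the script's ACCEPT preamble and its trailing DROP rule
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Read a rule set on stdin; fail if it has no COMMIT line or no rule
# accepting SSH (loading it remotely would lock the admin out).
lint_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -qx -e 'COMMIT' || return 1
    printf '%s\n' "$rules" |
        grep -Eq -e '^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT$' || return 1
}

# Lint, let iptables-restore parse without committing, then load for real.
apply_ruleset() {
    ruleset | lint_ruleset || { echo "rule set failed lint" >&2; return 1; }
    ruleset | iptables-restore --test || return 1
    ruleset | iptables-restore
}

# Only touch the firewall when asked to: sh firewall.sh apply
case "${1:-}" in
    apply) apply_ruleset ;;
    print) ruleset ;;
esac
```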
