This is a follow-up to previous question, in which I asked whether my iptables configuration was correct.

CentOS 5.3 system.

Expected result: block everything except ping, ssh, Apache and SSL.

Based on xenoterracide's advice and the answers to other questions (thank you all), I created this script:
    # Establish a clean slate
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F # Flush all rules
    iptables -X # Delete all chains

    # Disable routing. Drop packets if they reach the end of the chain.
    iptables -P FORWARD DROP

    # Drop all packets with a bad state
    iptables -A INPUT -m state --state INVALID -j DROP

    # Accept any packets that have something to do with ones we've sent on outbound
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Accept any packets coming or going on localhost (this can be very important)
    iptables -A INPUT -i lo -j ACCEPT

    # Accept ICMP
    iptables -A INPUT -p icmp -j ACCEPT

    # Allow ssh
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    # Allow httpd
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    # Allow SSL
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    # Block all other traffic
    iptables -A INPUT -j DROP

Now when I list the rules I get...
    # iptables -L -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
        9   612 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
        0     0 DROP       all  --  any    any     anywhere             anywhere

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 5 packets, 644 bytes)
     pkts bytes target     prot opt in     out     source               destination

I ran it and I can still log in, so that's good. Does anyone notice anything major?
Solution

It looks good for the most part. The main thing is that you should use iptables-save and iptables-restore rather than running iptables over and over. The iptables-save/restore approach gives you atomic batch updates (like a database transaction), so you know nothing can get in (or fail to get in) because your iptables changes were only half done when a network packet arrived. Making this change also lets you drop the initial ACCEPT policy, so it just sets the preferred policy (preferably DENY) and then the individual rules (the ACCEPTed exceptions).

Beyond that, you may want to pay closer attention to ICMP (rather than just allowing all of it). I have heard that some aspects of ICMP are pretty dodgy these days. Personally, I don't think it's worth it, since so much diagnostics and traffic management depend on ICMP.

Regarding womble's "don't use iptables" comment: I wouldn't say you shouldn't use iptables directly (or iptables-save/restore), but I'd suggest using FERM instead. It's essentially just iptables with a more expressive and less repetitive language, plus variable support. For example, your iptables commands:
    iptables -P INPUT ACCEPT
    ...
    # Allow ssh
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    # Allow httpd
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    # Allow SSL
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

in ferm look more like this:

    # allow some incoming TCP
    chain INPUT {
        policy ACCEPT;
        # service names are resolved through /etc/services, where port 80 is "http"
        proto tcp dport (ssh http https) ACCEPT;
    }

Much nicer, right?
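The iptables-save/restore approach the answer recommends, as an added example written for this page rather than code from the question or the answer: the asker's rules in iptables-save format, with the DROP policy set up front and the whole table loaded in one atomic step. The helper names are mine, and the /etc/sysconfig/iptables path is assumed from the stock CentOS layout.

```shell
#!/bin/sh
# Added example for this page (not the asker's or answerer's code): the same
# rule set as the question's script, written in the format iptables-save emits,
# so that iptables-restore loads it in one atomic step.

# Print the ruleset. The default policies are set to DROP for INPUT and
# FORWARD up front, so the trailing "iptables -A INPUT -j DROP" catch-all
# from the original script is no longer needed; OUTPUT stays ACCEPT.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Offline sanity check before touching the kernel: every line must be a table
# header, a chain policy, an -A rule ending in a known target, or COMMIT.
# Returns 1 if anything else (e.g. a pasted-in "iptables ..." command) slipped in.
check_ruleset() {
    pattern='^(\*[a-z]+|:[A-Z]+ (ACCEPT|DROP) \[[0-9]+:[0-9]+\]|-A [A-Z]+ .*-j (ACCEPT|DROP)|COMMIT)$'
    if gen_ruleset | grep -Ev "$pattern" >/dev/null; then
        return 1
    fi
    return 0
}

# Load the whole table at once (requires root). Because the ssh ACCEPT rule is
# part of the same transaction as the DROP policy, there is no window in which
# an incoming ssh session is refused half-way through the update.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    check_ruleset || { echo "apply_ruleset: ruleset failed sanity check" >&2; return 1; }
    # The CentOS iptables init script reloads /etc/sysconfig/iptables at boot
    # (path assumed from the stock layout), so a copy there makes the rules persist.
    gen_ruleset > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
}
# Usage: sh fw.sh apply   (anything else only prints the ruleset)
if [ "${1:-}" = "apply" ]; then apply_ruleset; else gen_ruleset; fi
```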