Linux
Managing iptables for specific IPs and ports
I disable the firewall like this:

#!/bin/bash
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Update

I also enable my firewall like this:

#!/bin/bash
ssh=x.x.x.x
http='x.x.x.x y.y.y.y'

# Clear any previous rules.
iptables -F

# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow anything over loopback.
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# Drop any tcp packet that does not start a connection with a syn flag.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop any invalid packet that could not be identified.
iptables -A INPUT -m state --state INVALID -j DROP

# Drop invalid packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow only ICMP echo requests (ping) in. Limit rate in. Uncomment if needed.
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -j ACCEPT

iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source $ssh -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j DROP

for web in $http; do
    iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source $web -p tcp -m multiport --dports 80,443 -j ACCEPT
    iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 80,443 -j DROP
done

# or block ICMP allow only ping out
iptables -A INPUT -p icmp -m state --state NEW -j DROP
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
So I want x.x.x.x to be able to ssh to me. And I want the following IPs to see my ports 80,443:

x.x.x.x y.y.y.y

How can I change it?
I think you have the rules in the wrong order. In iptables, -A appends to the chain rather than inserting in front of it. Typically you have

iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

and then

# Drop any tcp packet that does not start a connection with a syn flag.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Instead of changing the order, you could rewrite it with -I INPUT 1 so that each rule is inserted ahead of the previous one, i.e. at the top. But in that case the trailing ping/icmp rules would have to be moved. Now, back to your question:

iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK
iptables -A SSH_CHECK -s x.x.x.x -j ACCEPT -m comment --comment "allow joe to ssh from his IP"
iptables -A HTTP_CHECK -s y.y.y.y -j ACCEPT -m comment --comment "allow mary to visit my HTTP/S server"

Your default DROP policy takes care of the IPs that don't qualify.
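The script below is an added example, not the asker's script or the answerer's rules. It puts the answer's two ideas together: the stateful ESTABLISHED rules are appended before the sanity DROPs, so the order that -A produces is the order you actually want, and each service gets its own chain holding only an allow-list, with the chain's DROP policy catching everything else. That layout also avoids the trap in the asker's for loop, where the DROP for ports 80,443 is appended after the first address's ACCEPT and so shadows the second address. The addresses are constructed placeholders from the RFC 5737 documentation ranges, the SSH_CHECK and HTTP_CHECK chain names come from the answer, and the ipt wrapper plus DRY_RUN and APPLY variables are this example's own device for printing the rule list so its order can be reviewed without root.

```shell
#!/bin/sh
# Added example: the answer's per-service chains with an explicit rule order.
# Addresses are constructed placeholders (RFC 5737 documentation ranges).
# DRY_RUN=1 prints each iptables command instead of running it, so the rule
# order can be reviewed or tested without root.

SSH_ADMIN="${SSH_ADMIN:-192.0.2.10}"                    # stands in for x.x.x.x
WEB_CLIENTS="${WEB_CLIENTS:-192.0.2.10 198.51.100.20}"  # stands in for x.x.x.x y.y.y.y

ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Flush rules before deleting user chains: -X refuses a chain still in use.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful rules go first: replies to connections we already track are
    # accepted before any of the sanity DROPs below can touch them.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Rate-limited ping in; this sits before the service chains, so nothing
    # later in INPUT can shadow it.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Per-service chains: INPUT jumps once per port, and the chain carries
    # the allow-list. A chain must exist (-N) before a -j can reference it.
    ipt -N SSH_CHECK
    ipt -N HTTP_CHECK
    ipt -A INPUT -p tcp --dport 22 -j SSH_CHECK
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -j HTTP_CHECK

    ipt -A SSH_CHECK -s "$SSH_ADMIN" -j ACCEPT -m comment --comment "ssh from admin IP"
    for client in $WEB_CLIENTS; do
        ipt -A HTTP_CHECK -s "$client" -j ACCEPT -m comment --comment "web client"
    done

    # Nothing is dropped inside the chains: an unmatched packet returns to
    # INPUT, falls off the end and hits the DROP policy. Log it first so the
    # rejected sources show up in the kernel log (rate-limited).
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Review helper usable without root: 1-based position of the first generated
# command containing the given fixed string, empty if there is none.
rule_line() {
    (DRY_RUN=1; apply_rules) | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Dry run by default; APPLY=1 runs the real iptables commands (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    (DRY_RUN=1; apply_rules)
fi
```

Run it as-is to see the generated rule list, then with APPLY=1 as root to load it. Because the chains contain only ACCEPT rules, adding a client is a single -A into HTTP_CHECK with no ordering to get wrong; and if you ever need the -I INPUT 1 trick the answer mentions, apply it only to the jump rules, never to the contents of the chains.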