Lab environment: 210.45.155.0/255.255.255.0

Server: Debian (lenny) 5.0, IP: 210.45.155.96

iptables evaluates rules in order, from top to bottom!

Commonly used iptables maintenance commands:

#iptables -L -n    show the current iptables rules

#iptables-save > /etc/iptables.test.rules    save the rules

#iptables-restore < /etc/iptables.test.rules    restore the saved rules

To have iptables load the rules automatically at boot, add the following to /etc/rc.local:

/sbin/modprobe ip_nat_ftp (module loaded to support FTP; optional)
/sbin/iptables-restore /etc/iptables.test.rules

Note that full paths must be used; otherwise the system will not find the commands, the rules file or the scripts.
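A single malformed line in the saved file (for example a comment that wrapped onto a second line without its leading `#`) makes iptables-restore abort, and the host then boots with no rules loaded. The following POSIX sh lint, an added example that is not part of the original post, checks the iptables-restore format before the file is handed to /sbin/iptables-restore; the sample it lints is constructed.

```shell
#!/bin/sh
# Check an iptables-restore file before loading it. A stray line (for example a
# comment that wrapped onto a second line without its leading '#') makes
# iptables-restore abort, so the host boots with no rules applied at all.
# Returns 0 when the file is well-formed, 1 otherwise (problems go to stderr).
lint_rules() {
    file=$1
    status=0
    in_table=0
    n=0
    while read -r first rest || [ -n "$first" ]; do
        n=$((n + 1))
        case $first in
            ''|'#'*) ;;                         # blank line or comment
            '*'*) in_table=1 ;;                 # table header such as *filter
            COMMIT) in_table=0 ;;               # closes the current table
            ':'*|-A|-N|-I|-D|-P)                # chain policy or rule
                if [ "$in_table" -eq 0 ]; then
                    echo "$file:$n: '$first' appears before any table header" >&2
                    status=1
                fi ;;
            *)
                echo "$file:$n: unrecognised line: $first $rest" >&2
                status=1 ;;
        esac
    done < "$file"
    if [ "$in_table" -eq 1 ]; then
        echo "$file: last table is not closed by COMMIT" >&2
        status=1
    fi
    return $status
}
# Demo on a constructed sample that reproduces the wrapped-comment mistake.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# For noisy subnets you may want to
drop broadcast traffic to avoid cluttering your logs
COMMIT
EOF
if lint_rules "$sample"; then
    echo "ok: safe to run /sbin/iptables-restore $sample"
else
    echo "refusing to load $sample"
fi
rm -f "$sample"
```

In /etc/rc.local, run `lint_rules /etc/iptables.test.rules && /sbin/iptables-restore /etc/iptables.test.rules` so a broken file is reported instead of silently leaving the host unfiltered.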

# This file is in iptables-restore format. See the man pages for iptables-restore(8) and iptables-save(8).

# The following is a set of firewall rules that should be applicable to Linux servers running within departments.
# It is intended to provide a useful starting point from which to devise a comprehensive firewall policy for a host.
#
# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be populated with rules specific to particular hosts.
#
# Aside:
# In Network Services we use a template system for distribution of firewall rules to each managed host.
# If a templating system is used (whether cfengine or bespoke scripts) then the process of updating firewall policy en masse is greatly simplified.

# For some protocols it is necessary to track incoming connections that are related to already established connections.
# With a modular kernel it will be necessary to load specific kernel modules to add this functionality:
#
# modprobe -a ip_conntrack_ftp ip_conntrack_amanda ip_conntrack_sip ip_conntrack_h323 ip_conntrack_irc ...
#
# You should load these modules at system startup, e.g. by amending /etc/modules (Debian) or rc.modules (RedHat)

# If you have any question relating to the application of this information then please contact:
#
# Terry Burton - [email protected] - ext: 3474
####################
# 1. Common header #
####################

# This static section is a generic header that should be suitable for most hosts

*filter
:INPUT DROP [0:0]

# Don't attempt to firewall internal traffic on the loopback device
-A INPUT -i lo -j ACCEPT

# Continue connections that are already established or related to an established connection
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop non-conforming packets, such as malformed headers, etc.
-A INPUT -m state --state INVALID -j DROP

# Block remote packets claiming to be from a loopback address
-A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP

# Chain for preventing SSH brute-force attacks from off-campus.
# Permits 10 new connections within 5 minutes from a single host, then drops incoming connections from that host.
# Note: Beyond a burst of 100 connections we log at up to 1 attempt per second to prevent filling of logs.
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "SSHBRUTE: "
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT

# Chain for preventing ping flooding - up to 6 pings per second from a single source, again with log limiting
# Also prevents us from ICMP REPLY flooding some victim when replying to ICMP ECHO from a spoofed source
-N ICMPFLOOD
-A ICMPFLOOD -m recent --set --name ICMP --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ICMPFLOOD: "
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
-A ICMPFLOOD -j ACCEPT

##########################
# 2. Host specific rules #
##########################

# This dynamic section is a good place to enable host-specific services such as HTTP or MySQL
# This is often a blank part of the template that is filled in with per-host data.

# For example:

# Accept worldwide access to http and https
-A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 --syn -m state --state NEW -j ACCEPT
## FTP
# Allow FTP. Inbound control connections to an FTP server on this host are accepted below;
# outbound FTP, and the data connections of both active and passive transfers, are already
# covered by the RELATED,ESTABLISHED rule in part 1 once ip_conntrack_ftp is loaded.
-A INPUT -p tcp -m tcp --dport 21 --syn -m state --state NEW -j ACCEPT
# The old "--sport 21" idiom is redundant with connection tracking and would accept any
# unsolicited TCP packet that merely carries source port 21, so it is left disabled here.
#-A INPUT -p tcp --sport 21 -j ACCEPT

# Wherever possible, it is advised to restrict access to a service based on the source of the traffic
# For example:
#
# Restrict access to MySQL from "subnet 123"
-A INPUT -s 210.45.246.0/255.255.255.0 -p tcp -m tcp --dport 3306 --syn -m state --state NEW -j ACCEPT

# You may also want to consider using source-based rate limiting
# For example:
#
# Restrict access to SSH from "on-campus" hosts and rate limit
#-A INPUT -s 210.45.0.0/255.255.0.0 -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE


####################
# 3. General rules #
####################

# This static section is a good place to put rules that apply to all of your services

# Permit communication with any NTP server on campus
#-A INPUT -s 210.45.0.0/255.255.0.0 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT

# If the host receives mail then accept SMTP from the mailhubs
#
# These will need infrequently updating upon announcements from Network Services
#
# These mailhubs are due to be decommissioned - required until further notice
#-A INPUT -s 210.45.4.129  -p tcp -m tcp --dport 25 --syn -m state --state NEW -j ACCEPT  
#-A INPUT -s 210.45.16.125 -p tcp -m tcp --dport 25 --syn -m state --state NEW -j ACCEPT 
#-A INPUT -s 210.45.16.127 -p tcp -m tcp --dport 25 --syn -m state --state NEW -j ACCEPT 
# These mailhubs are due to be commissioned
# -A INPUT -s 210.45.16.36  -p tcp -m tcp --dport 25 --syn -m state --state NEW -j ACCEPT
# -A INPUT -s 210.45.16.37  -p tcp -m tcp --dport 25 --syn -m state --state NEW -j ACCEPT
# -A INPUT -s 210.45.16.38  -p tcp -m tcp --dport 25 --syn -m state --state NEW -j ACCEPT
# -A INPUT -s 210.45.4.39   -p tcp -m tcp --dport 25 --syn -m state --state NEW -j ACCEPT


# Permit useful icmp packet types
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing of even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not by hiding.
# -A INPUT -p icmp -m icmp --icmp-type 0  -m state --state NEW -j ACCEPT
# -A INPUT -p icmp -m icmp --icmp-type 3  -m state --state NEW -j ACCEPT
# -A INPUT -p icmp -m icmp --icmp-type 8  -m state --state NEW -j ICMPFLOOD
# -A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT

# Good practice is to explicitly reject AUTH traffic so that it fails fast
#-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset

# If you are routing using a RIP daemon then accept RIP-2 multicasts
#-A INPUT -p udp -m udp --sport 520 --dport 520 -m state --state NEW -j ACCEPT

# May not want to log late replies from campus nameservers
#-A INPUT -s 210.45.4.11   -p udp -m udp --sport 53 -j DROP
#-A INPUT -s 210.45.12.152 -p udp -m udp --sport 53 -j DROP
#-A INPUT -s 210.45.12.154 -p udp -m udp --sport 53 -j DROP

# For noisy subnets you may want to drop broadcast traffic to avoid cluttering your logs
#-A INPUT -d 210.45.123.255 -j DROP
#-A INPUT -d 255.255.255.255 -j DROP

# Prevent a DoS that works by filling the log files: rate-limit the final catch-all LOG rule
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG

COMMIT
#####end
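The SSHBRUTE and ICMPFLOOD chains tag their log entries with a prefix, while the final LOG rule records, unprefixed, whatever else reached the end of the INPUT chain. The script below is an added example, not part of the original post or of the template's author's material: it summarises such kern.log lines by log prefix and source address so that a brute-force or flood source stands out. The log lines it ships with are constructed; the DST is the server from this page and the sources are RFC 5737 test addresses.

```shell
#!/bin/sh
# Summarise netfilter LOG output (kern.log / syslog) by log prefix and source.
# Entries from the SSHBRUTE and ICMPFLOOD chains carry their --log-prefix;
# entries from the unprefixed catch-all LOG rule are reported as UNPREFIXED.
# Output format: "<prefix> <source address> <count>", busiest sources first.
summarize_fw_log() {
    awk '
        /kernel: / && /SRC=/ {
            prefix = "UNPREFIXED"
            # the prefix sits between "kernel: " and " IN="; drop the ": IN=" tail
            if (match($0, /[A-Z0-9_-]+: IN=/))
                prefix = substr($0, RSTART, RLENGTH - 5)
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") count[prefix " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort -k3,3nr -k1,1
}

# Constructed sample log lines (not captured from the server on this page).
demo_log() {
    cat <<'EOF'
Jul 14 10:00:01 debian kernel: SSHBRUTE: IN=eth0 OUT= SRC=203.0.113.5 DST=210.45.155.96 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Jul 14 10:00:02 debian kernel: SSHBRUTE: IN=eth0 OUT= SRC=203.0.113.5 DST=210.45.155.96 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Jul 14 10:00:03 debian kernel: SSHBRUTE: IN=eth0 OUT= SRC=203.0.113.5 DST=210.45.155.96 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN
Jul 14 10:00:04 debian kernel: ICMPFLOOD: IN=eth0 OUT= SRC=198.51.100.9 DST=210.45.155.96 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jul 14 10:00:05 debian kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=210.45.155.96 LEN=40 PROTO=TCP SPT=55555 DPT=3306 SYN
Jul 14 10:00:06 debian sshd[1234]: Accepted publickey for admin from 210.45.155.10 port 50000 ssh2
EOF
}

log=$(mktemp)
demo_log > "$log"
summarize_fw_log "$log"
rm -f "$log"
```

On a live host, point summarize_fw_log at /var/log/kern.log (or the file your syslog writes kernel messages to).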

Another set, found online, for reference:

1. Default policies: let traffic out without restriction, but allow no traffic in

#iptables -P INPUT DROP

#iptables -P FORWARD DROP

#iptables -P OUTPUT ACCEPT

2. Allow 172.28.156.90 unrestricted connections to the server 172.28.156.96 (convenient for maintaining and testing the server)

#iptables -A INPUT -s 172.28.156.90 -d 172.28.156.96 -j ACCEPT

3. Allow the 127.0.0.1 loopback

#iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

#iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

4. Allow every machine on the 172.28.156.0 LAN to reach port 80 on the server 172.28.156.96

#iptables -A INPUT -p tcp -s 172.28.156.0/24 -d 172.28.156.96 --dport 80 -j ACCEPT

5. Deny 172.28.156.92 pinging 172.28.156.96

#iptables -A INPUT -p icmp -s 172.28.156.92 -d 172.28.156.96 -j DROP

6. Deny all pings

#iptables -A INPUT -p icmp -j DROP

7. Deny 172.28.156.96 pinging 172.28.156.8

#iptables -A OUTPUT -p icmp -s 172.28.156.96 -d 172.28.156.8 -j DROP

8. Deny 172.28.156.234 connecting to port 80 on 172.28.156.96

#iptables -A INPUT -p tcp -s 172.28.156.234 -d 172.28.156.96 --dport 80 -j DROP

9. Allow the server 192.168.1.96 to use ping

#iptables -A INPUT -p icmp -d 172.28.156.96 -j ACCEPT

10. Allow DNS queries

#iptables -A INPUT -p udp --sport 53 -j ACCEPT

#iptables -A INPUT -p tcp --sport 80 -j ACCEPT (note: web browsing seems to need this port open?)

11. Allow the machine 172.28.156.234 to ping the server 172.28.156.96

#iptables -A INPUT -p icmp -s 172.28.156.234 -j ACCEPT

12. If you want to be able to ping others while they cannot ping you:

#iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP

#iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT

#iptables -A OUTPUT -p icmp --icmp-type 0 -s 172.28.156.96 -j DROP

#iptables -A OUTPUT -p icmp --icmp-type 8 -s 172.28.156.96 -j DROP

Note: ICMP type 0 is Echo Reply (ping reply) and type 8 is Echo Request (ping request). See TCP/IP, Chapter 6, ICMP: Internet Control Message Protocol.

13. Fix for apt-get update not working

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

14. Using FTP

#modprobe ip_nat_ftp    load the module

#modprobe ip_conntrack

#modprobe ip_conntrack_ftp

#iptables -A INPUT -p tcp --sport 21 -j ACCEPT

#iptables -A INPUT -p tcp --dport 21 -j ACCEPT

#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

15. Find a rule's line number and delete it

#iptables -L -n --line-numbers

iptables -D INPUT 8

16. Deny 172.28.156.90 connecting to port 80 on the server (note: this must be placed before the allow rule)

#iptables -I INPUT 1 -p tcp -s 172.28.156.90 -d 172.28.156.96 --dport 80 -j DROP

Last modification:July 14, 2020