For server security we need to configure the iptables firewall on Ubuntu 18.04; this is Laojiang's short note on the everyday use of iptables. Everything below is done as root (or with sudo) on the server. Some server images ship with iptables already installed, so first check whether it is there; if it is, go straight to adding firewall rules.
First, check whether iptables is installed
# check
# which iptables
/sbin/iptables
# whereis iptables
iptables: /sbin/iptables /etc/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
Second, install iptables
If it is not installed, install it:
# install
sudo apt-get install iptables
Third, once iptables is installed, create the rules file
vi /etc/iptables
Check first with ls -ld /etc/iptables that nothing is already at that path: if it is a directory (the iptables-persistent package keeps its rules.v4 and rules.v6 there), use a different file name such as /etc/iptables.rules throughout the steps below.
Add the rules. The file is a complete ruleset in iptables-restore format, not a list of iptables commands:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7070 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
A few things to know about this ruleset before copying it. The default INPUT policy is DROP, so anything not explicitly accepted is dropped; the loopback and RELATED,ESTABLISHED rules must stay at the top or local services and replies to outbound connections break. Rules are matched in order: the per-port ACCEPT rules come before the jump to syn-flood, so a SYN to 22, 80, 443, 3306, 8080 or 7070 never reaches that chain. Only SYNs to unlisted ports do, and those are rejected by the final rule in any case, so as written the syn-flood chain does not protect the open ports at all; if you want to rate-limit new connections to them, the jump has to come before the port rules, and 3 new connections per second is far too low for a public web server. The first ICMP rule (100/sec, burst 100) accepts nearly every ping, so the second (1/s) almost never matches; keep one of them. Pings above the limit fall through to the final REJECT. Ports 3306 (MySQL), 8080 and 7070 are opened to the whole internet here; open 3306 only if the database genuinely must be reached remotely, and then restrict the rule to the client's address with -s. -m state still works on 18.04, but -m conntrack --ctstate is the current form. Finally, this file affects IPv4 only: ip6tables keeps its default ACCEPT policy, so a server reachable over IPv6 stays wide open unless you write a matching ip6tables ruleset.
Then load the file into the running kernel:
iptables-restore < /etc/iptables
Do not run iptables-save > /etc/iptables at this point. iptables-save writes out the rules that are currently active, which on a fresh machine is an empty accept-everything set, and would overwrite the file you just edited. iptables-save is for the opposite direction: after you have changed rules with iptables commands, write the live ruleset back to the file. If you are working over SSH, parse the file first with iptables-restore --test < /etc/iptables and keep a second session open in case the new rules lock you out.
Fourth, make the rules load again after a reboot
Rules loaded with iptables-restore exist only in the running kernel and are gone after a reboot. Create a hook script:
vi /etc/network/if-pre-up.d/iptables
Add:
#!/bin/sh
iptables-restore < /etc/iptables
Save and exit, then make the script executable, otherwise run-parts skips it:
chmod +x /etc/network/if-pre-up.d/iptables
Caveat: scripts in /etc/network/if-pre-up.d are run by ifupdown only. Ubuntu 18.04 server configures networking with netplan and systemd-networkd by default, which never run these hooks, so on such a system the rules would silently not come back. The simpler alternative is the iptables-persistent package (apt-get install iptables-persistent): it keeps the rules in /etc/iptables/rules.v4 and /etc/iptables/rules.v6 and reloads them at boot through the netfilter-persistent service.
Fifth, view the firewall rules
iptables -L
Add -n to show numeric ports and addresses instead of names and -v for packet and byte counters (iptables -L -n -v); iptables -S prints the rules in the same syntax as the file, which makes comparing the two easier.
Here we can see the whole firewall configuration:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:7070
ACCEPT     icmp --  anywhere             anywhere             limit: avg 100/sec burst 100
ACCEPT     icmp --  anywhere             anywhere             limit: avg 1/sec burst 10
syn-flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain syn-flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             limit: avg 3/sec burst 6
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
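The whole procedure above (write the rules file, load it, persist it) collected into one script, as an added example that is not code from the original post. It generates the ruleset from an allow-list instead of hand-editing it, checks the file statically before it touches the kernel, loads it with iptables-restore --test and then for real, and arms a rollback timer so that a mistake in the rules does not lock you out of SSH. The allowed ports (22, 80, 443; 3306 deliberately closed), the FORWARD DROP policy, the paths /etc/iptables.rules and /tmp/iptables.*, the 60-second window, the script name firewall.sh and the subcommand names gen/apply/confirm/persist are all assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: generate an iptables
# ruleset in iptables-restore format from an allow-list, sanity-check it,
# and load it with a rollback timer so a typo cannot lock you out of SSH.
# Assumptions: the allowed ports, the file paths under /tmp and /etc and the
# 60-second rollback window are all choices made for this example.
set -eu

ALLOW_TCP="${ALLOW_TCP:-22 80 443}"             # assumed: SSH and web only; 3306 stays closed
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}" # a plain file, not the /etc/iptables/ directory
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
BACKUP="/tmp/iptables.backup.$$"
PIDFILE="/tmp/iptables.rollback.pid"

# Print a complete *filter table for the given space-separated TCP ports.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $1; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # One ICMP limit is enough; pings above it fall through to the final REJECT.
    printf '%s\n' '-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT'
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Static checks that need neither root nor the iptables binary: complete
# *filter ... COMMIT block, loopback and established traffic kept, and the
# port we administer over (22) still open.  Prints the reason on failure.
check_rules() {
    f="$1"
    [ "$(head -n 1 "$f")" = '*filter' ] || { echo "missing *filter header"; return 1; }
    [ "$(tail -n 1 "$f")" = 'COMMIT' ]  || { echo "missing COMMIT"; return 1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" || { echo "loopback not allowed"; return 1; }
    grep -q -- 'RELATED,ESTABLISHED -j ACCEPT' "$f" || { echo "established traffic not allowed"; return 1; }
    grep -q -- '--dport 22 .*-j ACCEPT' "$f" || { echo "no SSH rule: you would lock yourself out"; return 1; }
    return 0
}

# Load the file: parse-only first (iptables-restore --test), back up the live
# rules, apply, then arm a background rollback that reloads the backup unless
# confirm_rules is run within ROLLBACK_SECS.  Needs root and a real kernel.
apply_rules() {
    f="$1"
    check_rules "$f"
    iptables-restore --test < "$f"
    iptables-save > "$BACKUP"
    iptables-restore < "$f"
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    echo $! > "$PIDFILE"
    echo "applied; run '$0 confirm' within ${ROLLBACK_SECS}s or the old rules come back"
}

confirm_rules() {
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE" && echo "rules confirmed"
}

# Write the same ifupdown hook the post uses (only runs if ifupdown manages
# the interface; under netplan use the iptables-persistent package instead).
install_hook() {
    printf '#!/bin/sh\niptables-restore < %s\n' "$RULES_FILE" > /etc/network/if-pre-up.d/iptables
    chmod +x /etc/network/if-pre-up.d/iptables
}

case "${1:-}" in
    gen)     gen_rules "$ALLOW_TCP" > "$RULES_FILE" && check_rules "$RULES_FILE" ;;
    apply)   apply_rules "$RULES_FILE" ;;
    confirm) confirm_rules ;;
    persist) install_hook ;;
esac
```

Run sh firewall.sh gen to write the file, sh firewall.sh apply from your SSH session, then open a second session and run sh firewall.sh confirm within the window; if the second session cannot connect, just wait and the old rules come back on their own. gen_rules and check_rules need neither root nor iptables, so the file can be produced and checked on a workstation before it is copied to the server. The persist subcommand reproduces the post's ifupdown hook and has the same netplan limitation.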
That is how it is normally used. For your own iptables configuration, open only the ports your server actually serves. Reference:
http://www.fyluo.com/?post=233