极速快客 posted on 2022-7-19 00:02:00

Configuring the iptables firewall on Debian

<p>On Debian, iptables commands take effect as soon as they are entered, but the configuration is lost after a reboot: iptables on Debian does not persist rules by itself. You can use iptables-save to dump the configuration quickly and then have iptables load the exported file automatically at boot, as follows.<br>To stop iptables, iptables -F clears all rules, which has the same effect as stopping it.<br>whereis iptables: shows the path where iptables is installed.</p>
<p><br>1. Save the iptables configuration to /etc/iptables; the file name is your choice, as long as it matches the configuration used below.<br>iptables-save &gt; /etc/iptables</p>
<p><br>2. Create the configuration file that is loaded at startup, and give it execute permission<br>vi /etc/iptables</p>
<div class="cnblogs_code">
<pre># Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-I INPUT -p tcp --dport 8080 -j ACCEPT
-I INPUT -p udp --dport 8080 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed</pre>
</div>
<p>/sbin/iptables-restore &lt; /etc/iptables</p>
<p>iptables -L</p>
<p><br>3. Edit the startup script; its content restores the iptables configuration when the network is brought up<br>vi /etc/network/if-pre-up.d/iptables<br>Content:</p>
<div class="cnblogs_code">
<pre>#!/bin/sh
/sbin/iptables-restore &lt; /etc/iptables</pre>
</div>
<p>Save and exit. After a reboot, iptables now loads the rules automatically.</p>
<p>Note: after the next change to the iptables rules, export the configuration file again.</p>
<div class="cnblogs_code">
<pre># Clear the existing configuration
iptables -F
iptables -X
iptables -Z
# Policy: deny inbound, allow outbound, allow the loopback interface
iptables -P INPUT DROP
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -j ACCEPT
# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow ftp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Allow the ftp passive port range (the range is set in the ftp server's configuration file)
iptables -A INPUT -p tcp --dport 20000:30000 -j ACCEPT
# Following felix, make smtp local-only
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT -s 127.0.0.1
iptables -A INPUT -p tcp -m tcp --dport 25 -j REJECT
# Allow DNS
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow http and https
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow established or related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject anything not allowed by the rules above
iptables -A INPUT -j REJECT   # (Note: if port 22 has not been added to the allow rules, the SSH connection drops immediately.)
iptables -A FORWARD -j REJECT
# Save the configuration
iptables-save &gt; /etc/iptables</pre>
</div>
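<p>A pre-flight check for a saved rules file, added here as an example (not from the original post), that enforces the SSH lock-out caveat above before iptables-restore loads the file at boot: every table must be closed by COMMIT, and when INPUT ends in a DROP policy or a catch-all REJECT, a rule accepting tcp/22 must be present. check_ruleset() and the two sample dumps are constructed for this demonstration.</p>

```shell
#!/bin/sh
# Pre-flight check of an iptables-save dump before iptables-restore loads it at boot.
# Added example, not from the original post; check_ruleset() is a hypothetical helper
# and the two sample dumps are constructed for the demonstration.
# check_ruleset FILE -> returns 0 when the dump is safe to restore, 1 otherwise
check_ruleset() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    # Every "*table" block must end with COMMIT, or iptables-restore rejects the file
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ]; then
        echo "$f: $tables table(s) but $commits COMMIT line(s)" >&2
        return 1
    fi
    # INPUT is closed when its policy is DROP or a catch-all REJECT/DROP is appended...
    if grep -Eq '^:INPUT DROP' "$f" || grep -Eq '^-A INPUT -j (REJECT|DROP)' "$f"; then
        # ...so an ACCEPT for tcp/22 must be present or the remote session dies on restore
        if ! grep -Eq '^-[AI] INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' "$f"; then
            echo "$f: INPUT is closed but nothing accepts tcp/22 (SSH lock-out)" >&2
            return 1
        fi
    fi
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed dump 1: mirrors the post's ruleset, SSH admitted before the catch-all
SAFE_RULES="$WORK/safe.rules"
cat > "$SAFE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# Constructed dump 2: DROP policy with only HTTP admitted, no SSH rule
UNSAFE_RULES="$WORK/lockout.rules"
cat > "$UNSAFE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
for f in "$SAFE_RULES" "$UNSAFE_RULES"; do
    check_ruleset "$f" && echo "$f: ok to restore" || echo "$f: refused"
done
```

The script never calls iptables, so it can run on any host; pair it with iptables-restore --test FILE, which parses the file without committing it, for the syntax check this script does not do.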
<p><br><strong>Because iptables is not installed as a service on Debian by default,</strong> service iptables reports "unrecognized service"; a script has to be added under /etc/init.d/. The script is shown below.<br>It is recommended to save it as /etc/init.d/iptables and then run chmod +x /etc/init.d/iptables to give it execute permission.</p>
<div class="cnblogs_code">
<pre>#!/bin/sh -e
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
# Rules file written by "save"; use the same path as with iptables-save above
IPTABLES_CONFIG=/etc/iptables.conf
[ -x $IPTABLES ] || exit 0
. /lib/lsb/init-functions
case "$1" in
start)
    log_action_begin_msg "Starting firewall"
    type usplash_write &gt;/dev/null 2&gt;/dev/null &amp;&amp; usplash_write "TIMEOUT 120" || true
    if $IPTABLES_RESTORE &lt; $IPTABLES_CONFIG ; then
      log_action_end_msg $?
    else
      log_action_end_msg $?
    fi
    type usplash_write &gt;/dev/null 2&gt;/dev/null &amp;&amp; usplash_write "TIMEOUT 15" || true
    ;;
stop)
    # Save the live ruleset first, then flush, delete chains and open the policies
    log_action_begin_msg "Saving current firewall configuration"
    if $IPTABLES_SAVE &gt; $IPTABLES_CONFIG ; then
      log_action_end_msg $?
    else
      log_action_end_msg $?
    fi
    log_action_begin_msg "Flushing ALL firewall rules from chains!"
    if $IPTABLES -F ; then
      log_action_end_msg $?
    else
      log_action_end_msg $?
    fi
    log_action_begin_msg "Deleting ALL firewall chains "
    if $IPTABLES -X ; then
      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      log_action_end_msg $?
    else
      log_action_end_msg $?
    fi
    ;;
save)
    log_action_begin_msg "Saving current firewall configuration"
    if $IPTABLES_SAVE &gt; $IPTABLES_CONFIG ; then
      log_action_end_msg $?
    else
      log_action_end_msg $?
    fi
    ;;
force-reload|restart)
    log_action_begin_msg "Reloading firewall configuration "
    $IPTABLES -F
    $IPTABLES -X
    if $IPTABLES_RESTORE &lt; $IPTABLES_CONFIG ; then
      log_action_end_msg $?
    else
      log_action_end_msg $?
    fi
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop|save|restart|force-reload}"
    exit 1
    ;;
esac
exit 0</pre>
</div>
Source: https://www.cnblogs.com/H4ck3rX/p/16492521.html