話說一直維護者某Ubuntu Linux服務器,以前都是隻用hosts.allow就行了。但是偏偏前些天被要求寫iptables。。。。無奈一點點試吧。
找了個大牛http://jiayeah.com/指導着我。。。。總體思路就是放行需要的訪問,其他的訪問一概幹掉。。。。。是不是太嚴了?反正這樣安全。。。不過。。。。
服務器不在身邊啊,我都是遠程管理。如果稍有不慎就會把自己幹掉了。。。。。。。
最終還是弄好了。幸好沒把自己幹掉了,呵呵。寫下來做個記錄
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:22
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state NEW,RELATED,E STABLISHED
DROP all -- anywhere anywhere state INVALID
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
對應的腳本是
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,RELATE,ESTABLISH -j ACCEPT
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP