Configuring an iptables Firewall on a Debian PC
Date: 2020-03-21 11:42:58 Source: igfitidea
Set up iptables firewall rules for inbound and outbound IPv4 traffic on a Debian PC (no routing).
Show the current IPv4 configuration
# iptables -t filter -nL
Save the current IPv4 rules to a backup file
# iptables-save > /root/iptables.rules.backup
Flush and delete any existing IPv4 chain configuration
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
Set up the new IPv4 configuration and apply the new rules
Create a file to store the configuration:
# touch /etc/iptables.up.rules
Add the iptables rules to '/etc/iptables.up.rules'.
The rules from my Debian PC are shown below as an example.
*filter
# FLUSH EXISTING CHAIN RULES #
-F INPUT
-F OUTPUT
-F FORWARD
# SET DEFAULT CHAIN POLICIES #
### Default INPUT and OUTPUT are set to ACCEPT because I sometimes
### have to do "iptables -F" and need all traffic to come and leave
### uninterrupted for troubleshooting. Do iptables-restore afterwards.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# INPUT CHAIN RULES #
### My LAN is on 10.10.1.0/24
### My vboxnet is on 10.8.8.0/24
### My eth0 and wlan0 interfaces are bonded (bond0)
### Allow inbound loopback
-A INPUT -i lo -m comment --comment "local" -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
### Allow inbound SSH (from LAN and VPN)
-A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW --dport 22 -j ACCEPT
### Allow inbound Echo ICMP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 20/second -j ACCEPT
### Allow inbound NetFlow for Ntop
-A INPUT -s 10.10.1.1/32 -p udp --dport 2055 -j ACCEPT
### Allow inbound Zabbix
-A INPUT -s 10.10.1.17/32 -p tcp --dport 10050 -j ACCEPT
### Stop filling logs
-A INPUT -p udp -m multiport --dports 137,138,139,445 -j DROP
-A INPUT -p udp -d 255.255.255.255 -j DROP
### Allow established and related traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### Log and reject everything else
-A INPUT -j LOG --log-level 4 --log-prefix "iptables_input "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# FORWARD CHAIN RULES #
-A FORWARD -j LOG --log-level 4 --log-prefix "iptables_forward "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
# OUTPUT CHAIN RULES #
### Allow outbound loopback
-A OUTPUT -o lo -d 127.0.0.0/8 -m comment --comment "local" -j ACCEPT
### Allow outbound any ICMP
-A OUTPUT -p icmp -m icmp --icmp-type any -j ACCEPT
### Basically, we want only encrypted VPN traffic to be allowed to leave (via tun0).
### However, before that, we need to connect to a VPN gateway.
### Allow outbound to VPN gateway
### (a hostname here is resolved once, when iptables-restore loads the file,
### so name resolution must work at that moment; an IP address avoids the dependency)
-A OUTPUT -d vpn.example.com -p udp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "VPN GW" -j ACCEPT
### Access to LAN should be allowed via any interface really.
### Allow outbound to LAN and vboxnet
-A OUTPUT -o bond0 -d 10.10.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -d 10.10.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -d 10.10.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o vboxnet0 -d 10.8.8.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
### Multiports allow outbound traceroute via VPN
-A OUTPUT -o tun0 -p udp -m multiport --dports 33434:33523 -j ACCEPT
### Allow outbound WHOIS via VPN
-A OUTPUT -o tun0 -p tcp --dport 43 -j ACCEPT
### Allow outbound DNS via VPN
-A OUTPUT -o tun0 -p udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -p tcp --dport 53 -j ACCEPT
### Allow outbound NTP via VPN
-A OUTPUT -o tun0 -p udp --dport 123 -j ACCEPT
### Allow outbound rsync via VPN
-A OUTPUT -o tun0 -p tcp --dport 873 -j ACCEPT
### Multiports allow non-encrypted outbound POP3 and IMAP via VPN
-A OUTPUT -o tun0 -p tcp -m multiport --dports 110,143 -j ACCEPT
### Multiports allow outbound SMTP(S), IMAPS and POP3S via VPN
-A OUTPUT -o tun0 -p tcp -m multiport --dports 25,465,587,993,995 -j ACCEPT
### Multiports allow outbound OpenLDAP(S) via VPN
-A OUTPUT -o tun0 -p tcp -m multiport --dports 389,636 -j ACCEPT
### Multiports allow outbound NFS and RPCBIND via VPN
-A OUTPUT -o tun0 -p tcp -m multiport --dports 111,2049 -j ACCEPT
-A OUTPUT -o tun0 -p udp -m multiport --dports 111,2049 -j ACCEPT
### Allow outbound Squid proxy via VPN
-A OUTPUT -o tun0 -p tcp --dport 3128 -j ACCEPT
### Multiports allow outbound various HTTP(S) via VPN
-A OUTPUT -o tun0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -o tun0 -p tcp -m multiport --dports 3000,3001 -j ACCEPT
-A OUTPUT -o tun0 -p tcp -m multiport --dports 8080,8443 -j ACCEPT
-A OUTPUT -o tun0 -p tcp -m multiport --dports 943,1080,8140,8834 -j ACCEPT
### Multiports allow outbound SSH via VPN
-A OUTPUT -o tun0 -p tcp -m multiport --dports 22,2212 -j ACCEPT
### Multiports allow outbound RDP via VPN
-A OUTPUT -o tun0 -p tcp -m multiport --dports 3389 -j ACCEPT
### Multiports allow outbound Zabbix via VPN
-A OUTPUT -o tun0 -p tcp -m multiport --dports 10051,38088 -j ACCEPT
### Multiports allow outbound P2P (custom ports) via VPN
-A OUTPUT -o tun0 -p udp -m multiport --sports 63001:64000 -j ACCEPT
-A OUTPUT -o tun0 -p tcp -m multiport --sports 63001:64000 -j ACCEPT
### Allow established and related VPN traffic
-A OUTPUT -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
### Log if required and reject everything per interface
#-A OUTPUT -j LOG --log-level 4 --log-prefix "iptables_output "
-A OUTPUT -o bond0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o wlan0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o vboxnet0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
Apply the changes:
# iptables-restore < /etc/iptables.up.rules
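As an added example (not from the original post), a small Python lint for a rules file in iptables-restore format. It checks for three slips that are easy to make in an OUTPUT chain of this size: an interface name given to -p instead of -o, multiport combined with the single-port --dport/--sport option, and rules appended after the final unconditional REJECT, which can never match. The sample rules it runs over are constructed here.

```python
"""Lint an iptables-restore file for slips that hide in a long OUTPUT ruleset like
the one above: '-p <iface>' typed for '-o', multiport paired with the single-port
--dport/--sport, and rules appended after an unconditional REJECT/DROP."""
import shlex

KNOWN_PROTOS = {"tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp", "gre", "all"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    """Yield (chain, argv) for each -A rule; skip comments, *table, :policy, -P/-F, COMMIT."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "*", ":", "COMMIT")):
            continue
        argv = shlex.split(line)  # keeps quoted --comment / --log-prefix values intact
        if argv[0] == "-A":
            yield argv[1], argv[2:]

def values_of(argv, opt):  # every value following option token `opt` (options may repeat)
    return [argv[i + 1] for i, tok in enumerate(argv[:-1]) if tok == opt]

def lint(text):
    """Return human-readable findings for the contents of a rules file."""
    findings, closed = [], set()  # closed: chains already ended by an unconditional terminator
    for chain, argv in parse_rules(text):
        rule = " ".join(argv)
        if chain in closed:
            findings.append(f"{chain}: unreachable, chain already rejects everything: {rule}")
            continue
        for proto in values_of(argv, "-p"):
            if proto not in KNOWN_PROTOS and not proto.isdigit():
                findings.append(f"{chain}: '-p {proto}' is not a protocol, -o/-i meant? {rule}")
        if "multiport" in values_of(argv, "-m") and ("--dport" in argv or "--sport" in argv):
            findings.append(f"{chain}: multiport takes --dports/--sports, not --dport: {rule}")
        target = values_of(argv, "-j")
        opts = {tok for tok in argv if tok.startswith("-")}
        if target and target[0] in TERMINATING and opts <= {"-j", "--reject-with"}:
            closed.add(chain)  # nothing appended after this rule can ever match
    return findings

# Constructed sample modelled on the OUTPUT chain above, including the slips it had.
SAMPLE = """*filter
-A OUTPUT -o tun0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p tun0 -p tcp -m multiport --dport 3000,3001 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o vboxnet0 -d 10.8.8.0/24 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

To check a real file, pass open('/etc/iptables.up.rules').read() to lint(); an empty list means none of the three patterns was found.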
Make the IPv4 iptables rules start at boot
Create a startup file:
# cat > /etc/network/if-pre-up.d/iptables << EOL
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
EOL
Make it executable:
# chmod 0755 /etc/network/if-pre-up.d/iptables
iptables rules for IPv6
These are my IPv6 rules (my ISP does not currently use IPv6).
Simply block everything.
# cat /etc/ip6tables.up.rules
*filter
# FLUSH EXISTING CHAIN RULES #
-F INPUT
-F OUTPUT
-F FORWARD
# SET DEFAULT CHAIN POLICIES #
### No loopback rule, so IPv6 traffic on lo (::1) is dropped as well
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
In this case it is also necessary to disable IPv6 in '/etc/sysctl.conf':
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
However, I recommend leaving IPv6 enabled on the loopback interface.
Make the IPv6 iptables rules start at boot
Create a startup file:
# cat > /etc/network/if-pre-up.d/ip6tables << EOL
#!/bin/bash
/sbin/ip6tables-restore < /etc/ip6tables.up.rules
EOL
Make it executable:
# chmod 0755 /etc/network/if-pre-up.d/ip6tables