Configuring the iptables firewall on Ubuntu


Author: yangyangrenren | Published 2018-05-14 16:27

    Note: this article is reposted in full from https://www.cnblogs.com/EasonJim/p/6851007.html

    1. Check whether the firewall is installed

    root@localhost:/usr# which iptables
    /sbin/iptables
    root@localhost:/usr# whereis iptables
    iptables: /sbin/iptables /etc/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
    

    If you see output like this, iptables is already installed.
    If it is not installed, install it with sudo apt-get install iptables.

    2. View the firewall's current configuration

    Once configured, the output of iptables -L looks like this.

    root@localhost:/usr# sudo iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:22
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
    ACCEPT     icmp --  anywhere             anywhere             limit: avg 100/sec burst 100
    ACCEPT     icmp --  anywhere             anywhere             limit: avg 1/sec burst 10
    syn-flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain syn-flood (1 references)
    target     prot opt source               destination
    RETURN     tcp  --  anywhere             anywhere             limit: avg 3/sec burst 6
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    

    3. Create the rules file

    mkdir -p /etc/iptables  # create the directory first; it may not exist yet
    vim /etc/iptables/rules.v4
    

    The contents of /etc/iptables/rules.v4 are:

    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :syn-flood - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    -A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
    -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
    -A syn-flood -j REJECT --reject-with icmp-port-unreachable
    COMMIT
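
    As an added example (not part of the original post or of the reposted source), a small Python audit of a rules file in the iptables-save format shown above: it checks that the INPUT policy is DROP and reports any port ACCEPTed from any source that is outside an allowlist. The embedded sample ruleset and the allowlist of 22 and 80 are constructed here; with them, the 3306 (MySQL) rule the post's file also contains is the one the audit flags.

```python
import shlex
# Constructed sample in the rules.v4 (iptables-save) format from the post, so the audit runs offline.
RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rules(text):
    """Parse iptables-save text into ({table: {chain: policy}}, [(table, chain, tokens)])."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):           # table header, e.g. *filter
            table = line[1:]
            policies[table] = {}
        elif line.startswith(":"):         # chain declaration: :NAME POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A "):       # append rule: -A CHAIN <matches> -j TARGET
            tokens = shlex.split(line)
            rules.append((table, tokens[1], tokens[2:]))
    return policies, rules

def opt(tokens, name):
    """Value following option `name` in a rule, or None if the rule lacks it."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def audit(text, allowed_ports=(22, 80)):
    """Findings: a non-DROP INPUT policy, and ports ACCEPTed from any source outside the allowlist."""
    policies, rules = parse_rules(text)
    findings = []
    if policies.get("filter", {}).get("INPUT") != "DROP":
        findings.append("filter INPUT policy is not DROP")
    for table, chain, tokens in rules:
        if (table, chain, opt(tokens, "-j")) != ("filter", "INPUT", "ACCEPT"):
            continue
        port = opt(tokens, "--dport")
        # No -s (source) and no -i (interface) match means the port is reachable from anywhere
        if port and opt(tokens, "-s") is None and opt(tokens, "-i") is None and int(port) not in allowed_ports:
            findings.append(f"{opt(tokens, '-p')}/{port} accepted from any source")
    return findings
```

    Run audit() on the text of your own /etc/iptables/rules.v4 before iptables-restore to catch a service opened to the world by mistake.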
    

    4. Apply the firewall rules

    iptables-restore < /etc/iptables/rules.v4
    

    5. Create a file with the following contents so the rules are loaded at boot

    vim /etc/network/if-pre-up.d/iptables
    
    #!/bin/bash
    # Loaded by ifupdown before the interface comes up; restore the saved ruleset
    iptables-restore < /etc/iptables/rules.v4
    

    6. Make the script executable

    chmod +x /etc/network/if-pre-up.d/iptables
    

    7. Check that the rules are in effect

    iptables -L -n
    

    Ubuntu has no command that directly stops iptables; commands like service iptables stop exist only on CentOS. To "turn it off", you can temporarily open all ports as a substitute:

    iptables -P INPUT ACCEPT   # the default policy only applies to packets that reach the end of the chain,
    iptables -P OUTPUT ACCEPT  # so the trailing "-j REJECT" rule in the INPUT chain above still rejects new connections
    

    See also https://blog.csdn.net/langsim/article/details/42644451
