话说一直维护者某Ubuntu Linux服务器,以前都是只用hosts.allow就行了。但是偏偏前些天被要求写iptables。。。。无奈一点点试吧。
找了个大牛http://jiayeah.com/指导着我。。。。总体思路就是放行需要的访问,其他的访问一概干掉。。。。。是不是太严了?反正这样安全。。。不过。。。。
服务器不在身边啊,我都是远程管理。如果稍有不慎就会把自己干掉了。。。。。。。
最终还是弄好了。幸好没把自己干掉了,呵呵。写下来做个记录
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:22
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state NEW,RELATED,E STABLISHED
DROP all -- anywhere anywhere state INVALID
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
对应的脚本是
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,RELATE,ESTABLISH -j ACCEPT
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP