Debian iptables firewall basics

From the linux中国网 wiki

Notice

Suggestion: firewalld can be installed, but using it had some problems, so it was abandoned. 2020: Ufw on Debian

Install

apt install iptables

Debian already has firewalld, so iptables was dropped

It seems the system ships with it anyway.


Configuring iptables on Debian

A few small examples

# Note the match module name: -m multiport (a misspelling such as "muliport" makes iptables fail to load the match, so the rule is never added)
iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j ACCEPT

iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j DROP

iptables -L -n --line-numbers

View the configured rules: sudo iptables -nvL --line-numbers
Insert a rule at position 6 of the INPUT chain: sudo iptables -I INPUT 6 -j DROP
Replace rule 6 of the INPUT chain: sudo iptables -R INPUT 6 -j ACCEPT
Delete rule 6 of the INPUT chain: sudo iptables -D INPUT 6

# Dump the current configuration. iptables-save only writes the active rules to stdout; they are gone after a reboot unless written to a file and restored at boot (see below)
iptables-save

Official example (from the Debian wiki)

*filter
 
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
 
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
 
# Allows SSH connections for script kiddies
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
 
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
 
COMMIT
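As an added example (not from this wiki page or the Debian wiki), a small Python auditor for the iptables-save format shown above: it lists the TCP ports the INPUT chain accepts from any source and checks that INPUT and FORWARD end in a catch-all deny. Note that the official example has no ":INPUT DROP" policy line, so the trailing "-A INPUT -j REJECT" is what provides the default deny; the function names, and the sample ruleset embedded below, are this example's own.

```python
import shlex
from collections import defaultdict
# Constructed sample: the official example above with the comments removed.
SAMPLE_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""

def parse_rules(text):
    """Return ({chain: POLICY} from ':CHAIN POLICY [n:n]' lines, {chain: [rule tokens]})."""
    policies, chains = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):  # policy line, e.g. ':INPUT DROP [0:0]'
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)  # keeps the quoted --log-prefix as one token
            chains[tokens[1]].append(tokens[2:])
    return policies, chains

def open_tcp_ports(chains, chain="INPUT"):
    """TCP ports ACCEPTed with no -s restriction; handles --dport N and multiport --dports a,b."""
    ports = set()
    for rule in chains.get(chain, []):
        proto = rule[rule.index("-p") + 1] if "-p" in rule else None
        if proto != "tcp" or "-s" in rule or rule[-2:] != ["-j", "ACCEPT"]:
            continue
        for i, tok in enumerate(rule):
            if tok in ("--dport", "--dports"):
                ports.update(int(p) for p in rule[i + 1].split(","))
    return sorted(ports)

def default_deny(policies, chains, chain):
    """True if the chain policy is DROP or its last rule is a bare -j REJECT/DROP."""
    rules = chains.get(chain, [])
    last_deny = bool(rules) and rules[-1] in (["-j", "REJECT"], ["-j", "DROP"])
    return policies.get(chain) == "DROP" or last_deny
```

Run it against /etc/iptables/rules.v4 to see which ports a persisted ruleset exposes before reloading it.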


Auto-loading the rules at boot

iptables-persistent

apt install iptables-persistent

Save your firewall rules with this command:

Debian 9 or Ubuntu 16.04 Server
netfilter-persistent save    # this saves the active rules to /etc/iptables/rules.v4 (and rules.v6)
netfilter-persistent reload

Rules deleted with iptables don't seem to take effect; they can only be deleted in the configuration file /etc/iptables/rules.v4.

Writing to a file

1. Save the iptables configuration to /etc/iptables; the file name can be anything you choose, as long as it matches the configuration below.

 iptables-save > /etc/iptables

2. Create the auto-start script and make it executable
 touch /etc/network/if-pre-up.d/iptables
 chmod +x /etc/network/if-pre-up.d/iptables

3. Edit the script so that it restores the iptables configuration when the network is brought up
 vim /etc/network/if-pre-up.d/iptables

The file content is as follows:
 #!/bin/sh
 /sbin/iptables-restore < /etc/iptables
 
4. Save with :wq and exit. From then on, after changing the iptables configuration, just run the following command again to save it:
 iptables-save > /etc/iptables


https://packages.debian.org/search?keywords=iptables-persistent

References

https://wiki.debian.org/iptables

https://wiki.debian.org/DebianFirewall


VPS security: basic iptables configuration (Debian)

myblog: Configuring a firewall on Ubuntu with ufw or iptables

Saving Iptables Firewall Rules Permanently

Persisting iptables rules with iptables-persistent on Debian/Ubuntu

How to install missing ifconfig command on Debian

Saving iptables rules and auto-loading them at boot

Using the iptables firewall on a Debian VPS