Debian iptables防火墙基础
(重定向自Debian上的iptables)
跳到导航
跳到搜索
Notice
建议这个 firewalld 能安装 但是使用有点问题 放弃 2020 Ufw on debian
install
apt install iptables
Debian已有firewalld 放弃iptables
好像系统是自带的呢
来几个小例子
#这个多端口应该是不行的 iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j ACCEPT iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j DROP iptables -L -n --line-number 查看设置的规则: sudo iptables -nvL --line-numbers 插入一条规则到INPUT链第6的位置: sudo iptables -I INPUT 6 -j DROP 修改INPUT链的第6条规则: sudo iptables -R INPUT 6 -j ACCEPT 删除INPUT链第6条规则: sudo iptables -D INPUT 6 #保存配置 但是这个保存 机器重启就没了 iptables-save
官方例子
*filter # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You could modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allows SSH connections for script kiddies # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT # Now you should read up on iptables rules and consider whether ssh access # for everyone is really desired. Most likely you will only allow access from certain IPs. # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls (access via 'dmesg' command) -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy: -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
开机自启动 自动加载实现
iptables-persistent
apt install iptables-persistent Save your firewall rules with this command: debain9 or Ubuntu 16.04 Server netfilter-persistent save #这个为保存 netfilter-persistent reload 用iptables 删除的 好像不生效 只能在 配置 文件 /etc/iptables/rules.v4 删除
写入文件
1、将iptables配置保存到/etc/iptables,这个文件名可以自己定义,与下面的配置一致即可 iptables-save > /etc/iptables 2、创建自启动配置文件,并授于可执行权限 touch /etc/network/if-pre-up.d/iptables chmod +x /etc/network/if-pre-up.d/iptables 3、编辑该自启动配置文件,内容为启动网络时恢复iptables配置 vim /etc/network/if-pre-up.d/iptables 文件内容如下: #!/bin/sh /sbin/iptables-restore < /etc/iptables 4、:wq保存配置文件并退出即可,以后在修改完iptables配置之后只要再次执行下面的命令保存即可 iptables-save > /etc/iptables
https://packages.debian.org/search?keywords=iptables-persistent
参考
https://wiki.debian.org/iptables
https://wiki.debian.org/DebianFirewall
myblog Ubuntu使用ufw或iptables配置防火墙
Saving Iptables Firewall Rules Permanently
Debian/Ubuntu下使用iptables-persistent持久化iptables规则