"Debian iptables防火墙基础" and "Debian rc.local 开机启动问题": difference between pages

From linuxsa wiki
(Difference between pages)
Evan (talk | contribs), no edit summary

Source of "Debian iptables防火墙基础" (the left-hand page of the comparison):

=Notice=
Suggested firewalld: it installs, but using it had some problems, so it was dropped (2020).
[[Ufw on debian]]
=install=
apt install iptables
Debian already ships firewalld, so iptables was dropped.

It seems the system has it built in anyway.

[[Debian配置iptables]]

=A few small examples=
<pre>
# The original rules used "-m muliport", a typo for "-m multiport"; iptables cannot load a match
# by that name, which is the likely reason the multi-port rule did not work.
iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j DROP
iptables -L -n --line-numbers
List the configured rules: sudo iptables -nvL --line-numbers
Insert a rule at position 6 of the INPUT chain: sudo iptables -I INPUT 6 -j DROP
Replace rule 6 of the INPUT chain: sudo iptables -R INPUT 6 -j ACCEPT
Delete rule 6 of the INPUT chain: sudo iptables -D INPUT 6

# Save the configuration; but this "save" is gone after a reboot
# (iptables-save only prints the running ruleset to stdout; nothing restores it at boot)
iptables-save
</pre>

==Official example==
<pre>
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections for script kiddies
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
</pre>

=Loading the rules automatically at boot=

== iptables-persistent==
<pre>
apt install iptables-persistent

Save your firewall rules with this command:
Debian 9 or Ubuntu 16.04 Server
netfilter-persistent save    # this is the save step
netfilter-persistent reload

Deleting a rule with the iptables command doesn't seem to stick; it has to be deleted in the
config file /etc/iptables/rules.v4 (that file is restored at boot, so a rule removed only from
the running tables comes back unless the file is updated)
</pre>

== Writing to a file ==
<pre>
1. Save the iptables configuration to /etc/iptables; the file name is your choice, as long as it matches the configuration below
iptables-save > /etc/iptables

2. Create the auto-start script and make it executable
touch /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables

3. Edit that script so that it restores the iptables configuration when the network is brought up
vim /etc/network/if-pre-up.d/iptables

File contents:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables
4. Save with :wq and exit; from now on, after changing the iptables configuration, just run the command below again to save it
iptables-save > /etc/iptables
</pre>
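The rule-management examples, the official example, the iptables-persistent section and the file-based section above all end up producing the same artifact: a default-deny ruleset in iptables-restore format that is loaded at boot. The script below is an added example, not code from the linuxsa wiki page or from Debian. It generates such a ruleset with the allowed TCP ports given as one multiport list (the form the first example above tried to use), refuses malformed port lists, counts the generated rules, and can syntax-check the file with iptables-restore --test before it is copied to /etc/iptables/rules.v4 or /etc/iptables. The function names, the explicit chain-policy lines and the use of -m conntrack in place of the older -m state alias are this example's own choices, not the page's.

```shell
#!/bin/sh
# Added example (not from the linuxsa wiki page): build a default-deny IPv4
# ruleset in iptables-restore format, following the shape of the Debian
# "official example" but with the allowed TCP ports as a single multiport list.
# Assumptions of this example: function names gen_rules/count_rules/check_rules,
# the OUTFILE and port-list arguments, and the chain-policy lines are all
# this example's own choices.

# gen_rules OUTFILE "port,port,..." : write the ruleset to OUTFILE
gen_rules() {
    out=$1
    ports=$2
    # accept only a comma-separated list of numbers; a typo here would
    # otherwise make iptables-restore reject the whole file at boot
    case $ports in
        ''|*[!0-9,]*|,*|*,|*,,*)
            echo "bad port list: '$ports'" >&2
            return 1 ;;
    esac
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and nothing addressed to 127/8 from any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened (conntrack is the current name of the state match)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allowed services: one multiport match instead of one rule per port
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports $ports -j ACCEPT
# ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log what falls through, rate-limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# explicit reject so clients fail fast; the DROP policy above is the backstop
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# count_rules FILE : number of "-A ..." rule lines in FILE, a quick sanity check
count_rules() {
    grep -c '^-A ' "$1"
}

# check_rules FILE : parse the file without touching the live tables, if
# iptables-restore is installed; otherwise say the check was skipped
check_rules() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$1" && echo "syntax OK: $1"
    else
        echo "iptables-restore not installed, syntax check skipped" >&2
    fi
}

# usage: generate into a scratch file, inspect it, then copy it into place as root
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    gen_rules "$tmp" "22,80,443"
    echo "rules generated: $(count_rules "$tmp")"
    check_rules "$tmp"
    cat "$tmp"
    rm -f "$tmp"
fi
```

Run it as sh gen-rules.sh --demo to see the generated file; nothing is applied to the running tables, so it can be tried without root. To activate the result, copy it over /etc/iptables/rules.v4 and run netfilter-persistent reload, or point the if-pre-up.d script above at it.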


https://packages.debian.org/search?keywords=iptables-persistent
=References=
https://wiki.debian.org/iptables
https://wiki.debian.org/DebianFirewall
[http://www.slyar.com/blog/vps-debian-iptables.html VPS security: basic iptables configuration (Debian)]
[http://blog.linuxchina.net/?p=2813 myblog: configuring a firewall on Ubuntu with ufw or iptables]
[https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently Saving Iptables Firewall Rules Permanently]
[http://chuansong.me/n/1490519851248 Persisting iptables rules on Debian/Ubuntu with iptables-persistent]
[https://linuxconfig.org/how-to-install-missing-ifconfig-command-on-debian-linux How to install missing ifconfig command on Debian]
[http://salogs.com/news/2015/08/20/iptables-save/ Saving iptables rules and loading them automatically at boot]
[https://www.tennfy.com/2552.html Using the iptables firewall on a Debian VPS]

[[category:ops]]  [[category:Security]]
[[category:debian]]

"Debian rc.local 开机启动问题" (the right-hand page of the comparison), latest revision as of 12:32, 17 August 2021

debian10

cat <<EOF >/etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0
EOF
chmod +x /etc/rc.local
systemctl daemon-reload
systemctl start rc-local
systemctl status rc-local

https://stackoverflow.com/questions/44797694/where-is-rc-local-in-debian-9-debian-stretch#44801337

Question

leanote does not come with a proper init script, so it has to be added to the boot autostart; hence rc.local.

Solution

# This unit file must be added, otherwise it does not work
cat > /etc/systemd/system/rc-local.service <<EOF
[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local
 
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
 
[Install]
WantedBy=multi-user.target
EOF

cat <<EOF >/etc/rc.local
#!/bin/bash 
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0
EOF

chmod +x /etc/rc.local
systemctl  enable  rc-local

systemctl start  rc-local

trouble shooting

#cat /etc/rc.local 

# This prevents ssh from coming up, probably because the script has interactive content
/data/apps/leanote/bin/run.sh

# With this it starts normally
/usr/bin/nohup  /data/apps/leanote/bin/run.sh  &
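The trouble-shooting lines above show the failure mode without saying why it happens: the rc-local.service unit is Type=forking with TimeoutSec=0, so systemd waits indefinitely for /etc/rc.local to exit, and a long-running foreground command such as run.sh means it never reaches exit 0. Detaching the command with nohup ... & lets the script exit immediately. The script below is an added example, not code from the linuxsa wiki page, that reproduces both variants on a scratch copy of rc.local without touching /etc or systemd. It assumes GNU timeout and mktemp are available, uses "sleep 3" as a constructed stand-in for /data/apps/leanote/bin/run.sh, calls nohup by name rather than by the /usr/bin/nohup path used above, and the function names are its own.

```shell
#!/bin/sh
# Added example (not from the linuxsa wiki page): show why a foreground
# service in rc.local blocks the Type=forking rc-local unit, and why putting
# it in the background with nohup does not. Assumptions of this example:
# "sleep 3" stands in for /data/apps/leanote/bin/run.sh, files are written
# under a mktemp directory, GNU timeout plays the role of systemd waiting
# for the script, and the function names are invented here.

# write_rc_local DIR MODE : write DIR/rc.local running the stand-in service
# either in the foreground (the failing variant) or detached with nohup
write_rc_local() {
    dir=$1
    mode=$2
    svc="sleep 3"   # constructed stand-in for the long-running service
    if [ "$mode" = "background" ]; then
        # ignore SIGHUP, leave no terminal output open, return at once
        start="nohup $svc >/dev/null 2>&1 &"
    else
        start="$svc"
    fi
    cat > "$dir/rc.local" <<EOF
#!/bin/sh -e
# constructed rc.local for this demo
$start
exit 0
EOF
    chmod +x "$dir/rc.local"
}

# run_rc_local DIR LIMIT : run DIR/rc.local and wait at most LIMIT seconds,
# the way a Type=forking unit waits for the script to exit; prints the exit
# status, where 124 means timeout gave up while the script was still running
run_rc_local() {
    rc=0
    timeout "$2" sh "$1/rc.local" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# demo_status MODE : build one variant in a scratch directory, run it, clean up,
# and print the exit status
demo_status() {
    d=$(mktemp -d)
    write_rc_local "$d" "$1"
    rc=$(run_rc_local "$d" 1)
    rm -rf "$d"
    echo "$rc"
}

if [ "${1:-}" = "--demo" ]; then
    echo "foreground service: rc.local status $(demo_status foreground) (124 = still running after 1s)"
    echo "background service: rc.local status $(demo_status background) (0 = exited immediately)"
fi
```

Run it as sh rc-local-demo.sh --demo. The foreground variant is killed by timeout with status 124, which is what systemd sees as a unit that never finishes starting; the background variant exits 0 at once while the stand-in service keeps running detached.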