Difference between pages "Debian iptables防火墙基础" and "Ufw on debian"

From linux中国网 wiki
(Difference between pages)
第1行: 第1行:
=Notice=
+
[[category:ops]]  [[category:debian]]   
建议这个 firewalld 能安装 但是使用有点问题 放弃 2020
 
[[Ufw on debian]]
 
=install =
 
  apt install iptables
 
Debian已有firewalld 放弃iptables
 
  
好像系统是自带的呢
+
=*  install=
  
 +
apt  install ufw
  
[[Debian配置iptables]]
+
=* Configuration=
 +
<pre>
 +
ufw enable
 +
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
 +
Firewall is active and enabled on system startup
  
=来几个小例子=
 
<pre>
 
#这个多端口应该是不行的
 
iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j ACCEPT
 
  
iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j DROP
 
  
iptables -L -n --line-number
+
ufw default deny incoming
 +
ufw default allow outgoing
  
查看设置的规则: sudo iptables -nvL --line-numbers
+
ufw status verbose
插入一条规则到INPUT链第6的位置: sudo iptables -I INPUT 6 -j DROP
+
</pre>
修改INPUT链的第6条规则: sudo iptables -R INPUT 6 -j ACCEPT
 
删除INPUT链第6条规则: sudo iptables -D INPUT 6
 
  
#保存配置  但是这个保存 机器重启就没了
 
iptables-save
 
</pre>
 
  
==官方例子==
+
=* Firewall Rules=
 
<pre>
 
<pre>
*filter
+
ufw app list
 
   
 
   
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+
 
-A INPUT -i lo -j ACCEPT
+
ufw  allow 'SSH'
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
+
  ufw allow WWW #其实就是80
   
+
 
# Accepts all established inbound connections
 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
   
 
# Allows all outbound traffic
 
# You could modify this to only allow certain traffic
 
-A OUTPUT -j ACCEPT
 
 
   
 
   
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
 
-A INPUT -p tcp --dport 80 -j ACCEPT
 
-A INPUT -p tcp --dport 443 -j ACCEPT
 
 
   
 
   
# Allows SSH connections for script kiddies
+
  ufw allow 'Nginx HTTP'
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
 
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 
   
 
# Now you should read up on iptables rules and consider whether ssh access
 
# for everyone is really desired. Most likely you will only allow access from certain IPs.
 
 
# Allow ping
 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
 
# log iptables denied calls (access via 'dmesg' command)
 
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 
 
# Reject all other inbound - default deny unless explicitly allowed policy:
 
-A INPUT -j REJECT
 
-A FORWARD -j REJECT
 
 
COMMIT
 
</pre>
 
  
  
=开机自启动 自动加载实现=
+
ufw allow 53/tcp </pre>
 
 
== iptables-persistent==
 
<pre>
 
apt  install iptables-persistent
 
  
Save your firewall rules with this command:
 
     
 
debain9  or  Ubuntu 16.04 Server
 
netfilter-persistent save #这个为保存
 
netfilter-persistent reload
 
  
用iptables 删除的 好像不生效  只能在 配置 文件 /etc/iptables/rules.v4 删除
 
</pre>
 
  
== 写入文件 ==
+
==** Port Ranges ==
 
<pre>
 
<pre>
1、将iptables配置保存到/etc/iptables,这个文件名可以自己定义,与下面的配置一致即可
+
Port ranges may also be specified, a simple example for tcp would be:
  
iptables-save > /etc/iptables
+
  ufw allow 1000:2000/tcp
  
2、创建自启动配置文件,并授于可执行权限
+
and for udp:
touch /etc/network/if-pre-up.d/iptables
 
chmod +x /etc/network/if-pre-up.d/iptables
 
  
3、编辑该自启动配置文件,内容为启动网络时恢复iptables配置
+
  ufw allow 1000:2000/udp</pre>
vim /etc/network/if-pre-up.d/iptables
 
  
文件内容如下:
+
==** IP address==
#!/bin/sh
+
<pre>An IP address may also be used:
/sbin/iptables-restore < /etc/iptables
 
 
4、:wq保存配置文件并退出即可,以后在修改完iptables配置之后只要再次执行下面的命令保存即可
 
iptables-save > /etc/iptables
 
  
</pre>
+
ufw allow from 111.222.333.444</pre>
  
 +
=* Deleting Rules=
 +
<pre>
 +
Rules may be deleted with the following command:
  
https://packages.debian.org/search?keywords=iptables-persistent
+
ufw delete allow ssh</pre>
 
+
=参考=
+
 
+
=* see also=
https://wiki.debian.org/iptables
+
https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
 
 
https://wiki.debian.org/DebianFirewall
 
 
 
 
 
[http://www.slyar.com/blog/vps-debian-iptables.html VPS安全之iptables基本配置(Debian)]
 
 
 
[http://blog.linuxchina.net/?p=2813 myblog Ubuntu使用ufw或iptables配置防火墙]
 
 
 
[https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently Saving Iptables Firewall Rules Permanently]
 
 
 
[http://chuansong.me/n/1490519851248 Debian/Ubuntu下使用iptables-persistent持久化iptables规则]
 
 
 
[https://linuxconfig.org/how-to-install-missing-ifconfig-command-on-debian-linux How to install missing ifconfig command on Debian ]
 
  
[http://salogs.com/news/2015/08/20/iptables-save/ 保存iptable规则并开机自动加载]
 
  
[https://www.tennfy.com/2552.html Debian VPS下使用iptables防火墙]
+
https://help.ubuntu.com/community/UFW
  
 +
https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
  
[[category:ops]]  [[category:Security]]
+
[https://zhuanlan.zhihu.com/p/36646621 ubuntu ufw 防火墙]
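Review bot: the two multi-port rules (`iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j ACCEPT` and the matching `-j DROP` line) misspell the match module; `-m muliport` must be `-m multiport`, and iptables cannot load a match by the misspelled name, which is why the comment above them says the multi-port rule "probably does not work". Even with the spelling fixed, the DROP rule for the same ports is unreachable, since the ACCEPT rule appended before it matches first. On the ufw side, `ufw allow from 111.222.333.444` uses an address whose last two octets exceed 255, so ufw rejects it; substitute a valid address, for example one from the 192.0.2.0/24 documentation range.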

Revision as of 09:04, 27 February 2020 (Thu)


* install

apt  install ufw

* Configuration

 ufw enable 
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup



ufw default deny incoming
ufw default allow outgoing

ufw status verbose


* Firewall Rules

 ufw app list
 

 ufw  allow 'SSH'
 ufw allow WWW   # this is really just port 80

 
 
 ufw allow 'Nginx HTTP'


ufw allow 53/tcp 


** Port Ranges

Port ranges may also be specified, a simple example for tcp would be:

  ufw allow 1000:2000/tcp

and for udp:

  ufw allow 1000:2000/udp

** IP address

An IP address may also be used:

 ufw allow from 192.0.2.10   # each octet must be 0-255; 192.0.2.10 is an RFC 5737 documentation address

* Deleting Rules

Rules may be deleted with the following command:

 ufw delete allow ssh
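The commands above (install, enable, default policies, allow by application profile, port, port range or source address, delete) are typed one at a time, and a mistyped entry such as a port range without a protocol or a malformed address only fails when ufw sees it. As an added example that is not part of this wiki page or of the ufw project, the POSIX shell script below builds the same kind of allow rules from a small declarative spec and validates every entry before anything is applied; it emits the `ufw` command lines rather than running them. The spec format, the function names and the sample spec are this example's own assumptions; the sample deliberately ends with the invalid placeholder address `111.222.333.444` from the page so the rejection path is exercised.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from the ufw project.
# Generates ufw "allow" commands from a small declarative spec and validates
# every entry first. Spec format (an assumption of this example), one rule per line:
#   app NAME           -> ufw allow 'NAME'      (NAME as shown by `ufw app list`)
#   port SPEC          -> ufw allow SPEC        (SPEC = PORT or LOW:HIGH, optional /tcp or /udp)
#   from ADDR [SPEC]   -> ufw allow from ADDR [to any port PORT [proto tcp|udp]]
# Blank lines and lines starting with '#' are ignored.

# valid_port N: true if N is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] || return 1          # avoid overflow in the numeric test
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_ipv4 ADDR: true for a dotted quad whose four octets are all 0..255
# (this is the check that rejects the page's placeholder 111.222.333.444)
validate_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $1                               # split into octets (positional params are function-local)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_port_spec SPEC: PORT, PORT/tcp, PORT/udp, LOW:HIGH/tcp or LOW:HIGH/udp
validate_port_spec() {
    spec=$1
    proto=
    case $spec in
        */tcp) proto=tcp; spec=${spec%/tcp} ;;
        */udp) proto=udp; spec=${spec%/udp} ;;
        */*)   return 1 ;;                  # only tcp and udp are handled here
    esac
    case $spec in
        *:*)
            # ufw refuses a port range that names no protocol, so require one
            [ -n "$proto" ] || return 1
            low=${spec%%:*}
            high=${spec#*:}
            valid_port "$low" && valid_port "$high" && [ "$low" -lt "$high" ]
            ;;
        *)  valid_port "$spec" ;;
    esac
}

# ufw_rule_for KIND ARG [EXTRA]: print the ufw command for one spec entry, or fail
ufw_rule_for() {
    kind=$1
    arg=$2
    extra=$3
    case $kind in
        app)
            # profile names such as 'Nginx HTTP' contain spaces, so rejoin and quote them
            [ -n "$arg" ] || return 1
            printf "ufw allow '%s'\n" "$arg${extra:+ $extra}"
            ;;
        port)
            validate_port_spec "$arg" || return 1
            printf 'ufw allow %s\n' "$arg"
            ;;
        from)
            validate_ipv4 "$arg" || return 1
            if [ -z "$extra" ]; then
                printf 'ufw allow from %s\n' "$arg"
            else
                validate_port_spec "$extra" || return 1
                case $extra in
                    */*) printf 'ufw allow from %s to any port %s proto %s\n' \
                             "$arg" "${extra%/*}" "${extra##*/}" ;;
                    *)   printf 'ufw allow from %s to any port %s\n' "$arg" "$extra" ;;
                esac
            fi
            ;;
        *)  return 1 ;;
    esac
}

# build_ruleset: read spec lines from stdin, print commands for the valid ones,
# report rejected entries on stderr and exit non-zero if any were rejected
build_ruleset() {
    status=0
    while read -r kind arg extra || [ -n "$kind" ]; do
        case $kind in ''|'#'*) continue ;; esac
        if ! ufw_rule_for "$kind" "$arg" "$extra"; then
            printf '# REJECTED, nothing applied: %s %s %s\n' "$kind" "$arg" "$extra" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample spec; the last entry is the invalid placeholder address from the page
SAMPLE_SPEC='app Nginx HTTP
port 1000:2000/tcp
from 192.0.2.10 22/tcp
from 111.222.333.444'

# Stand-alone run: print the generated commands; a non-zero status means at least one entry was rejected
printf '%s\n' "$SAMPLE_SPEC" | build_ruleset \
    || echo '# fix the rejected entries before piping this output into sh' >&2
```

Only pipe the generated lines into `sh` (as root) when the script exits 0, so one bad entry never leaves a half-applied policy; `ufw default deny incoming` from the Configuration section should already be in place before the allow rules are added, and `ufw status verbose` afterwards confirms what was loaded.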


* see also

https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29


https://help.ubuntu.com/community/UFW

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

https://zhuanlan.zhihu.com/p/36646621 ubuntu ufw firewall