Practical notes on configuring an iptables firewall

Published: 2013-09-19  Source: 服务器之家

iptables: note the trailing "s". The iptables options (-L, -F, -P), chain names (INPUT, OUTPUT) and targets (ACCEPT, DROP) must all be written in uppercase.

The simplest and most common INPUT rules: open telnet and ssh

##########INPUT CHAIN##############
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i $WAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $WAN_INT -m state --state NEW -p tcp --dport 23 -j ACCEPT
/sbin/iptables -A INPUT -i $LAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $LAN_INT -m state --state NEW -p tcp --dport 23 -j ACCEPT
The simplest firewall rule to accept PING (with protection against an ICMP flood DoS)

/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 10 -j ACCEPT
No interface (-i) is given above, so the firewall can be pinged from every interface.

Common rules for ICMP packets passing through the firewall (FORWARD)

#################################Define icmp rule#######
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

-m limit --limit causes ordinary PINGs to lose packets

/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 10 -j ACCEPT
D:>ping 10.4.3.117 -t
Pinging 10.4.3.117 with 32 bytes of data:
Request timed out.
Reply from 10.4.3.117: bytes=32 time<10ms TTL=64
Request timed out.
Request timed out.
Reply from 10.4.3.117: bytes=32 time=1ms TTL=64
Request timed out.
Reply from 10.4.3.117: bytes=32 time=3ms TTL=64
Request timed out.

Remove the limit
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
D:>ping 10.4.3.117 -t
Pinging 10.4.3.117 with 32 bytes of data:
Reply from 10.4.3.117: bytes=32 time=20ms TTL=64
Reply from 10.4.3.117: bytes=32 time=10ms TTL=64
Reply from 10.4.3.117: bytes=32 time=6ms TTL=64
Reply from 10.4.3.117: bytes=32 time=3ms TTL=64
Reply from 10.4.3.117: bytes=32 time=1ms TTL=64
Reply from 10.4.3.117: bytes=32 time=4ms TTL=64
Reply from 10.4.3.117: bytes=32 time<10ms TTL=64
Reply from 10.4.3.117: bytes=32 time<10ms TTL=64
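
To make the loss above easier to reason about, here is an added example (not part of the original article) that models how -m limit --limit 1/second --limit-burst 10 decides per packet. It is a token-bucket simulation written for this page, a simplification of the kernel's credit arithmetic that is assumed here for illustration: the bucket holds burst tokens, a packet costs one token, and one token is earned per interval. One property the simulation makes visible is that the bucket is global to the rule, not per source: a second host pinging at the same rate halves the budget of the first. The simulation does not reproduce the article's capture exactly; it shows why a limit that looks generous can still drop a well-behaved 1/s ping.

```shell
#!/bin/sh
# Added example, not from the original article: a token-bucket model of
# "-m limit --limit 1/second --limit-burst 10". The kernel keeps a credit
# counter in the same spirit; the millisecond arithmetic here is an
# assumed simplification. Credits are in ms: a packet costs one interval,
# the bucket holds burst*interval, and it refills with wall-clock time.
# Output is one letter per packet: A = accepted by the rule,
# D = fell through (dropped under a DROP policy).

limit_sim() {
    interval_ms=$1   # 1/second -> 1000 ms per token
    burst=$2         # --limit-burst
    shift 2
    cap=$((interval_ms * burst))
    credit=$cap      # bucket starts full, so the first burst passes
    last=0
    result=""
    for t in "$@"; do   # packet arrival times in ms, ascending
        credit=$((credit + t - last))
        [ "$credit" -gt "$cap" ] && credit=$cap
        last=$t
        if [ "$credit" -ge "$interval_ms" ]; then
            credit=$((credit - interval_ms))
            result="${result}A"
        else
            result="${result}D"
        fi
    done
    printf '%s\n' "$result"
}

# Twelve echo-requests at once (a flood): only the burst of 10 gets through.
flood() { limit_sim 1000 10 0 0 0 0 0 0 0 0 0 0 0 0; }

# One host pinging once a second after the burst is spent: every packet
# is accepted, because one token is earned per second.
one_host() { limit_sim 1000 10 0 0 0 0 0 0 0 0 0 0 1000 2000 3000 4000 5000 6000; }

# Two hosts each pinging once a second: the bucket is shared, not per
# source, so the combined 2/s stream loses every other packet.
two_hosts() { limit_sim 1000 10 0 0 0 0 0 0 0 0 0 0 500 1000 1500 2000 2500 3000 3500 4000; }

echo "flood:     $(flood)"
echo "one host:  $(one_host)"
echo "two hosts: $(two_hosts)"
```

If the goal is to limit each sender rather than all senders together, the hashlimit match (-m hashlimit with --hashlimit-mode srcip) keeps one bucket per source address, so one noisy host cannot starve the others.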

The simplest FORWARD rules: everything from inside to outside is allowed; from outside in, only the DNAT server's services (22, 9000, 9001); PING (inside to outside) with DoS protection added

##########FORWARD CHAIN###########
/sbin/iptables -A FORWARD -i $LAN_INT -p all -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 9000 -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

The simplest internal SERVER with external DNAT

##########FORWARD CHAIN###########
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 9000 -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
##########NAT CHAIN###############
/sbin/iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -o $WAN_INT -j SNAT --to 124.126.86.137
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 2022 -j DNAT --to-destination 10.4.3.150:22
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9001 -j DNAT --to-destination 10.4.3.150:9001
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9000 -j DNAT --to-destination 10.4.3.150:9000

Simple OPENVPN rules

VPN_LFC_INT="tun0"
VPN_ZHAO_INT="tun1"
##########INPUT CHAIN##############
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i $WAN_INT -m state --state NEW -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A INPUT -i $WAN_INT -m state --state NEW -p udp --dport 1195 -j ACCEPT
/sbin/iptables -A INPUT -i $VPN_LFC_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $VPN_ZHAO_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
##########FORWARD CHAIN###########
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i $LAN_INT -p all -j ACCEPT
/sbin/iptables -A FORWARD -i $VPN_LFC_INT -p all -j ACCEPT
/sbin/iptables -A FORWARD -i $VPN_ZHAO_INT -p all -j ACCEPT

Enable forwarding inside the iptables script
echo "1" > /proc/sys/net/ipv4/ip_forward
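
The fragments above (INPUT rules for ssh/telnet and ping, the FORWARD rules for the DNAT'd server, the SNAT/DNAT rules, and the ip_forward switch) only work as a whole when the chain policies and the rule order are right. The following is an added example, not the article's own script: it assembles those fragments into one iptables-restore file and adds a small ordering check. The addresses (10.4.0.0/16, 124.126.86.137, 124.126.86.138, 10.4.3.150) are the article's; the interface names eth0/eth1, the explicit DROP policies and the extra -d match on the FORWARD rules are assumptions and tightenings made here. The OpenVPN tun rules are left out to keep the file short.

```shell
#!/bin/sh
# Added example, not from the original article: the article's INPUT, FORWARD
# and NAT fragments assembled into one iptables-restore file with explicit
# default policies, plus an ordering check. Addresses are the article's;
# the interface names, the DROP policies and the "-d" on the FORWARD rules
# are assumptions made here.

WAN_INT="${WAN_INT:-eth0}"      # assumed: Internet-facing interface
LAN_INT="${LAN_INT:-eth1}"      # assumed: internal interface
LAN_NET="10.4.0.0/16"           # from the article
SNAT_IP="124.126.86.137"        # from the article: source for outbound traffic
DNAT_IP="124.126.86.138"        # from the article: public address of the server
DNAT_SERVER="10.4.3.150"        # from the article: internal server

render_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then replies to connections the firewall itself started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh and telnet as in the article (telnet carries credentials in cleartext)
-A INPUT -i $WAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN_INT -m state --state NEW -p tcp --dport 23 -j ACCEPT
-A INPUT -i $LAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_INT -m state --state NEW -p tcp --dport 23 -j ACCEPT
# ping the firewall: replies unlimited, requests through one shared bucket
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 10 -j ACCEPT
# inside-to-outside unrestricted; outside-in only for the DNAT'd ports.
# FORWARD sees the packet after PREROUTING DNAT, so the match is on the
# internal server and its real port (22), not on the public port 2022.
-A FORWARD -i $WAN_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_INT -j ACCEPT
-A FORWARD -i $WAN_INT -m state --state NEW -p tcp -d $DNAT_SERVER --dport 22 -j ACCEPT
-A FORWARD -i $WAN_INT -m state --state NEW -p tcp -d $DNAT_SERVER --dport 9000 -j ACCEPT
-A FORWARD -i $WAN_INT -m state --state NEW -p tcp -d $DNAT_SERVER --dport 9001 -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_INT -j SNAT --to-source $SNAT_IP
-A PREROUTING -d $DNAT_IP -p tcp --dport 2022 -j DNAT --to-destination $DNAT_SERVER:22
-A PREROUTING -d $DNAT_IP -p tcp --dport 9000 -j DNAT --to-destination $DNAT_SERVER:9000
-A PREROUTING -d $DNAT_IP -p tcp --dport 9001 -j DNAT --to-destination $DNAT_SERVER:9001
COMMIT
EOF
}

# The stateful ACCEPT must come before the per-port NEW rules in a chain,
# otherwise return packets of LAN-initiated sessions arriving on the WAN
# side have nothing to match. Returns 0 when the order holds for the
# named chain, 1 otherwise.
check_order() {
    render_ruleset | awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /RELATED,ESTABLISHED/ && !first_est { first_est = NR }
        $1 == "-A" && $2 == chain && /--state NEW/ && !first_new { first_new = NR }
        END { exit !(first_est && first_new && first_est < first_new) }'
}

# Load the whole table set atomically (needs root), then enable routing
# the way the article does.
apply_ruleset() {
    render_ruleset | iptables-restore && echo 1 > /proc/sys/net/ipv4/ip_forward
}

render_ruleset
```

Running the script prints the generated file; review it, then call apply_ruleset as root. Because iptables-restore loads every chain in one step, a typo in one rule leaves the previous ruleset in place instead of a half-built one, which a sequence of separate /sbin/iptables -A commands cannot guarantee.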
How to stop the iptables firewall on Linux from blocking active FTP?
Active FTP: the data transfer establishes a TCP connection on a fixed port
Passive FTP: the data transfer establishes a TCP connection on a random port

iptables blocks active FTP (even with ACCEPT