I wrote a script to protect my computer.
#!/bin/bash
ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'
# Clear any previous rules.
iptables -F
# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK
iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done
#Allowing http[s] from inside to outside
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED -j ACCEPT
#Allow ssh from inside to outside
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#Allow working on localhost
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
The output of iptables -L -v is as follows:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SSH_CHECK tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 HTTP_CHECK tcp -- any any anywhere anywhere tcp dpt:http
0 0 HTTP_CHECK tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- eth0 any anywhere anywhere multiport sports http,https state ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp spt:ssh state ESTABLISHED
0 0 ACCEPT all -- lo any localhost localhost
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any eth0 anywhere anywhere multiport dports http,https state NEW,ESTABLISHED
0 0 ACCEPT tcp -- any eth0 anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
0 0 ACCEPT all -- any lo localhost localhost
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
Chain HTTP_CHECK (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 1.1.1.1 anywhere /* Allowing 1.1.1.1 to visit my HTTP/S server */
0 0 ACCEPT all -- any any 2.2.2.2 anywhere /* Allowing 2.2.2.2 to visit my HTTP/S server */
Chain SSH_CHECK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 1.1.1.1 anywhere /* Allowing 1.1.1.1 to ssh from his IP */
1) With this setup I want to open a website, but I cannot. Why? How can I fix it? 2) What do these rules do when I uncomment them in the script?
#iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Answer 1
You are not allowing access to DNS, which is needed for name resolution when accessing the web.
I would change the rules as follows.
#!/bin/bash
ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'
if=eth0
# Clear any previous rules.
iptables -F
# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow all related and established packets, for every protocol.
# (Without "-p tcp" here, UDP DNS replies and ICMP echo replies are
# also accepted as part of the connections this host opened.)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK
iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done
#Allowing http[s] from inside to outside
iptables -A OUTPUT -o $if -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Allow DNS - you might want to limit this to a few known, trusted servers
iptables -A OUTPUT -o $if -p udp --dport 53 -j ACCEPT
#Allow ssh from inside to outside
iptables -A OUTPUT -o $if -p tcp --dport 22 -m state --state NEW -j ACCEPT
#Allow working on localhost, using any IP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
The commented-out rules:
- The first one allows any incoming TCP connection.
- The second one seems intended to stop new TCP connections from being established by anything other than a SYN packet. That does not make much sense (this appears to be the normal way of operating anyway!). There are some details in the answers to this question; for more information, see Freezetux.
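The same policy the answer arrives at (stateful RELATED,ESTABLISHED replies for every protocol, outbound DNS, per-source SSH and HTTP chains), written as an added example that is not part of the question or the answer: it emits the rules in iptables-restore format so they load atomically, instead of running one iptables command at a time with a DROP policy already in place before any ACCEPT rule exists. The 1.1.1.1, 2.2.2.2 and eth0 values are the page's placeholders; DNS_SERVERS and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not the page's script: build the corrected ruleset as text
# for iptables-restore, which applies the whole table in one transaction.
SSH_SRC="1.1.1.1"                # placeholder from the page
HTTP_SRC="1.1.1.1 2.2.2.2"       # placeholder from the page
IFACE="eth0"
DNS_SERVERS="${DNS_SERVERS:-}"   # assumed: space-separated resolvers; empty = any

build_ruleset() {
    # Prints a complete *filter table in iptables-save syntax on stdout.
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
    printf ':SSH_CHECK - [0:0]\n:HTTP_CHECK - [0:0]\n'
    # Replies for connections this host opened: TCP, UDP (DNS) and ICMP echo-reply.
    printf -- '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    printf -- '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate INVALID -j DROP\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT\n'
    # Inbound services, restricted to the listed source addresses.
    printf -- '-A INPUT -p tcp --dport 22 -j SSH_CHECK\n'
    printf -- '-A INPUT -p tcp -m multiport --dports 80,443 -j HTTP_CHECK\n'
    printf -- '-A SSH_CHECK -s %s -j ACCEPT\n' "$SSH_SRC"
    local ip
    for ip in $HTTP_SRC; do
        printf -- '-A HTTP_CHECK -s %s -j ACCEPT\n' "$ip"
    done
    # Outbound NEW connections: web, ssh, ping, and the DNS the answer adds.
    printf -- '-A OUTPUT -o %s -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT\n' "$IFACE"
    printf -- '-A OUTPUT -o %s -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$IFACE"
    printf -- '-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT\n'
    if [ -n "$DNS_SERVERS" ]; then
        # Limited to trusted resolvers, as the answer's comment suggests.
        for ip in $DNS_SERVERS; do
            printf -- '-A OUTPUT -o %s -d %s -p udp --dport 53 -j ACCEPT\n' "$IFACE" "$ip"
            printf -- '-A OUTPUT -o %s -d %s -p tcp --dport 53 -j ACCEPT\n' "$IFACE" "$ip"
        done
    else
        printf -- '-A OUTPUT -o %s -p udp --dport 53 -j ACCEPT\n' "$IFACE"
        printf -- '-A OUTPUT -o %s -p tcp --dport 53 -j ACCEPT\n' "$IFACE"
    fi
    printf 'COMMIT\n'
}

apply_ruleset() {
    # Parse-only check first, then load atomically (needs root and iptables-restore).
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}
```

Run `build_ruleset > /etc/iptables/rules.v4` to keep a copy that `iptables-restore` can reload at boot, and inspect it before calling `apply_ruleset` from an SSH session.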