iptables 스크립트를 실행할 때 웹사이트에 접근할 수 없습니다!

iptables 스크립트를 실행할 때 웹사이트에 접근할 수 없습니다!

내 컴퓨터를 보호하기 위해 스크립트를 작성했습니다.

#!/bin/bash

ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'

# Clear any previous rules.
iptables -F

# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#iptables -A INPUT  -p tcp -m state --state NEW,ESTABLISHED     -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK

iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
    iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done

#Allowing http[s] from inside to outside
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED -j ACCEPT

#Allow ssh from inside to outside
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#Allow working on localhost
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

출력은 iptables -L -v다음과 같습니다

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SSH_CHECK  tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 HTTP_CHECK  tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 HTTP_CHECK  tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             multiport sports http,https state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp spt:ssh state ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     localhost            localhost           
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             multiport dports http,https state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    eth0    anywhere             anywhere             tcp dpt:ssh state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  any    lo      localhost            localhost           
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request

Chain HTTP_CHECK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     1.1.1.1              anywhere             /* Allowing 1.1.1.1 to visit my HTTP/S server */
    0     0 ACCEPT     all  --  any    any     2.2.2.2              anywhere             /* Allowing 2.2.2.2 to visit my HTTP/S server */

Chain SSH_CHECK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     1.1.1.1              anywhere             /* Allowing 1.1.1.1 to ssh from his IP */

1) 이 전략을 사용하여 웹사이트를 열고 싶은데 열 수 없습니다. 왜? 어떻게 해결할 수 있나요? 2) 스크립트에서 주석 처리를 해제할 때 이러한 규칙은 무엇입니까?

#iptables -A INPUT  -p tcp -m state --state NEW,ESTABLISHED     -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

답변1

이름 확인을 사용하여 웹에 액세스하는 데 필요한 DNS에 액세스할 수 없습니다.

나는 다음과 같은 방법으로 규칙을 변경하겠습니다.

#!/bin/bash

ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'
if=eth0

# Clear any previous rules.
iptables -F

# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all related and established packets
iptables -A INPUT  -p tcp -m state --state RELATED,ESTABLISHED     -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED     -j ACCEPT

#iptables -A INPUT  -p tcp -m state --state NEW,ESTABLISHED     -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK

iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
    iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done

#Allowing http[s] from inside to outside
iptables -A OUTPUT -o $if -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Allow DNS - you might want to limit this to a few know, trusted servers
iptables -A OUTPUT -o $if -p udp --dport 53 -j ACCEPT

#Allow ssh from inside to outside
iptables -A OUTPUT -o $if -p tcp --dport 22 -m state --state NEW -j ACCEPT

#Allow working on localhost, using any IP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

주석 처리된 규칙:

관련 정보