I'm trying to allow only incoming and outgoing SSH through the firewall, but the problem is that FTP is still usable even though there is a DROP at the end of the script.
# Incoming SSH
$iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Outgoing SSH
$iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
Here is how I DROP:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
Result of iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP all -- anywhere anywhere
Script:
#!/bin/bash
iptables=/usr/sbin/iptables
# Flush all rules and set the default policy to drop
$iptables -F
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -X
$iptables -F -t nat
# NAT for outgoing traffic
$iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Loopback
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# Return half of established connections
$iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Incoming SSH
$iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Outgoing SSH
$iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Answer 1
The first line of your INPUT and OUTPUT chains accepts everything. You can remove them with these two commands:
iptables -D INPUT 1
iptables -D OUTPUT 1
But before running them, make sure you still have access (preferably from the console).
Now that you have provided the script, I can suggest an alternative:
#!/bin/bash -e
PATH=/usr/sbin:$PATH
# Reset to a sane state, even if just temporarily
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
# Erase all the rules
iptables -F
iptables -t nat -F
# Simple NAT rule for outgoing traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow the return half of established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming and outgoing ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
# You probably want other stuff permitted here such as DNS on 53/udp and 53/tcp
# and maybe NTP on 123/udp
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# Default policy is to discard all traffic
iptables -P INPUT DROP
iptables -P OUTPUT DROP
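As an added check (not part of the question or the answer above), this script parses an `iptables -L` listing like the one in the question and reports the 1-based rule numbers of ACCEPT rules that carry no visible constraint, which is what `iptables -D <chain> <n>` needs; the listing embedded below is a constructed excerpt of the question's INPUT and OUTPUT chains.

```python
"""Audit an `iptables -L` listing for accept-all rules that sit ahead of
the port-specific rules, the situation diagnosed in the answer above."""
import re

# Constructed sample: excerpt of the INPUT and OUTPUT chains from the question.
LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [(target, proto, extra), ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target") or not line.strip():
            continue
        fields = line.split()
        target, proto = fields[0], fields[1]
        extra = " ".join(fields[5:])  # match options after source/destination
        chains[current]["rules"].append((target, proto, extra))
    return chains


def unconstrained_accepts(chain):
    """1-based numbers of ACCEPT rules with no visible protocol, state or port
    constraint (the numbering `iptables -D <chain> <n>` uses). Plain -L hides
    interface matches such as -i lo, so confirm with `iptables -L -v -n`
    before deleting a rule."""
    return [i for i, (target, proto, extra) in enumerate(chain["rules"], start=1)
            if target == "ACCEPT" and proto == "all" and not extra]
```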