Previously I wrote all the firewall rules in a single script and ran it at boot; now the rules live in /etc/sysconfig/iptables instead, so only the iptables service has to be started at boot.
View the current iptables firewall rules
 # iptables -L -n
  Chain INPUT (policy ACCEPT)  
  target     prot opt source               destination  
  Chain FORWARD (policy ACCEPT)  
  target     prot opt source               destination  
  Chain OUTPUT (policy ACCEPT)  
  target     prot opt source               destination  
As the output shows, the host is currently wide open, with no protection at all.
Modifying the iptables firewall rules
 1. Change the default policy of the INPUT chain to DROP
 # vim /etc/sysconfig/iptables
  # Generated by iptables-save v1.4.7 on Fri Nov 15 11:01:16 2013  
  *filter  
  :INPUT DROP [74:5300]  
  :FORWARD ACCEPT [0:0]  
  :OUTPUT ACCEPT [48:5360]  
 Restart the firewall
 #  service iptables restart  
 #  iptables -L -n  
  Chain INPUT (policy DROP)  
  target     prot opt source               destination  
  Chain FORWARD (policy ACCEPT)  
  target     prot opt source               destination  
  Chain OUTPUT (policy ACCEPT)  
  target     prot opt source               destination  
 2. Open the services this host provides (SSH / Web / DNS / FTP)
 # vim /etc/sysconfig/iptables
  # Generated by iptables-save v1.4.7 on Fri Nov 15 11:01:16 2013  
  *filter  
  :INPUT DROP [74:5300]  
  :FORWARD ACCEPT [0:0]  
  :OUTPUT ACCEPT [48:5360]  
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
  -A INPUT -m state --state NEW -p udp -m udp --dport 53 -j ACCEPT
  -A INPUT -m state --state NEW -p tcp -m tcp --dport 53 -j ACCEPT
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 20,21,34500:34600 -j ACCEPT
  COMMIT  
  # Completed on Fri Nov 15 11:01:16 2013  
 Restart the firewall
 #  service iptables restart  
 #  iptables -L -n  
  Chain INPUT (policy DROP)  
  target     prot opt source               destination  
  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 20,21,34500:34600
  Chain FORWARD (policy ACCEPT)  
  target     prot opt source               destination  
  Chain OUTPUT (policy ACCEPT)  
  target     prot opt source               destination 
 3. Start iptables at boot
 # chkconfig --level 3 iptables on
Loading the related modules
# grep MOD /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
IPTABLES_MODULES_UNLOAD="yes"
# service iptables restart
iptables:正在清除防火牆規則:                             [  確定  ]
iptables:正在設定 chains 為 ACCEPT 政策:filter           [  確定  ]
iptables:正在卸載模組:                                   [  確定  ]
iptables:正在套用防火牆規則:                             [  確定  ]
iptables:正在載入額外的模組:ip_conntrack_netbios_ns ip_co[  確定  ]p
# lsmod | grep ftp
nf_conntrack_ftp       12913  0
nf_conntrack           79645  5 nf_conntrack_ftp,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_ipv4,xt_state
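As an added check (example code, not part of the original post), the script below parses an iptables-save file in the format used above and reports the chain policies, the ports INPUT accepts, and two points worth reviewing in this exact ruleset: the FTP multiport rule accepts without any --state restriction (the ip_conntrack_ftp helper loaded above already lets the RELATED rule match passive data connections), and no rule accepts loopback traffic even though the INPUT policy is DROP. RULESET is a constructed copy of the step-2 file, and the function names are my own.

```python
import shlex
# Constructed copy of the post's step-2 /etc/sysconfig/iptables (comment lines dropped).
RULESET = """\
*filter
:INPUT DROP [74:5300]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:5360]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,34500:34600 -j ACCEPT
COMMIT
"""
# Options whose next token we keep; "-m <module>" is skipped since it only loads a match.
VALUE_OPTS = {"-p": "proto", "--dport": "ports", "--dports": "ports",
              "--state": "state", "-i": "iface", "-j": "target"}

def parse_filter(text):
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # one appended rule
            argv, i = shlex.split(line), 2
            rule = dict(chain=argv[1], **dict.fromkeys(VALUE_OPTS.values()))
            while i < len(argv):
                key = VALUE_OPTS.get(argv[i])
                if key:
                    rule[key] = argv[i + 1]
                i += 2 if key or argv[i] == "-m" else 1
            rules.append(rule)
    return policies, rules

def audit(text):
    policies, rules = parse_filter(text)
    accepts = [r for r in rules if r["chain"] == "INPUT" and r["target"] == "ACCEPT"]
    open_ports = sorted({f"{r['proto']}/{p}" for r in accepts if r["ports"]
                         for p in r["ports"].split(",")})
    # A port rule with no conntrack state restriction accepts every packet to those ports.
    findings = [f"INPUT accepts {r['proto']} {r['ports']} with no --state restriction"
                for r in accepts if r["ports"] and r["state"] is None]
    # With policy DROP, local clients talking to 127.0.0.1 need an explicit lo rule.
    if policies.get("INPUT") == "DROP" and not any(r["iface"] == "lo" for r in accepts):
        findings.append("INPUT policy is DROP but no rule accepts the loopback interface (lo)")
    return {"policies": policies, "open_ports": open_ports, "findings": findings}
```

Run `audit(RULESET)` against the file before `service iptables restart`; adding `-A INPUT -i lo -j ACCEPT` clears the loopback finding.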
