Firewall on Debian 8.x

1. Search for iptables-related packages
# apt-cache search iptables | grep ^iptables
iptables - administration tools for packet filtering and NAT
iptables-converter - convert iptables-commands from a file to iptables-save format
iptables-converter-doc - sphinx documentation for iptables-converter
iptables-dev - transitional dummy package
iptables-nftables-compat - iptables compat tools for nftables
iptables-optimizer - sort iptables rules by packet counters
iptables-optimizer-doc - sphinx html documentation for iptables-optimizer
iptables-persistent - boot-time loader for netfilter rules, iptables plugin

2. Install the iptables-persistent package
# apt-get install iptables-persistent
   IPv4 firewall rules: /etc/iptables/rules.v4
   IPv6 firewall rules: /etc/iptables/rules.v6

3. Create your own firewall rules
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0/24      0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

4. Write the IPv4/IPv6 rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6
# /sbin/iptables-save > /etc/iptables/rules.v4
# /sbin/ip6tables-save > /etc/iptables/rules.v6

5. Add the restore commands to /etc/rc.local so the rules are loaded at boot
# sed -i '/^exit 0/i/sbin/iptables-restore < /etc/iptables/rules.v4' /etc/rc.local
# sed -i '/^exit 0/i/sbin/ip6tables-restore < /etc/iptables/rules.v6' /etc/rc.local
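The listing in step 3 shows the result but not the commands behind it. The script below is an added example, not part of the original post: it rebuilds that INPUT/OUTPUT ruleset as an iptables-save file of the kind step 4 writes to /etc/iptables/rules.v4, translating each hex flag mask back into its named TCP flags. It assumes the two match-less "ACCEPT all" rules are loopback accepts (iptables -L -n hides the interface) and leaves out the f2b-sshd chain, which fail2ban manages itself.

```shell
# Added example (not from the original post): the step-3 listing rebuilt as an
# iptables-save file for /etc/iptables/rules.v4.
# TCP flag bits behind the hex masks in "iptables -L -n":
#   FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20  (ALL=0x3F)
# Assumptions: the two match-less "ACCEPT all" rules are loopback accepts
# ("-L -n" hides the interface); the f2b-sshd chain belongs to fail2ban and
# is not recreated here.
generate_rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback (assumed)
-A INPUT -i lo -j ACCEPT
# packets conntrack cannot classify
-A INPUT -m state --state INVALID -j DROP
# a NEW connection must open with a bare SYN (listing: flags:!0x17/0x02)
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# impossible or scan-typical flag combinations, in listing order
-A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL FIN -j DROP
# replies to connections we started, then new SSH from the LAN only
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# loopback (assumed)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Parse-only check (needs root, touches no live rules); exit status 0 means
# the file is valid. Then: generate_rules_v4 > /etc/iptables/rules.v4
check_rules_v4() {
    generate_rules_v4 | iptables-restore --test
}
```

With iptables-persistent installed (step 2) the file is already loaded at boot by that package, so the rc.local lines in step 5 are a second loader for the same file.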