Setting up iptables on Ubuntu 14.04


I have been running a Linode VPS, and after the recent upgrade to 14.04 the way the iptables firewall is set up changed as well, so I am copying the steps here for future reference:

Check the current firewall rules:

sudo iptables -L

On a fresh system the output should look like this (all three chains empty with policy ACCEPT):
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Export the current iptables rules to a file so they can be edited. Linode's official guide suggests creating a new rules file from scratch and importing it directly, but that import never worked for me; exporting first, editing the exported file and then importing it back works fine.
Export command:
sudo iptables-save > ~/iptables-rules
Edit the file:
vi ~/iptables-rules
Change the *filter section to:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow ping and traceroute.
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow HTTP connections from anywhere (port 80, the normal
# port for web servers; HTTPS on 443 is not opened here).
-A INPUT -p tcp --dport 80 -j ACCEPT
# Accept inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT

After saving the file, import the rules:
sudo iptables-restore < ~/iptables-rules
Verify that the rules were loaded:
sudo iptables -L

The rules above do not open ports for SS or HTTPS.
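Because the rules file ends with a catch-all "-A INPUT -j REJECT", loading it over SSH from a file that lacks the SSH or ESTABLISHED accept (or has them below the catch-all) cuts off the very session doing the iptables-restore. The following pre-flight check is an added example, not part of the original post: it takes an iptables-save style file, locates the catch-all INPUT rule, and refuses the file unless tcp/22 and ESTABLISHED,RELATED are accepted before it. The two sample files are constructed here from the post's *filter table.

```sh
#!/bin/sh
# Pre-flight check for an iptables-save style rules file before it is fed to
# iptables-restore from an SSH session (added example, not from the post).

# Constructed sample: the post's *filter table with comments dropped.
GOOD_RULES="${TMPDIR:-/tmp}/iptables-rules.good"
BAD_RULES="${TMPDIR:-/tmp}/iptables-rules.bad"
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
# Same file with the SSH accept removed: the lock-out case.
grep -v -- '--dport 22' "$GOOD_RULES" > "$BAD_RULES"

# Position (1-based) of the first "-A INPUT" rule matching an awk regex, 0 if none.
input_rule_no() {
  awk -v pat="$2" '
    /^-A INPUT / { n++; if ($0 ~ pat) { print n; hit = 1; exit } }
    END { if (!hit) print 0 }' "$1"
}

# Returns 0 when the file is safe to load over SSH, 1 (with reasons) otherwise.
check_rules() {
  cr_file=$1; cr_rc=0
  cr_drop=$(input_rule_no "$cr_file" '^-A INPUT -j (REJECT|DROP)$')
  [ "$cr_drop" -gt 0 ] || { echo "no catch-all INPUT REJECT/DROP: unlisted traffic is accepted"; return 1; }
  for cr_need in '--dport 22 .*-j ACCEPT' 'ESTABLISHED.*-j ACCEPT'; do
    cr_pos=$(input_rule_no "$cr_file" "$cr_need")
    if [ "$cr_pos" -eq 0 ] || [ "$cr_pos" -gt "$cr_drop" ]; then
      echo "rule matching '$cr_need' is missing or comes after catch-all rule $cr_drop: would lock out SSH"
      cr_rc=1
    fi
  done
  return $cr_rc
}

for f in "$GOOD_RULES" "$BAD_RULES"; do
  if check_rules "$f"; then echo "$f: ok, safe to iptables-restore"; else echo "$f: refusing to apply"; fi
done
```

Run it against ~/iptables-rules before the iptables-restore step; a file it refuses should be fixed in the editor rather than loaded.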

On Ubuntu the iptables rules are lost on reboot. To save the firewall rules so they are loaded automatically the next time the server restarts, install the iptables-persistent package:

sudo apt-get update
sudo apt-get install iptables-persistent

When the package finishes installing it asks whether to save the current IPv4 and IPv6 rules; answer yes if you are sure about them, otherwise answer no. You can run the save command on its own later:
sudo service iptables-persistent save
The result is two rules files written into the /etc/iptables/ directory.

Note for Aliyun hosts: they have two network interfaces, one internal and one public, and the firewall rules must be bound to the public one, otherwise the server cannot be reached:
Check the interface information
ifconfig
The interface is eth1.
