私のコンピュータを保護するためにスクリプトを書いた。
#!/bin/bash
ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'
# Clear any previous rules.
iptables -F
# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK
iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done
#Allowing http[s] from inside to outside
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED -j ACCEPT
#Allow ssh from inside to outside
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#Allow working on localhost
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
出力はiptables -L -v
次のとおりです
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SSH_CHECK tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 HTTP_CHECK tcp -- any any anywhere anywhere tcp dpt:http
0 0 HTTP_CHECK tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- eth0 any anywhere anywhere multiport sports http,https state ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp spt:ssh state ESTABLISHED
0 0 ACCEPT all -- lo any localhost localhost
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any eth0 anywhere anywhere multiport dports http,https state NEW,ESTABLISHED
0 0 ACCEPT tcp -- any eth0 anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
0 0 ACCEPT all -- any lo localhost localhost
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
Chain HTTP_CHECK (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 1.1.1.1 anywhere /* Allowing 1.1.1.1 to visit my HTTP/S server */
0 0 ACCEPT all -- any any 2.2.2.2 anywhere /* Allowing 2.2.2.2 to visit my HTTP/S server */
Chain SSH_CHECK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 1.1.1.1 anywhere /* Allowing 1.1.1.1 to ssh from his IP */
1) この戦略を使ってウェブサイトを開けたいのですが、開けません。なぜ?どうすれば解決できますか? 2)スクリプトでコメントを解除するときのこれらの規則は何ですか?
#iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
答え1
名前解決を使用してWebにアクセスするために必要なDNSにアクセスすることはできません。
私は次の方法でルールを変更します。
#!/bin/bash
ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'
if=eth0
# Clear any previous rules.
iptables -F
# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow all related and established packets
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK
iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done
#Allowing http[s] from inside to outside
iptables -A OUTPUT -o $if -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Allow DNS - you might want to limit this to a few know, trusted servers
iptables -A OUTPUT -o $if -p udp --dport 53 -j ACCEPT
#Allow ssh from inside to outside
iptables -A OUTPUT -o $if -p tcp --dport 22 -m state --state NEW -j ACCEPT
#Allow working on localhost, using any IP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
注釈付きルール:
- 1つ目は、すべての着信TCP接続を許可します。
- 2つ目は、SYNパケット以外のもので、新しいTCP接続が確立されないようにすることです。これは特に理解できません
!
。これが一般的な作業方法のようです)この質問に対する回答にはいくつかの詳細があります。 詳細については、Freezetuxをご覧ください。