Thursday, December 14, 2006

帽客's iptables configuration - single-host edition

Below is the configuration 帽客 usually uses:
# Generated by iptables-save v1.2.11 on Tue Dec 12 23:24:06 2006
*filter
:INPUT DROP [1032:90974]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1758:160527]
:BADPKT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -m state --state INVALID -j BADPKT
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j BADPKT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "** Firewall INPUT DROP **"
-A BADPKT -j DROP
COMMIT
# Completed on Tue Dec 12 23:24:06 2006

Explanation:
Create a new chain named BADPKT, whose default action is DROP.
-A INPUT -i lo -j ACCEPT -> packets arriving on the loopback interface are accepted
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP -> a packet with a loopback (127.0.0.0/8) source address must have arrived on the loopback interface; otherwise DROP
-A INPUT -m state --state INVALID -j BADPKT -> a packet whose connection-tracking state is INVALID is sent to BADPKT and dropped
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j BADPKT -> the first packet of a TCP connection must be a pure SYN; otherwise DROP
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT -> allow SSH connection requests; it is best to add an -s argument limiting which IP or subnet may connect
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -> allow the n-th packet of a connection this host already knows about (we sent the first one ourselves, so of course the follow-up packets must be allowed too!)
-A INPUT -j LOG --log-prefix "** Firewall INPUT DROP **" -> write a kernel log entry for anything that fell through to here (the packet is then dropped by the INPUT policy); the iptables log lines end up in /var/log/messages
-A BADPKT -j DROP -> the catch-all rule of BADPKT; a user-defined chain has no policy of its own, so this rule is what gives BADPKT its "default DROP" behaviour
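The explanation above relies on how the kernel walks a chain: rules are tried top to bottom, the first terminating target (ACCEPT/DROP) decides, LOG does not terminate, a jump to a user-defined chain such as BADPKT returns to the caller if nothing in it matched, and the chain policy applies only at the very end. To make that visible without root access, here is an added Python example that is not from the original post or from the iptables project: a small parser for the subset of iptables-save syntax used in the ruleset, plus a first-match simulator for the INPUT chain. The ruleset text embedded in the block is a copy of the post's rules with the packet counters zeroed; the sample packets, the address 203.0.113.5 and the interface name eth0 are constructed, and the conntrack state is supplied by hand rather than derived from real traffic, so this models the rule logic rather than replacing a test on the host.

```python
import ipaddress
import shlex

# Constructed copy of the post's ruleset (filter table only, counters zeroed).
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BADPKT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -m state --state INVALID -j BADPKT
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j BADPKT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "** Firewall INPUT DROP **"
-A BADPKT -j DROP
COMMIT
"""

def parse_ruleset(text):
    """Parse the iptables-save subset above into (policies, chains); a rule is {opt: (negated, arg)}."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # ":INPUT DROP [0:0]"; "-" = user chain, no policy
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]              # drop the "-A"; shlex keeps the quoted log prefix
            chain, rule, i = toks[0], {}, 1
            while i < len(toks):
                neg = False
                if toks[i] == "!":                    # new-style negation: ! --tcp-flags ...
                    neg, i = True, i + 1
                opt, i = toks[i], i + 1
                if opt == "-m":                       # "-m state" / "-m tcp": module name, skip it
                    i += 1
                    continue
                if toks[i] == "!":                    # old-style negation: -i ! lo
                    neg, i = True, i + 1
                arg, i = toks[i], i + 1
                if opt == "--tcp-flags":              # takes two arguments: mask, comp
                    arg, i = (arg, toks[i]), i + 1
                rule[opt] = (neg, arg)
            chains[chain].append(rule)
    return policies, chains

def matches(rule, pkt):
    """True if every match option of the rule holds for the packet dict."""
    for opt, (neg, arg) in rule.items():
        if opt in ("-j", "--log-prefix"):             # target options, not matches
            continue
        if opt == "-i":
            hit = pkt["iface"] == arg
        elif opt == "-s":
            hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            hit = pkt["proto"] == arg
        elif opt == "--dport":
            hit = pkt.get("dport") == int(arg)
        elif opt == "--tcp-flags":                    # iptables semantics: (flags & mask) == comp
            mask, comp = (set(x.split(",")) for x in arg)
            hit = (pkt.get("flags", set()) & mask) == comp
        elif opt == "--state":
            hit = pkt["state"] in arg.split(",")
        elif opt == "--icmp-type":
            hit = pkt.get("icmp_type") == int(arg)
        else:
            raise ValueError("unsupported option: " + opt)
        if hit == neg:                                # "!" inverts the match
            return False
    return True

def traverse(policies, chains, chain, pkt, log):
    """Walk a chain top to bottom; the first terminating target decides."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["-j"][1]
        if target == "LOG":                           # LOG is non-terminating: record and carry on
            log.append(rule["--log-prefix"][1])
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = traverse(policies, chains, target, pkt, log)  # jump into a user-defined chain
        if sub != "RETURN":
            return sub
    return policies[chain] or "RETURN"               # chain policy, or fall back to the caller

def verdict(pkt, text=RULESET):
    """Return (verdict, list of LOG prefixes hit) for a packet entering INPUT."""
    (policies, chains), log = parse_ruleset(text), []
    return traverse(policies, chains, "INPUT", pkt, log), log

def packet(iface, src, proto, **extra):  # constructed packet; conntrack state defaults to NEW
    return {"iface": iface, "src": src, "proto": proto, "state": "NEW", **extra}
```

Feeding the simulator a bare-ACK packet to port 22 with state NEW shows why the SYN-only rule sits before the SSH rule: the ACK never reaches the ACCEPT line, because the earlier rule hands it to BADPKT. A packet to port 80 instead falls all the way through, is logged with the "** Firewall INPUT DROP **" prefix, and is then dropped by the INPUT policy, which is the order of events the explanation of the LOG rule describes.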
