  Ubuntu 16.04: setting up a firewall whitelist

    Correctly configuring the firewall is essential for server security. On an Ubuntu server a firewall whitelist can be set up with either iptables or ufw. iptables has no single direct command for this and requires editing several files; ufw is a front end for managing iptables rules and is simpler to operate than iptables itself.

    1 Setting up a firewall whitelist with iptables

    1.1 Check whether iptables is installed

    (base) root@master:~# whereis iptables  # check whether the firewall is installed
    iptables: /sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
    
    (base) root@master:~# apt-get install iptables # install it if it is missing
    
    (base) root@master:~# iptables -L  # show the current firewall rules
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
        
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination      
    
    

    1.2 Add iptables rules

    (base) root@master:~# vi /etc/iptables.rules
    
    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    
    # Whitelisted server IPs start here (remove the IP address of the current server itself)
    -N whitelist
    -A whitelist -s xx.xx.xx.xx -j ACCEPT
    -A whitelist -s xx.xx.xx.xx -j ACCEPT
    
    # Whitelisted server IPs end here
    
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j ACCEPT
    
    # The whitelist ports below are meant for server-to-server access over the internal network only
    # (iptables-restore accepts only '#' comments, so this block must not use '//')
    # Note: the ACCEPT rules above already open the same ports to any source, so the
    # jumps below are never reached; drop the public ACCEPT for every port that
    # should be reachable from whitelisted IPs only.
    # Ports opened for whitelisted IPs start here
    
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j whitelist
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j whitelist
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j whitelist
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j whitelist
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j whitelist
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j whitelist
    
    # Intended to allow only 100 packets per second, to mitigate DDoS attacks.
    # Note: the unconditional '-A INPUT -p icmp -j ACCEPT' above matches first, so
    # these limit rules never see any traffic as written; the limit only takes
    # effect if that unconditional ICMP accept is removed.
    -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    -A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
    
    # Ports opened for whitelisted IPs end here
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    

    1.3 Apply the firewall rules

    (base) root@master:~# iptables-restore < /etc/iptables.rules
    

    1.4 Make the iptables rules persistent

    Create the file /etc/network/if-post-down.d/iptables and add the following content:

    (base) root@master:~# vi /etc/network/if-post-down.d/iptables
    

    Contents of the iptables file:

    #!/bin/bash
    # save the running rule set whenever the interface goes down
    iptables-save > /etc/iptables.rules
    

    Make it executable

    (base) root@master:/etc/network/if-post-down.d# chmod +x /etc/network/if-post-down.d/iptables
    

    Create the file /etc/network/if-pre-up.d/iptables and add the following content:

    (base) root@master:~# vi /etc/network/if-pre-up.d/iptables
    

    Contents of the iptables file:

    #!/bin/bash
    # reload the saved rule set before the interface comes up
    iptables-restore < /etc/iptables.rules
    

    Make it executable

    (base) root@master:/etc/network/if-pre-up.d# chmod +x /etc/network/if-pre-up.d/iptables
    

    1.5 Check that the iptables rules took effect

    (base) root@master:~# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
    whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
    whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
    whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 10
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 100
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain whitelist (6 references)
    target     prot opt source               destination         
    ACCEPT     all  --  xx.xx.xx.xx       0.0.0.0/0           
    ACCEPT     all  --  xx.xx.xx.xx        0.0.0.0/0   
    

    To change the rules again later, run the following commands

    vi /etc/iptables.rules  # edit the rules
    iptables-restore < /etc/iptables.rules # apply the edited rules
    iptables -L -n  # check that the rules took effect
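
    As written, the rules file in 1.2 opens ports 3306, 2181 and 9092 to every source before the whitelist jumps are reached, and the ICMP rate limit sits behind an unconditional ICMP accept. The script below is an added example, not from the original post: it generates a rules file for iptables-restore in the corrected order (public ports accepted, whitelist-only ports routed through the whitelist chain, rate-limited ICMP before any other ICMP rule) and lints the result for the shadowing mistake. The IP addresses and port sets are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: build an iptables-restore file in
# which whitelist-only ports are never also ACCEPTed from any source, and the
# ICMP rate limit comes before any ICMP accept. IPs and ports are constructed.
# Usage: gen_rules "<whitelist ips>" "<public ports>" "<whitelist-only ports>"
gen_rules() {
    wl_ips=$1; pub_ports=$2; wl_ports=$3
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-N whitelist'
    for ip in $wl_ips; do
        printf '%s\n' "-A whitelist -s $ip -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Rate-limited ICMP only; packets above the limit fall through to the final REJECT
    printf '%s\n' '-A INPUT -p icmp -m limit --limit 100/s --limit-burst 100 -j ACCEPT'
    for p in $pub_ports; do        # reachable from any source
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    for p in $wl_ports; do         # reachable only via the whitelist chain
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j whitelist"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Lint: return 1 if a whitelist-only port also has an unconditional ACCEPT,
# which is what makes the whitelist chain dead for that port in the original file.
check_no_shadowing() {
    rules=$1; wl_ports=$2
    for p in $wl_ports; do
        if printf '%s\n' "$rules" | grep -q -- "--dport $p -j ACCEPT"; then
            echo "port $p is ACCEPTed from any source; its whitelist jump is never reached" >&2
            return 1
        fi
    done
    return 0
}

# Sample run with constructed values; on a real host: gen_rules ... > /etc/iptables.rules
RULES=$(gen_rules "10.0.0.5 10.0.0.6" "22 80 443" "3306 2181 9092")
check_no_shadowing "$RULES" "3306 2181 9092" && printf '%s\n' "$RULES"
```

Feed the generated text to iptables-restore exactly as in 1.3; because iptables-restore applies the file atomically, a file that fails the lint is simply not loaded.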
    

    2 Setting up a firewall whitelist with ufw

    Ubuntu 16.04 ships with UFW (Uncomplicated Firewall), a simple firewall front end; it is inactive by default.

    2.1 List all application profiles

    (base) root@master:~# sudo ufw app list 
    Available applications:
        OpenSSH
    

    2.2 Allow SSH connections

    This step is critical: if you are logged in to the server remotely, you must allow SSH before enabling ufw, otherwise SSH connections will be cut off as soon as ufw is enabled.

    (base) root@master:~# sudo ufw allow ssh
    Rules updated
    Rules updated (v6)
    

    If SSH listens on a custom port, run the following command instead

    sudo ufw allow <port>/tcp
    

    2.3 Enable ufw

    (base) root@master:~# sudo ufw enable
    Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
    Firewall is active and enabled on system startup
    

    2.4 Allow common ports

    (base) root@master:~# sudo ufw allow http  # allow HTTP connections
    Rule added
    Rule added (v6)
    

    2.5 Allow a port range

    sudo ufw allow xxxx:yyyy/tcp # open TCP ports xxxx through yyyy on the server
    
    

    2.6 Allow a specific IP

    (base) root@master:~# sudo ufw allow from XX.XX.XX.XX # allow XX.XX.XX.XX to reach all ports
    Rule added
    

    2.7 Allow a subnet

    sudo ufw allow from xx.xx.xx.xx/16 to any port 3306 # allow hosts in the given subnet to reach the MySQL port 3306
    

    2.8 Deny access

    sudo ufw deny from xx.xx.xx.xx to any port 80  # deny xx.xx.xx.xx access to port 80
    

    2.9 Delete ufw firewall rules

    (base) root@master:~# sudo ufw status numbered # list the rules with their numbers
    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere                  
    [ 2] 80/tcp                     ALLOW IN    Anywhere                  
    [ 3] 3306/tcp                   ALLOW IN    Anywhere                  
    [ 4] 2181/tcp                   ALLOW IN    Anywhere                  
    [ 5] 9002/tcp                   ALLOW IN    Anywhere                  
    [ 6] 9092/tcp                   ALLOW IN    Anywhere
    

    To delete the port 80 rule, for example

    sudo ufw delete 2 # method 1: delete by rule number
    
    sudo ufw delete allow 80 # method 2: delete by restating the rule
    
    

    2.10 Disable ufw

    sudo ufw disable
    

    2.11 Reset ufw

    sudo ufw reset
    
  Original article: https://www.cnblogs.com/eugene0/p/12056901.html