I'm having some trouble configuring iptables correctly. I want to block all incoming traffic except SSH and allow any outgoing traffic. I did the following:
#!/bin/sh
# My system IP/set ip address of server
ETH0=$(ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
ETH1=$(ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d ${ETH1} --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s ${ETH1} -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
My output (iptables -L -v) looks like this:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  all  --  lo   any  anywhere  anywhere
   77  5588 ACCEPT  tcp  --  any  any  anywhere            tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
  224 13826 DROP    all  --  any  any  anywhere  anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source    destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  all  --  any  lo   anywhere  anywhere
   92  6993 ACCEPT  all  --  any  eth0 anywhere  anywhere
   45  6340 ACCEPT  all  --  any  eth1 anywhere  anywhere
    0     0 ACCEPT  tcp  --  any  any  anywhere            tcp spt:ssh dpts:login:65535 state ESTABLISHED
Outbound traffic on eth0 and eth1 is allowed, but it doesn't work.
wget http://www.google.com results in "Resolving www.google.com (www.google.com)..."
and after a while I get the output "wget: unable to resolve host address 'www.google.de'".
But where is the error in my configuration? How can I allow more outbound traffic?
Add
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
so that connections you have established can receive their replies from the Internet. And replace your two SSH lines with this single one:
iptables -A INPUT -p tcp -s 0/0 -d ${ETH1} --dport 22 -m state --state NEW -j ACCEPT
because the first line already covers the established part of SSH.
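A complete version of the script with the answer's fix applied, as an added example that is not part of the question or the answer. It assumes the SSH-facing interface is eth1 (override with SSH_IF or SSH_ADDR), reads its IPv4 address with `ip` instead of the deprecated `ifconfig`, and supports a dry run: `sh firewall.sh` only prints the rules, `sh firewall.sh apply` runs them through iptables and needs root. The rule order is the point: the ESTABLISHED,RELATED rule sits before the SSH rule and the final DROP, so the DNS answer to wget's UDP query and the SYN-ACK of its TCP connection are accepted by connection-tracking state rather than by guessing source port ranges.

```shell
#!/bin/sh
# Added example: the question's script with the answer's fix applied.
# Assumptions (not from the original post): the SSH-facing interface is
# eth1, its address is read with `ip`, and SSH_IF / SSH_ADDR may override
# both. With no argument the script only prints the rules (dry run);
# `sh firewall.sh apply` runs them with iptables (needs root).

SSH_IF="${SSH_IF:-eth1}"
IPTABLES="${IPTABLES:-iptables}"

# Print a rule instead of applying it; used by the dry run.
print_rule() {
    printf 'iptables %s\n' "$*"
}

# IPv4 address of the SSH-facing interface. `ip -4 -o addr show dev eth1`
# prints e.g. "3: eth1    inet 192.0.2.10/24 brd ... scope global eth1";
# the fourth field minus its prefix length is the address. Falls back to
# the documentation address 192.0.2.10 on a machine without that interface.
ssh_addr() {
    if [ -n "${SSH_ADDR:-}" ]; then
        printf '%s\n' "$SSH_ADDR"
        return
    fi
    addr=$(ip -4 -o addr show dev "$SSH_IF" 2>/dev/null |
           awk '{ sub(/\/.*/, "", $4); print $4; exit }')
    printf '%s\n' "${addr:-192.0.2.10}"
}

apply_rules() {
    ETH1=$(ssh_addr)

    # Flush all rules and delete user-defined chains, then set the policies:
    # nothing comes in or is forwarded unless a rule allows it; everything
    # may go out, so no OUTPUT rules are needed at all.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP

    # Unlimited traffic on loopback.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # The fix from the answer. Connection tracking marks the DNS answer to
    # our UDP query, the SYN-ACK to our wget, or an ICMP error about either
    # as ESTABLISHED or RELATED, so replies are accepted by state, not by
    # port numbers. This rule must come before the SSH rule and the DROP.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New inbound SSH connections to the eth1 address only; their later
    # packets are ESTABLISHED and already accepted above, so the old
    # --sport 513:65535 match and the OUTPUT rule for port 22 are gone.
    $IPTABLES -A INPUT -p tcp -d "$ETH1" --dport 22 -m state --state NEW -j ACCEPT

    # Anything else inbound is dropped (explicit, same as the policy).
    $IPTABLES -A INPUT -j DROP
}

# Dry run: same rules, printed rather than applied.
dry_run() {
    ( IPTABLES=print_rule; apply_rules )
}

case "${1:-dry-run}" in
    apply)   apply_rules ;;
    dry-run) dry_run ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

To confirm the fix on a live box, run `iptables -L INPUT -v -n` before and after a `wget http://www.google.com`: with the original rules the packet counter on the final DROP line grows by the dropped DNS replies; with the state rule in place it stays flat and the ESTABLISHED,RELATED line counts instead. On current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the preferred spelling of `-m state --state`, with identical meaning.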