我有一套规则,可以在将诸如 fail2ban 和其他东西添加到组合中之前为我提供最大的保护。问题是,虽然一切都在测试中检查出来,当我service iptables restart 关闭时它会恰到好处,但是当它应用规则时它会挂起。这是套装
# Allow all traffic.
#---------------------------------------------------------
*filter
:INPUT ACCEPT [81:5076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3868]
#---------------------------------------------------------
# protection based on http://thelowedown.wordpress.com/2008/07/03/iptables-how-to-use-the-limits-module/
# and https://gist.github.com/virtualstaticvoid/1024546
# and http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
#---------------------------------------------------------
#---------------------------------------------------------
# General rules
#---------------------------------------------------------
# it is gerenally view as best practice to drop all and add
# just what is needed. Drop and reject to prevent abuse
# of the system and sour the milk
#---------------------------------------------------------
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Allow incoming HTTP
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTPS
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# Allow loopback access
#---------------------------------------------------------
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
#---------------------------------------------------------
-A FORWARD -i eth0 -o eth1 -j ACCEPT
# Allow outbound DNS
#---------------------------------------------------------
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
#---------------------------------------------------------
# DATABASE Connections
#---------------------------------------------------------
# Allow MySQL connection only from a specific network
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
#---------------------------------------------------------
# SSH
#---------------------------------------------------------
# Allow ALL incoming SSH
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing SSH
#---------------------------------------------------------
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# limit ssh to 10 connections in 10mins
# note 198.255.255.255 is fake for this post
#---------------------------------------------------------
-I INPUT -p tcp -s 0/0 -d 198.255.255.255 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
-I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
-A OUTPUT -p tcp -s 198.255.255.255 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
#---------------------------------------------------------
# DoS
#---------------------------------------------------------
# Prevent general DoS attack
#---------------------------------------------------------
-A INPUT -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 5/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 443 -m limit --limit 5/minute --limit-burst 100 -j ACCEPT
# Syn-flood protection
#---------------------------------------------------------
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Interface 0 incoming syn-flood protection
#---------------------------------------------------------
-N syn_flood
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
# Furtive port scanner
#---------------------------------------------------------
#-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
#-A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
#-A port-scan -j DROP
# Ping of death
#---------------------------------------------------------
#-A FORWARD -p icmp --icmp-type echo-request -m limit \ --limit 1/s -j ACCEPT
# Limiting the incoming icmp ping request
#---------------------------------------------------------
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j ACCEPT
#---------------------------------------------------------
# Logging
#---------------------------------------------------------
# Log dropped packets
#---------------------------------------------------------
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# End
我不得不删除port-scan死亡规则和 ping 规则,因为它导致它无法通过测试。我也想纠正一下。
任何想法为什么它会通过测试但永远坚持应用规则?
更新
到目前为止,除了评论所有内容
# Allow all traffic.
#---------------------------------------------------------
*filter
:INPUT ACCEPT [81:5076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3868]
我仍然得到奇怪的结果,比如iptables在重新启动时挂起,无法yum install *。在这一点上,就像我只需要重新开始修复规则一样!
| 归档时间: |
|
| 查看次数: |
3171 次 |
| 最近记录: |