To keep a server secure, configuring the firewall correctly is essential. On an Ubuntu server a firewall whitelist can be set up with either iptables or ufw. iptables has no single management command and requires editing several files; ufw is a front end that manages iptables rules for you and is simpler to work with than raw iptables.
Setting up a firewall whitelist with iptables
(base) root@master:~# whereis iptables #check whether iptables is installed on the system
iptables: /sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
(base) root@master:~# apt-get install iptables #if it is not installed, run the install command
(base) root@master:~# iptables -L #show the current firewall rules
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables rules
(base) root@master:~# vi /etc/iptables.rules
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Whitelisted server IPs start here (do not include this server's own IP address)
-N whitelist
-A whitelist -s xx.xx.xx.xx -j ACCEPT
-A whitelist -s xx.xx.xx.xx -j ACCEPT
# Whitelisted server IPs end here
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j ACCEPT
# The whitelist ports below are meant to be reachable only between servers over the internal network
# (iptables-restore only accepts "#" comment lines; a line starting with "//" makes it reject the file)
# Ports opened for whitelisted IPs start here
# Caveat: rules are evaluated top to bottom, and the six ACCEPT rules above already accept
# these same ports from any source, so the whitelist jumps below are never reached.
# To restrict a port to whitelisted hosts only, remove its unconditional ACCEPT rule above.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j whitelist
# ICMP rate limiting to guard against ping floods (DDoS): 1 packet/s with a burst of 10,
# then 100 packets/s with a burst of 100; anything above that falls through to the final REJECT.
# These two rules only take effect if the unconditional "-p icmp -j ACCEPT" rule above is removed,
# because that rule matches every ICMP packet first.
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
# Ports opened for whitelisted IPs end here
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
(base) root@master:~# iptables-restore < /etc/iptables.rules
Persisting the iptables rules
Create the file /etc/network/if-post-down.d/iptables with the following content:
(base) root@master:~# vi /etc/network/if-post-down.d/iptables
The contents of the iptables file are as follows:
#!/bin/bash
iptables-save > /etc/iptables.rules
Make the file executable:
(base) root@master:/etc/network/if-post-down.d# chmod +x /etc/network/if-post-down.d/iptables
Create the file /etc/network/if-pre-up.d/iptables with the following content:
(base) root@master:~# vi /etc/network/if-pre-up.d/iptables
The contents of the iptables file are as follows:
#!/bin/bash
iptables-restore < /etc/iptables.rules
Make the file executable:
(base) root@master:/etc/network/if-pre-up.d# chmod +x /etc/network/if-pre-up.d/iptables
(base) root@master:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2181
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9092
whitelist tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
whitelist tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
whitelist tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
whitelist tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
whitelist tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2181
whitelist tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9092
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 100
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain whitelist (6 references)
target prot opt source destination
ACCEPT all -- xx.xx.xx.xx 0.0.0.0/0
ACCEPT all -- xx.xx.xx.xx 0.0.0.0/0
If you change the rules again, run the following commands:
vi /etc/iptables.rules #edit the rules
iptables-restore < /etc/iptables.rules #apply the modified rules
iptables -L -n #verify that the rules took effect
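As an added example (not part of the original post), the following script checks a rules file for two problems before it is handed to iptables-restore: a comment line that does not begin with "#", which makes iptables-restore reject the whole file, and a whitelist jump for a port that an earlier unconditional ACCEPT already opens to every source, which is the pattern in the rules file above. The sample rules and the address 10.0.0.5 are constructed for this example.

```shell
#!/bin/sh
# Added pre-flight check for an iptables-restore rules file (not from the post).
# It reports two defects present in the rules file above:
#   1. a comment line that starts with "//" instead of "#": iptables-restore
#      refuses the whole file, so nothing is applied
#   2. a "-j whitelist" jump for a --dport that an earlier unconditional
#      "-j ACCEPT" in INPUT already opened to every source, so the whitelist
#      chain can never be reached for that port
# check_rules FILE   (reads stdin when FILE is omitted); exit status = number of findings
check_rules() {
    awk '
    /^[ \t]*$/ || /^#/ || /^\*/ || /^:/ || /^COMMIT/ { next }
    !/^-/ { printf "line %d: not a rule or # comment, iptables-restore will fail: %s\n", NR, $0
            bad++; next }
    /^-A INPUT / {
        port = ""
        for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
        if (port == "") next
        # ACCEPT with no -s source restriction opens the port to everyone
        if ($0 ~ /-j ACCEPT$/ && $0 !~ /-s /) open[port] = NR
        if ($0 ~ /-j whitelist$/ && (port in open)) {
            printf "line %d: port %s already ACCEPTed from anywhere at line %d, whitelist jump is dead\n", NR, port, open[port]
            bad++ }
    }
    END { exit bad }' "${1:--}"
}

# Constructed sample modelled on the rules file in the post (10.0.0.5 is a placeholder)
BROKEN=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 10.0.0.5 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
// whitelist-only ports
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j whitelist
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)
# Same policy, corrected: 22 stays public, 3306 and 9092 are reachable only via the whitelist chain
FIXED=$(printf '%s\n' "$BROKEN" | grep -v -- '--dport 3306 -j ACCEPT' | sed 's|^//|#|')

printf '%s\n' "$BROKEN" | check_rules || echo "broken file: $? finding(s)"
printf '%s\n' "$FIXED"  | check_rules && echo "fixed file: ok"
```

Run it against /etc/iptables.rules before the iptables-restore step; a non-zero exit status means the file needs attention.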
Setting up a firewall whitelist with ufw
Ubuntu 16.04 ships with UFW (Uncomplicated Firewall), a simple firewall front end; it is inactive by default.
(base) root@master:~# sudo ufw app list
Available applications:
OpenSSH
This step is very important: if you are logged in to the server remotely, you must add a rule allowing SSH connections before enabling the ufw firewall; otherwise, once ufw is enabled, you will no longer be able to connect over SSH.
(base) root@master:~# sudo ufw allow ssh
Rules updated
Rules updated (v6)
If SSH listens on a custom port, run the following instead:
sudo ufw allow <port>/tcp
Enable ufw
(base) root@master:~# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
(base) root@master:~# sudo ufw allow http #allow HTTP connections
Rule added
Rule added (v6)
sudo ufw allow xxxx:yyyy/tcp #open the TCP port range xxxx through yyyy on the server
(base) root@master:~# sudo ufw allow from XX.XX.XX.XX #allow XX.XX.XX.XX to reach all ports
Rule added
sudo ufw allow from xx.xx.xx.xx/16 to any port 3306 #allow hosts in the given subnet to reach the MySQL port 3306
sudo ufw deny from xx.xx.xx.xx to any port 80 #deny xx.xx.xx.xx access to port 80
ufw firewall settings
(base) root@master:~# sudo ufw status numbered #list the rules with their numbers
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 3306/tcp ALLOW IN Anywhere
[ 4] 2181/tcp ALLOW IN Anywhere
[ 5] 9002/tcp ALLOW IN Anywhere
[ 6] 9092/tcp ALLOW IN Anywhere
To delete the rule for port 80:
sudo ufw delete 2 #method 1: delete by rule number
sudo ufw delete allow 80 #method 2: delete by specifying the port directly
Disable ufw
sudo ufw disable
Reset ufw
sudo ufw reset
Original post: https://www.cnblogs.com/eugene0/p/12056901.html