Setting up a firewall whitelist on Ubuntu 16.04

Configuring the firewall correctly is essential to keeping a server secure. On an Ubuntu server a firewall whitelist can be set up with either iptables or ufw. iptables has no single management command for this and requires editing several files; ufw is a front end for managing iptables rules and is simpler to use than iptables directly.

1 Setting up a firewall whitelist with iptables

1.1 Check whether iptables is installed

(base) root@master:~# whereis iptables  # check whether the firewall is installed
iptables: /sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz

(base) root@master:~# apt-get install iptables # if it is not installed, run the install command

(base) root@master:~# iptables -L  # show the current firewall rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
    

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

1.2 Add iptables rules

(base) root@master:~# vi /etc/iptables.rules
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Whitelisted server IPs start here (remove this server's own IP address)
-N whitelist
-A whitelist -s xx.xx.xx.xx -j ACCEPT
-A whitelist -s xx.xx.xx.xx -j ACCEPT
# Whitelisted server IPs end here

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j ACCEPT

# The whitelist ports below are meant to be reachable only between servers over the internal network.
# Ports opened for whitelisted IPs start here.
# Note: iptables evaluates rules top-down, so a port that already has an unconditional
# ACCEPT above never reaches its "-j whitelist" rule; delete the ACCEPT line of any
# port that is supposed to be whitelist-only. (iptables-restore only accepts "#" comments.)

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j whitelist

# Intended to allow only 100 packets per second, as a guard against DDoS attacks.
# Note: the unconditional "-p icmp -j ACCEPT" rule above matches first, so these two
# limit rules are never reached unless that line is removed.
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT

# Ports opened for whitelisted IPs end here
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

1.3 Apply the firewall rules

(base) root@master:~# iptables-restore < /etc/iptables.rules

1.4 Persist the iptables rules

Create the file /etc/network/if-post-down.d/iptables and add the following content:

(base) root@master:~# vi /etc/network/if-post-down.d/iptables

The iptables file contains:

#!/bin/bash
iptables-save > /etc/iptables.rules

Make it executable

(base) root@master:/etc/network/if-post-down.d# chmod +x /etc/network/if-post-down.d/iptables

Create the file /etc/network/if-pre-up.d/iptables and add the following content

(base) root@master:~# vi /etc/network/if-pre-up.d/iptables

The iptables file contains:

#!/bin/bash
iptables-restore < /etc/iptables.rules

Make it executable

(base) root@master:/etc/network/if-pre-up.d# chmod +x /etc/network/if-pre-up.d/iptables

Note that the if-post-down script saves whatever rules are live at that moment, so a rule added by hand with iptables for a quick test will also be written into /etc/iptables.rules unless you remove it first.

1.5 Check that the iptables rules are in effect

(base) root@master:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 10
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 100
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain whitelist (6 references)
target     prot opt source               destination         
ACCEPT     all  --  xx.xx.xx.xx       0.0.0.0/0           
ACCEPT     all  --  xx.xx.xx.xx        0.0.0.0/0   

To change the rules again later, run the following commands

vi /etc/iptables.rules  # edit the rules
iptables-restore < /etc/iptables.rules # apply the edited rules
iptables -L -n  # check that the rules are in effect
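Putting sections 1.2 to 1.5 together, here is an added shell example (not from the original post) that generates the rules file so that the whitelist chain actually gates the whitelist-only ports instead of being shadowed by earlier unconditional ACCEPT rules; the port lists and the 10.0.0.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: generate an iptables-restore
# file in which the whitelist chain really gates the whitelist-only ports.
# iptables evaluates rules top-down, so an unconditional ACCEPT for a port
# placed before its "-j whitelist" jump makes the whitelist irrelevant; this
# generator emits such an ACCEPT only for the public ports. All port numbers
# and addresses below are constructed sample values.

# gen_rules "<public ports>" "<whitelist-only ports>" "<whitelist IPs/CIDRs>"
gen_rules() {
    public="$1"; internal="$2"; allowed="$3"
    for ip in $allowed; do   # crude sanity check: digits, dots and '/' only
        case "$ip" in *[!0-9./]*) echo "bad address: $ip" >&2; return 1 ;; esac
    done
    for p in $public $internal; do
        case "$p" in *[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':whitelist - [0:0]'
    for ip in $allowed; do
        printf '%s\n' "-A whitelist -s $ip -j ACCEPT"
    done
    # a source that is not whitelisted returns to INPUT and hits the final REJECT
    printf '%s\n' '-A whitelist -j RETURN'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # rate-limited ICMP: packets over the limit fall through to the final
    # REJECT, which is what makes the limit bite
    printf '%s\n' '-A INPUT -p icmp -m limit --limit 10/s --limit-burst 20 -j ACCEPT'
    for p in $public; do
        printf '%s\n' "-A INPUT -p tcp -m conntrack --ctstate NEW --dport $p -j ACCEPT"
    done
    for p in $internal; do
        printf '%s\n' "-A INPUT -p tcp -m conntrack --ctstate NEW --dport $p -j whitelist"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Stand-alone use: sh gen_rules.sh > /etc/iptables.rules, then load it with
# iptables-restore < /etc/iptables.rules as in section 1.3. Keep 22 in the
# public list (or put your own address in the whitelist) before applying.
gen_rules "22 80 443" "3306 2181 9092" "10.0.0.11 10.0.0.12/32"
```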

2 Setting up a firewall whitelist with ufw

Ubuntu 16.04 ships with UFW (Uncomplicated Firewall), a simple firewall front end; it is inactive by default.

2.1 List all application profiles

(base) root@master:~# sudo ufw app list 
Available applications:
    OpenSSH

2.2 Allow SSH connections

This step is critical: if you are logged in to the server remotely, you must add the rule allowing SSH before enabling ufw; otherwise, once ufw is enabled, SSH will no longer be able to connect.

(base) root@master:~# sudo ufw allow ssh
Rules updated
Rules updated (v6)

If SSH listens on a custom port, run the following command instead

sudo ufw allow PORT/tcp

2.3 Enable ufw

(base) root@master:~# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

2.4 Allow common ports

(base) root@master:~# sudo ufw allow http  # allow HTTP connections
Rule added
Rule added (v6)

2.5 Allow a port range

sudo ufw allow xxxx:yyyy/tcp # open TCP ports xxxx through yyyy on the server

2.6 Allow a specific IP

(base) root@master:~# sudo ufw allow from XX.XX.XX.XX # allow XX.XX.XX.XX to reach all ports
Rule added

2.7 Allow a subnet

sudo ufw allow from xx.xx.xx.xx/16 to any port 3306 # allow hosts in a specific subnet to reach the MySQL port 3306 on the server

2.8 Deny access

sudo ufw deny from xx.xx.xx.xx to any port 80  # deny xx.xx.xx.xx access to port 80

2.9 Delete ufw firewall rules

(base) root@master:~# sudo ufw status numbered # list the rules with their numbers
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 80/tcp                     ALLOW IN    Anywhere                  
[ 3] 3306/tcp                   ALLOW IN    Anywhere                  
[ 4] 2181/tcp                   ALLOW IN    Anywhere                  
[ 5] 9002/tcp                   ALLOW IN    Anywhere                  
[ 6] 9092/tcp                   ALLOW IN    Anywhere

To delete the rule for port 80:

sudo ufw delete 2 # method 1: delete by rule number

sudo ufw delete allow 80 # method 2: delete by specifying the port directly

2.10 Disable ufw

sudo ufw disable

2.11 Reset ufw

sudo ufw reset
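An added audit script (not part of the original post) that reads the listing printed by sudo ufw status numbered and flags ALLOW rules that expose whitelist-only ports to Anywhere, so they can be removed with the delete commands above and replaced by "from <ip>" rules as in 2.6 and 2.7; the embedded listing is a constructed sample modelled on the one in 2.9, and the list of internal-only ports is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the listing printed by
# "sudo ufw status numbered" and report ALLOW rules that expose ports meant to
# be whitelist-only to "Anywhere". The port list and the sample listing are
# constructed (the listing mirrors the one in section 2.9).

INTERNAL_PORTS="3306 2181 9092"   # assumption: only whitelisted hosts may reach these

# audit_ufw_status: reads the status listing on stdin and prints one line per
# over-broad rule as "<rule number> <port/proto>"; exit status 1 if any found.
audit_ufw_status() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN { n = split(ports, p); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # rule lines look like: [ 3] 3306/tcp   ALLOW IN   Anywhere
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f)                 # f[1]=To f[2]=Action f[3]=Dir f[4]=From
            port = f[1]; sub(/\/.*/, "", port)
            if (f[2] == "ALLOW" && f[3] == "IN" && f[4] == "Anywhere" && (port in want)) {
                print num " " f[1]; found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# count_exposed: number of over-broad rules in the listing passed as $1
count_exposed() {
    printf '%s\n' "$1" | audit_ufw_status | wc -l | tr -d ' '
}

# Constructed sample listing; rules 3 and 5 are the ones a whitelist should not have.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 2181/tcp                   ALLOW IN    10.0.0.0/16
[ 5] 9092/tcp                   ALLOW IN    Anywhere'

# Stand-alone run against the sample. Each reported rule number can be removed
# with "sudo ufw delete <number>" and replaced by a "sudo ufw allow from <ip> to any port <port>" rule.
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status \
    || echo "whitelist-only ports are open to Anywhere; see rule numbers above" >&2
```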