Ubuntu 16.04 iptables setup

I recently switched to Ubuntu 16.04 LTS. After setting up my firewall rules I found that the iptables service was not available, so I tinkered with it for a while and got things basically where I wanted them.

Preparation
Check the system version

lsb_release -a

The output is as follows:

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Firewall script

cat fhq.sh

#! /usr/bin/env bash
## flush iptables rules
iptables -F
iptables -X
iptables -Z
## default policies: drop inbound, allow outbound and forwarded traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# allow local (loopback) traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#---------------------------------------------------------------SMG start
# limit: cap concurrent HTTP connections per source address (disabled)
#iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 128 --connlimit-mask 32 -j DROP
# let replies to connections this host initiated back in (stateful)
iptables -A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
# nginx HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
## OPENSSH PORT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# ACCEPT PORT (copy these lines to open further ports)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
## dns
# note: these match on the remote source port only, which any sender can set;
# DNS replies are already admitted by the RELATED,ESTABLISHED rule above
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
## for ping:
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
### end ###
# remaining TCP gets an explicit reset; everything else falls to the DROP policy
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

To open other ports, just write rules modelled on the ACCEPT PORT ones.
Give the firewall script execute permission

chmod +x fhq.sh

Add it to the boot script (add the firewall script before exit 0)
Check the permissions on rc.local; if it does not have execute permission, add it (PS: the actual location of rc.local is /etc/rc.d/rc.local)

ls -l /etc/rc.d/rc.local
sudo chmod +x /etc/rc.d/rc.local

nano /etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
## user boot script start
/home/minghu/fhq.sh >/dev/null 2>&1
exit 0

Reboot the system and check the firewall state

sudo iptables -nL

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 127.0.0.1 127.0.0.1
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Done. Now the iptables service can be set up.

Setting up the iptables service
First save the firewall rules

sudo iptables-save >/etc/iptables.rules

But nothing had been saved in /etc/iptables.rules, so I had to add the content by hand.
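The following shell script is an added example, not part of the original post, and covers three things a practitioner would want at this stage: saving the live ruleset so that the write runs with root privileges (with a plain `sudo iptables-save >FILE` it is the unprivileged shell, not sudo, that opens FILE, which is a common reason for an empty or missing rules file), an offline sanity check of the saved file before it is trusted at boot, and an audit that flags INPUT rules like the `--sport 53` ones in fhq.sh above, which accept traffic on the remote side's freely chosen source port alone while the RELATED,ESTABLISHED rule already admits real DNS replies. The function names, the audit heuristics and the sample rules used in the usage section are my own assumptions for this example; only `iptables-save`, `iptables-restore --test` and the path /etc/iptables.rules come from the post or the iptables package.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): save the live iptables ruleset
# with root privileges, sanity-check the saved file, and flag rules that
# accept on source port alone. Function names and heuristics are assumptions
# made for this example; the file path is the one the post uses.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Save the running ruleset. With `sudo iptables-save >FILE` the shell, not
# sudo, opens FILE, so the write fails or leaves an empty file; piping into
# `sudo tee` performs the write as root. Then ask iptables-restore to parse
# the file without applying it (this part needs root and the iptables tools).
save_rules() {
    local dest="$1"
    sudo iptables-save | sudo tee "$dest" >/dev/null || return 1
    sudo iptables-restore --test "$dest"
}

# Offline sanity check on a saved file: it must be non-empty, contain at
# least one table header (*filter, *nat, ...) and close every table with
# COMMIT. Needs no privileges, so it can run anywhere.
check_rules_file() {
    local file="$1" tables commits
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT$' "$file" || true)
    [ "$tables" -gt 0 ] || { echo "no table header in $file" >&2; return 1; }
    [ "$tables" -eq "$commits" ] || {
        echo "$tables table(s) but $commits COMMIT line(s) in $file" >&2; return 1; }
    return 0
}

# Flag INPUT rules that accept solely on a source port. The remote side
# chooses its own source port, so "--sport 53 -j ACCEPT" admits any packet
# that claims to come from port 53, to any local port. Rules that also
# match connection state are left alone.
audit_rules() {
    local file="$1" hits
    hits=$(grep -E '^-A INPUT .*--sport [0-9]+ .*-j ACCEPT' "$file" | grep -v -- '--state' || true)
    if [ -n "$hits" ]; then
        printf 'source-port-only ACCEPT rule(s) in %s:\n%s\n' "$file" "$hits" >&2
        return 1
    fi
    return 0
}

# List the tcp/udp destination ports the saved file opens on INPUT, for a
# quick comparison with what `iptables -nL` shows after a reboot.
list_open_ports() {
    grep -E '^-A INPUT .*-p (tcp|udp) .*--dport [0-9]+ -j ACCEPT' "$1" \
        | sed -E 's#.*-p (tcp|udp) .*--dport ([0-9]+).*#\1/\2#'
}

case "${1:-}" in
    save)  save_rules "$RULES_FILE" && check_rules_file "$RULES_FILE" \
               && audit_rules "$RULES_FILE" && list_open_ports "$RULES_FILE" ;;
    check) check_rules_file "$2" && audit_rules "$2" && list_open_ports "$2" ;;
esac
```

Run it as `./save-and-check.sh save` on the firewall host to write and verify /etc/iptables.rules, or `./save-and-check.sh check some.rules` to inspect any saved file. `check_rules_file` and `audit_rules` need no privileges, so they can also run before a rules file is rolled out from configuration management; `save_rules` is the only part that touches the live firewall.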

# Generated by iptables-save v1.6.0 on Wed Sep 27 10:10:30 2017
*filter
:INPUT DROP [7:1113]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36389:6267310]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 24343 -j ACCEPT
-A INPUT -p udp -m udp --dport 24343 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p udp -m udp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -s 172.16.1.0/24 -j ACCEPT
COMMIT
# Completed on Wed Sep 27 10:10:30 2017
# Generated by iptables-save v1.6.0 on Wed Sep 27 10:10:30 2017
*nat
:PREROUTING ACCEPT [152:7945]
:INPUT ACCEPT [52:2912]
:OUTPUT ACCEPT [3105:192534]
:POSTROUTING ACCEPT [3198:196254]
-A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 27 10:10:30 2017

Have iptables load the firewall rules file at boot

sudo nano /etc/network/if-pre-up.d/iptables

#!/usr/bin/env bash
iptables-restore </etc/iptables.rules

Add execute permission

sudo chmod +x /etc/network/if-pre-up.d/iptables

Remove the firewall script from the boot script and reboot to test

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 127.0.0.1 127.0.0.1
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The open ports are the same, so the intended effect is achieved.
PS: actually the first step, setting up the firewall script and adding it to rc.local, also brings the firewall up at boot with the same effect, but I just like tinkering. This is also meant to offer one more way of going about it.