Я написал сценарий для защиты моей машины:
#!/bin/bash
ssh=1.1.1.1
http='1.1.1.1 2.2.2.2'
# Clear any previous rules.
iptables -F
# Default drop policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -N SSH_CHECK
iptables -N HTTP_CHECK
iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
iptables -A INPUT -p tcp --dport 80 -j HTTP_CHECK
iptables -A INPUT -p tcp --dport 443 -j HTTP_CHECK
iptables -A SSH_CHECK -s $ssh -j ACCEPT -m comment --comment "Allowing $ssh to ssh from his IP"
for web in $http; do
iptables -A HTTP_CHECK -s $web -j ACCEPT -m comment --comment "Allowing $web to visit my HTTP/S server"
done
#Allowing http[s] from inside to outside
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED -j ACCEPT
#Allow ssh from inside to outside
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#Allow working on localhost
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Результат iptables -L -v
:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SSH_CHECK tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 HTTP_CHECK tcp -- any any anywhere anywhere tcp dpt:http
0 0 HTTP_CHECK tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- eth0 any anywhere anywhere multiport sports http,https state ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp spt:ssh state ESTABLISHED
0 0 ACCEPT all -- lo any localhost localhost
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any eth0 anywhere anywhere multiport dports http,https state NEW,ESTABLISHED
0 0 ACCEPT tcp -- any eth0 anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
0 0 ACCEPT all -- any lo localhost localhost
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
Chain HTTP_CHECK (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 1.1.1.1 anywhere /* Allowing 1.1.1.1 to visit my HTTP/S server */
0 0 ACCEPT all -- any any 2.2.2.2 anywhere /* Allowing 2.2.2.2 to visit my HTTP/S server */
Chain SSH_CHECK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 1.1.1.1 anywhere /* Allowing 1.1.1.1 to ssh from his IP */
1) Я хочу открывать веб-сайты с этим политика, но не могу. Почему? как я могу это исправить? 2) Что это за правила, когда я раскомментирую их в своем сценарии?
#iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP