Ubuntu 16.04 设置防火墙白名单

为了确保服务器安全性,正确配置防火墙十分关键。Ubuntu服务器设置防火墙白名单可以使用iptablesufwiptables没有直接的操作命令,需要配置多个文件,ufw可以用于管理iptables规则,相对于iptables简单易执行。

1 iptables设置防火墙白名单

1.1 检查是否安装iptables

(base) root@master:~# whereis iptables  #查看系统是否安装防火墙
iptables: /sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz

(base) root@master:~# apt-get install iptables #若未安装 执行安装命令

(base) root@master:~# iptables -L  #查看防火墙信息
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
    

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

1.2 添加iptables规则

(base) root@master:~# vi /etc/iptables.rules
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#这里开始增加白名单服务器ip(请删除当前服务器的ip地址)
-N whitelist
-A whitelist -s xx.xx.xx.xx -j ACCEPT   
-A whitelist -s xx.xx.xx.xx -j ACCEPT

#这里结束白名单服务器ip

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j ACCEPT

//下面这些 whitelist 端口号,仅限服务器之间通过内网访问
#这里添加为白名单ip开放的端口

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j whitelist

#作用是每秒钟只允许 100 个数据包,用来防止 DDoS 攻击
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT

#这结束为白名单ip开放的端口
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

1.3 使防火墙规则生效

(base) root@master:~# iptables-restore < /etc/iptables.rules

1.4 添加iptables

创建 /etc/network/if-post-down.d/iptables 文件,并添加如下内容:

(base) root@master:~# vi /etc/network/if-post-down.d/iptables

iptables文件内容如下:

#!/bin/bash
iptables-save > /etc/iptables.rules

添加可执行权限

(base) root@master:/etc/network/if-post-down.d# chmod +x /etc/network/if-post-down.d/iptables

创建 /etc/network/if-pre-up.d/iptables 文件,添加如下内容

(base) root@master:~# vi /etc/network/if-pre-up.d/iptables

iptables文件内容如下:

#!/bin/bash
iptables-restore < /etc/iptables.rules

添加执行权限

(base) root@master:/etc/network/if-pre-up.d# chmod +x /etc/network/if-pre-up.d/iptables

1.5 查看iptables规则是否生效

(base) root@master:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 10
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 100
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain whitelist (6 references)
target     prot opt source               destination         
ACCEPT     all  --  xx.xx.xx.xx       0.0.0.0/0           
ACCEPT     all  --  xx.xx.xx.xx        0.0.0.0/0   

如果再次修改,则执行以下命令

vi /etc/iptables.rules  #修改规则
iptables-restore < /etc/iptables.rules #使修改后的规则生效
iptables -L -n  #查看规则是否生效

2 ufw设置防火墙白名单

Ubuntu 16.04自带UFW(Uncomplicated Firewall)简单防火墙工具,默认状态是inactive。

2.1 列出所有应用程序配置策略

(base) root@master:~# sudo ufw app list 
Available applications:
    OpenSSH

2.2 允许SSH连接

这一步设置非常重要,如果你是远程登录服务器,##开启ufw防火墙前,必须先添加允许SSH连接##,否则,ufw开启后SSH无法连接。

(base) root@master:~# sudo ufw allow ssh
Rules updated
Rules updated (v6)

如果SSH是自定义端口,则执行下列命令

sudo ufw allow 端口号/tcp

2.3 开启ufw

(base) root@master:~# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

2.4 允许常见端口连接

(base) root@master:~# sudo ufw allow http  #允许 HTTP 连接
Rule added
Rule added (v6)

2.5 允许端口范围

sudo ufw allow xxxx:yyyy/tcp #开启服务器上xxxx——yyyy的TCP端口

2.6 允许特定IP

(base) root@master:~# sudo ufw allow from XX.XX.XX.XX #允许XX.XX.XX.XX访问所有端口
Rule added

2.7允许子网

sudo ufw allow from xx.xx.xx.xx/16 to any port 3306 #允许特定子网范围的计算机对服务器mysql3306端口的访问

2.8 拒绝访问

sudo ufw deny from xx.xx.xx.xx to any port 80  #拒绝xx.xx.xx.xx访问80端口

2.9 删除ufw防火墙设置

(base) root@master:~# sudo ufw status numbered #列出规则编号
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 80/tcp                     ALLOW IN    Anywhere                  
[ 3] 3306/tcp                   ALLOW IN    Anywhere                  
[ 4] 2181/tcp                   ALLOW IN    Anywhere                  
[ 5] 9002/tcp                   ALLOW IN    Anywhere                  
[ 6] 9092/tcp                   ALLOW IN    Anywhere

如果删除80端口

sudo ufw delete 2 #方法1使用规则编号删除

sudo ufw delete allow 80 #方法2指定端口号直接删除

2.10 禁用ufw

sudo ufw disable

2.11 重置ufw

sudo ufw reset
posted @ 2019-12-17 21:13  Christine_7  阅读(7582)  评论(0编辑  收藏  举报