1. Ubuntu: the configuration is fairly simple
Create the file /etc/iptables.up.rules with the following contents:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:788]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 161 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log denied packets (written to /var/log/syslog); the comment must sit on its own line, iptables-restore rejects a trailing comment on a rule line
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
Load the configuration:
iptables-restore < /etc/iptables.up.rules
Make it load at boot: in /etc/network/interfaces, add this line under the iface stanza of the interface:
pre-up iptables-restore < /etc/iptables.up.rules
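Because iptables-restore rejects the whole file when a single line is bad (a trailing "# comment" on a rule line is the classic mistake), it pays to lint and dry-run the file before loading it. The script below is an added example, not code from the original post; the function names and the file-path argument are its own choices.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an iptables-restore
# rules file before loading it. iptables-restore rejects the whole file on a
# single bad line, so catching the usual mistakes first (no "*filter" header,
# no "COMMIT", a trailing "# comment" on a rule line) avoids loading nothing.
# The function names and the file path argument are this example's own choices.

lint_rules_file() {
    f="$1"
    status=0
    # Every table block must open with a header such as "*filter".
    if ! grep -q '^\*[a-z]*$' "$f"; then
        echo "ERROR: $f: no table header line (e.g. *filter)" >&2
        status=1
    fi
    # ...and be closed by a COMMIT line, or nothing is applied.
    if ! grep -q '^COMMIT$' "$f"; then
        echo "ERROR: $f: missing COMMIT line" >&2
        status=1
    fi
    # Comments are only legal on a line of their own. "rule ... # text" makes
    # iptables-restore fail with "Bad argument `#'". This is a heuristic: it
    # also flags a '#' inside a quoted --log-prefix or --comment string.
    if grep -n '^-A .*#' "$f" >&2; then
        echo "ERROR: $f: trailing comment on a rule line; move it to its own '#' line" >&2
        status=1
    fi
    return "$status"
}

# Validate, dry-run, then load: --test parses the file without touching the
# kernel, so a typo never leaves the host with a half-applied rule set.
apply_rules_file() {
    lint_rules_file "$1" || return 1
    iptables-restore --test < "$1" || return 1
    iptables-restore < "$1"
}

# Usage: sh lint_rules.sh /etc/iptables.up.rules   (lint only; run apply_rules_file as root)
if [ "$#" -eq 1 ]; then
    lint_rules_file "$1"
fi
```

Run the lint on /etc/iptables.up.rules (or /etc/sysconfig/iptables on CentOS) before every reload; apply_rules_file then does the same check, a parse-only dry run, and only then the real load.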
2. CentOS configuration
On CentOS, to get the firewall's denied-packet messages into a log file, first edit the rsyslog configuration:
# vim /etc/rsyslog.conf
...
kern.debug /var/log/firewall.log
...
# service rsyslog restart
For a tidier setup, also configure log rotation:
vim /etc/logrotate.d/syslog
Add /var/log/firewall.log to the list of files:
# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
/var/log/firewall.log
{
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
Finally, add the firewall rules:
vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1320:136890]
:LOGGING - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 161 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
Load the rules:
/etc/init.d/iptables reload
Check the rules:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:5666
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:161
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:6379
ACCEPT tcp -- 192.168.10.0/24 0.0.0.0/0 tcp dpt:6379
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 192.168.0.0/24 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 192.168.10.0/24 0.0.0.0/0 icmp type 8
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGGING (0 references)
target prot opt source destination
Then, from another machine, telnet to a port that is not open on this host; log lines like these will appear:
# tail -f /var/log/firewall.log
Jan 22 16:09:48 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=192.168.10.68 DST=192.168.0.37 LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=54038 DF PROTO=TCP SPT=51606 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 22 16:09:49 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=192.168.10.68 DST=192.168.0.37 LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=24804 DF PROTO=TCP SPT=51606 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 22 16:09:50 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=192.168.10.68 DST=192.168.0.37 LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=32012 DF PROTO=TCP SPT=51606 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 22 16:09:58 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=192.168.10.68 DST=192.168.0.37 LEN=48 TOS=0x10 PREC=0x00 TTL=63 ID=26525 DF PROTO=TCP SPT=51606 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
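Once the LOG rule is writing these lines, the useful next step is to summarise them rather than watch tail -f. The script below is an added example, not code from the original post: it groups "iptables denied: " entries by source address, destination port and protocol so a host repeatedly hitting closed ports stands out. The log path (/var/log/firewall.log on CentOS, /var/log/syslog on Ubuntu) and the function name are the example's own; the sample lines are constructed in the same format as the kernel output above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the "iptables denied: "
# lines that the LOG rule writes, grouped by source address, destination port
# and protocol, so a host repeatedly probing closed ports stands out.
# Assumptions: the log path and the function name are this example's own; the
# sample lines below are constructed to match the kernel log format in the post.

summarize_denied() {
    # $1 = log file. Prints "SRC DPT PROTO count", most frequent first.
    grep 'iptables denied: ' "$1" |
    awk '{
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        # ICMP entries carry no DPT; record "-" so the key keeps three fields.
        if (dpt == "") dpt = "-"
        if (src != "") count[src " " dpt " " proto]++
    }
    END { for (k in count) print k, count[k] }' |
    LC_ALL=C sort -k4,4nr -k1,1
}

# Constructed sample log, in the same format as the post's tail -f output,
# plus one unrelated sshd line that the filter must ignore.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 22 16:09:48 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=192.168.10.68 DST=192.168.0.37 LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=54038 DF PROTO=TCP SPT=51606 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 22 16:09:49 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=192.168.10.68 DST=192.168.0.37 LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=24804 DF PROTO=TCP SPT=51606 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 22 16:09:50 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=192.168.10.68 DST=192.168.0.37 LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=32012 DF PROTO=TCP SPT=51606 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 22 16:10:02 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=192.168.10.68 DST=192.168.0.37 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 22 16:10:05 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=10.0.0.5 DST=192.168.0.37 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=UDP SPT=5353 DPT=8080 LEN=20
Jan 22 16:10:06 redis1 kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:7a:02:07:00:22:aa:ce:d4:05:08:00 SRC=10.0.0.5 DST=192.168.0.37 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 22 16:10:07 redis1 sshd[1234]: Accepted publickey for admin from 192.168.0.10 port 50000 ssh2
EOF

summarize_denied "$SAMPLE_LOG"
```

On a real host replace the sample with summarize_denied /var/log/firewall.log; because the LOG rule is rate-limited to 5/min, the counts are a lower bound on the packets actually dropped, not an exact tally.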