Correctly configuring the firewall is key to keeping a server secure. On an Ubuntu server a firewall whitelist can be set up with either iptables or ufw. iptables is the low-level interface: rules are added with the iptables command, but they are not persistent, so you also need a rules file and a hook that reloads it at boot. ufw (Uncomplicated Firewall) is a front end that manages iptables rules for you and is considerably simpler to operate.
1 Setting up a firewall whitelist with iptables
1.1 Check whether iptables is installed
(base) root@master:~# whereis iptables   # check whether the firewall tool is installed
iptables: /sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
(base) root@master:~# apt-get install iptables   # install it if it is missing
(base) root@master:~# iptables -L   # list the current rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Empty chains with a policy of ACCEPT on INPUT mean nothing is filtered yet: every listening port is reachable from anywhere. A FORWARD policy of DROP, as on this host, is not the Ubuntu default; it is usually a sign that other software (typically a container runtime such as Docker) is already managing rules, which matters when the table is replaced in 1.3.
1.2 Add the iptables rules
Rules in a chain are evaluated from top to bottom and the first matching rule decides the packet's fate, so the order in the file matters: a rule that accepts a port from any source placed before the whitelist jump for that same port would make the whitelist unreachable and leave the port open to the whole internet. The file below therefore accepts the public ports (22, 80, 443) globally and sends the internal ports (3306, 2181, 9092) only to the whitelist chain, with no global ACCEPT for them. If administrators always connect from known addresses, port 22 can be moved to the whitelisted group as well; verify that from a second session before relying on it.
(base) root@master:~# vi /etc/iptables.rules
# iptables rules in iptables-save format; load them with iptables-restore
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Whitelist chain: one entry per trusted server (list the peer servers, not this host's own address)
-N whitelist
-A whitelist -s xx.xx.xx.xx -j ACCEPT
-A whitelist -s xx.xx.xx.xx -j ACCEPT
# A packet that matches none of the entries returns to INPUT and ends at the final REJECT
# End of whitelisted server IPs
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMP: accept at most 100 packets per second (burst 100) and silently drop the rest.
# This only bounds how much ping traffic the host processes (e.g. a ping flood); it cannot
# stop a volumetric DDoS, which saturates the link before packets ever reach these rules.
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -j DROP
# Ports open to every source
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Ports reachable only from whitelisted servers over the internal network
# (MySQL, ZooKeeper, Kafka). There must be no global ACCEPT for these ports above this line.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2181 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j whitelist
# End of ports opened for whitelisted IPs
# Everything else is rejected
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
1.3 Activate the firewall rules
(base) root@master:~# iptables-restore < /etc/iptables.rules
iptables-restore replaces the whole filter table with the contents of the file: every rule that was there before, including any added by other software such as Docker, is discarded. Save a copy with iptables-save before loading, and load from a session you can afford to lose, or with an automatic rollback. These rules are IPv4 only; if the host has a public IPv6 address the same ports remain reachable over IPv6 until ip6tables is given an equivalent ruleset (ip6tables-restore).
1.4 Make the rules survive a reboot
The ifupdown hooks below save the rules when an interface goes down and reload them before it comes up. They only run where networking is managed by ifupdown (/etc/network/interfaces, the default on Ubuntu 16.04); on releases that use netplan they never fire, and the iptables-persistent package (which loads /etc/iptables/rules.v4 and rules.v6 at boot through netfilter-persistent) is the usual replacement.
Create /etc/network/if-post-down.d/iptables with the following content:
(base) root@master:~# vi /etc/network/if-post-down.d/iptables
Contents of the file:
#!/bin/bash
iptables-save > /etc/iptables.rules
Note that this hook overwrites /etc/iptables.rules with whatever is loaded in the kernel at that moment, including rules added by hand or by other software. If the hand-edited file is meant to be the single source of truth, leave this hook out and keep only the pre-up one.
Make it executable:
(base) root@master:/etc/network/if-post-down.d# chmod +x /etc/network/if-post-down.d/iptables
Create /etc/network/if-pre-up.d/iptables with the following content:
(base) root@master:~# vi /etc/network/if-pre-up.d/iptables
Contents of the file:
#!/bin/bash
iptables-restore < /etc/iptables.rules
Make it executable:
(base) root@master:/etc/network/if-pre-up.d# chmod +x /etc/network/if-pre-up.d/iptables
1.5 Check that the iptables rules are in effect
(base) root@master:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 100
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2181
whitelist  tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9092
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain whitelist (3 references)
target     prot opt source               destination
ACCEPT     all  --  xx.xx.xx.xx          0.0.0.0/0
ACCEPT     all  --  xx.xx.xx.xx          0.0.0.0/0
The second ACCEPT in INPUT is the loopback rule; -L -n does not show interfaces, so add -v to see the in/out interface and the packet counters. Each internal port appears once, pointing at the whitelist chain, with no global ACCEPT for it higher in the list; if one did appear, the whitelist line below it would never be reached.
To change the rules later, edit the file and reload it:
vi /etc/iptables.rules                    # edit the rules
iptables-restore < /etc/iptables.rules    # load the modified rules
iptables -L -n                            # confirm they are in effect
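Two checks a practitioner would want around the procedure in 1.2 and 1.3, written here as an added example (not code from the original page): a scan of an iptables-restore file for whitelist jumps that an earlier catch-all ACCEPT makes unreachable, and a loader that restores the previous ruleset automatically unless the operator confirms within a grace period, so a bad rule cannot lock you out of SSH. It assumes the chain is called whitelist, that rules use one --dport each, and that the file is in the iptables-save format shown above; the sample ruleset and the 10.0.0.11 address in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers for the iptables procedure:
#  - shadowed_whitelist_ports: list every --dport that is sent to the "whitelist"
#    chain but is already accepted for any source by an earlier INPUT rule
#    (the whitelist is then dead code and the port is open to everyone).
#  - apply_with_rollback: load a rules file and automatically restore the
#    previous ruleset after a grace period unless the operator confirms.
# Assumptions: chain named "whitelist", one --dport per rule, iptables-save format.

# Print shadowed ports, space separated (empty output if none).
shadowed_whitelist_ports() {
    awk '
        /^-A INPUT / && /--dport/ {
            port = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
            if (port == "") next
            # A rule without -s applies to every source address.
            if (/-j ACCEPT/ && !/ -s /) open[port] = 1
            else if (/-j whitelist/ && (port in open)) print port
        }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Exit status 1 (with a message on stderr) if any whitelist jump is unreachable.
check_shadowed_whitelist() {
    shadowed=$(shadowed_whitelist_ports "$1")
    if [ -n "$shadowed" ]; then
        echo "whitelist jump is unreachable for port(s): $shadowed" >&2
        return 1
    fi
    return 0
}

# Usage: apply_with_rollback /etc/iptables.rules [grace_seconds]
# Run it from the SSH session you want to protect (requires root).
apply_with_rollback() {
    rules_file="$1"
    grace="${2:-60}"
    check_shadowed_whitelist "$rules_file" || return 1
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    iptables-save > "$backup"
    # Start the watchdog before loading: if the new rules kill this session,
    # the background subshell still restores the backup when the timer expires.
    ( sleep "$grace"; iptables-restore < "$backup"; echo "rolled back to $backup" >&2 ) &
    watchdog=$!
    iptables-restore < "$rules_file"
    printf 'New rules loaded. Press Enter within %ss to keep them: ' "$grace"
    if read -r _; then
        kill "$watchdog" 2>/dev/null
        echo "kept new rules (previous ruleset saved in $backup)"
    fi
}

# Constructed sample with the defect of the original file: a global ACCEPT for
# port 3306 precedes the whitelist jump for the same port. 10.0.0.11 is a placeholder.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 10.0.0.11 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j whitelist
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9092 -j whitelist
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

case "${1:-}" in
    demo)  f=$(mktemp); printf '%s\n' "$SAMPLE_RULES" > "$f"
           check_shadowed_whitelist "$f" || true; rm -f "$f" ;;
    check) check_shadowed_whitelist "$2" ;;
    apply) apply_with_rollback "$2" "${3:-60}" ;;
esac
```

"sh script.sh demo" reports that port 3306 is shadowed in the sample; "sh script.sh check /etc/iptables.rules" runs the same scan on a real file, and "sh script.sh apply /etc/iptables.rules 60" loads it with a 60 second rollback window. The watchdog is started before iptables-restore on purpose: if the new rules cut the session, the shell that started it may die, but the detached subshell still runs and puts the old rules back.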
2 Setting up a firewall whitelist with ufw
Ubuntu 16.04 ships with UFW (Uncomplicated Firewall), a simple front end to iptables. It is inactive by default.
2.1 List the application profiles
(base) root@master:~# sudo ufw app list
Available applications:
  OpenSSH
2.2 Allow SSH connections
This step is essential. If you are logged in remotely, you must allow SSH before enabling ufw; otherwise, once ufw is active its default policy of denying incoming traffic cuts off the SSH session.
(base) root@master:~# sudo ufw allow ssh
Rules updated
Rules updated (v6)
The "(v6)" line shows that ufw also creates the IPv6 counterpart of each rule, unlike the IPv4-only iptables rules in section 1.
If SSH listens on a custom port, allow that port instead:
sudo ufw allow PORT/tcp
2.3 Enable ufw
(base) root@master:~# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
ufw's default policy denies all incoming traffic and allows all outgoing traffic, so from this point on only the ports you explicitly allow are reachable.
2.4 Allow common ports
(base) root@master:~# sudo ufw allow http   # allow HTTP connections (port 80/tcp)
Rule added
Rule added (v6)
2.5 Allow a port range
sudo ufw allow xxxx:yyyy/tcp   # open TCP ports xxxx through yyyy on the server
2.6 Allow a specific IP
(base) root@master:~# sudo ufw allow from XX.XX.XX.XX   # allow XX.XX.XX.XX to reach every port
Rule added
This is the ufw counterpart of the whitelist chain in section 1, but broader: it opens all ports to that host. To limit a trusted host to particular ports, use the "to any port" form shown in 2.7.
2.7 Allow a subnet
sudo ufw allow from xx.xx.xx.xx/16 to any port 3306   # allow hosts in the /16 subnet to reach the MySQL port 3306
2.8 Deny access
sudo ufw deny from xx.xx.xx.xx to any port 80   # deny xx.xx.xx.xx access to port 80
ufw evaluates rules in the order they were added and the first match wins, so a deny appended after an existing allow for port 80 (section 2.4) never matches traffic from that address. Place the deny ahead of the allow instead:
sudo ufw insert 1 deny from xx.xx.xx.xx to any port 80
2.9 Delete ufw rules
(base) root@master:~# sudo ufw status numbered   # list the rules with their numbers
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 2181/tcp                   ALLOW IN    Anywhere
[ 5] 9002/tcp                   ALLOW IN    Anywhere
[ 6] 9092/tcp                   ALLOW IN    Anywhere
To delete the rule for port 80:
sudo ufw delete 2               # method 1: delete by rule number
sudo ufw delete allow 80/tcp    # method 2: repeat the rule specification exactly as it is listed
Rule numbers shift after every deletion, so run ufw status numbered again before deleting another rule by number.
2.10 Disable ufw
sudo ufw disable
2.11 Reset ufw
sudo ufw reset   # disables ufw and removes every rule; the previous rule files are backed up under /etc/ufw with a timestamp suffix
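The steps in 2.2 through 2.8 combined into one script that reproduces the whitelist policy of section 1 with ufw, as an added example that is not part of the original page: SSH and the web ports are public, while 3306, 2181 and 9092 are reachable only from the peer servers. The peer addresses 10.0.0.11 and 10.0.0.12 are placeholders, the UFW variable is a hook for dry runs, and --force enable is used so the script does not stop at the interactive prompt shown in 2.3.

```shell
#!/bin/sh
# Added example, not from the original page: the section 1 whitelist policy
# expressed as ufw commands. Assumptions: SSH on 22, public ports 80/443,
# internal ports 3306/2181/9092 limited to the peers in PEERS (placeholders).
PEERS="${PEERS:-10.0.0.11 10.0.0.12}"
PUBLIC_PORTS="${PUBLIC_PORTS:-80 443}"
INTERNAL_PORTS="${INTERNAL_PORTS:-3306 2181 9092}"
SSH_PORT="${SSH_PORT:-22}"
UFW="${UFW:-ufw}"   # set UFW=echo for a dry run that only prints the commands

# Emit the ufw arguments for the policy, one command per line, without running them.
ufw_whitelist_plan() {
    # Default posture: drop everything inbound, allow everything outbound.
    echo "default deny incoming"
    echo "default allow outgoing"
    # SSH first, so enabling the firewall cannot cut off the current session.
    echo "allow ${SSH_PORT}/tcp"
    for p in $PUBLIC_PORTS; do
        echo "allow ${p}/tcp"
    done
    # Internal services: one rule per (peer, port). Because there is no
    # "allow PORT" for these ports, nobody outside PEERS can reach them.
    for peer in $PEERS; do
        for p in $INTERNAL_PORTS; do
            echo "allow from ${peer} to any port ${p} proto tcp"
        done
    done
}

# Run the plan, then enable ufw non-interactively and show the result.
ufw_whitelist_apply() {
    ufw_whitelist_plan | while read -r line; do
        # Word splitting of $line is intended: each word is one ufw argument.
        "$UFW" $line
    done
    "$UFW" --force enable
    "$UFW" status verbose
}

case "${1:-}" in
    plan)  ufw_whitelist_plan ;;
    apply) ufw_whitelist_apply ;;
esac
```

"sh script.sh plan" prints the commands so they can be reviewed; "UFW=echo sh script.sh apply" shows exactly what would be executed, and "sudo sh script.sh apply" applies it. The deny-by-default line is what makes the whitelist hold: with ufw, a port that has no allow rule is closed, so restricting 3306 to the peers is simply a matter of never adding a broader allow for it.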
