iptables restart returns: Bad argument 'restart'


My Ubuntu LTS system has been running for a few years. Yesterday a power outage forced my computer to shut down. After power was restored I booted the system and everything seemed to start normally, except iptables. Whenever I restart the system, ufw always starts, even though I have configured it not to. I prefer iptables simply because I know it, so I disable ufw and reconfigure and restart iptables via the following procedure:

sudo ufw disable

sudo ip_tables_reset.sh
sudo ip_tables_config.sh

sudo iptables restart

and verify with

sudo iptables -S

which returns:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Now the line

sudo iptables restart

returns

Bad argument 'restart'

But I have used this procedure faithfully for years. I have not installed any updates recently, as far as I know.

What has changed so that this reliable method now fails?

Reference: iptables v1.4.12

Answer 1

You mention this command

sudo iptables restart  #  wrong usage, its not a service

The set of scripts below shows how to back up, enable or disable the firewall ... first verify that you have the package installed

dpkg -l | grep iptables

One way to view the current iptables settings

sudo iptables -L -n

The canonical way to show the current iptables rules (display only, no changes)

sudo iptables-save

Looking at your rules, you are not blocking incoming traffic (your shields are down), whereas the following does block all incoming traffic except for the specified ports

*filter
:INPUT DROP [331:17104]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9727:1360720]
:GitHubWebHooks - [0:0]
-A INPUT -p tcp -m tcp --dport 9000 -j GitHubWebHooks
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A GitHubWebHooks -s 192.30.252.0/22 -j ACCEPT
-A GitHubWebHooks -j DROP
COMMIT

Note that I open up a specific IP range, 192.30.252.0/22, so I can run a server that listens for incoming traffic, so all mention of GitHubWebHooks is optional ... if you save the above into a file and then load that file as your rules you'll be good to go ... shields up

Before changing anything, let's dump the current rules into an output file

vi firewall_save_current_rules.sh

#!/usr/bin/env bash

set -o errexit  #  exit on error

#  dump current iptables rules to a timestamped file

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

# ........

curr_timestamp=$(date '+%H%M%S%N')

curr_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.current_rules

rulesdir=$( dirname "$curr_rulesfile" )

if [[ ! -d $rulesdir ]]; then
    echo about to create dir "$rulesdir"
    mkdir -p "$rulesdir"
fi

iptables-save > "${curr_rulesfile}"  # dump current iptables rules into the timestamped output file

echo curr_rulesfile "$curr_rulesfile"

Now run the above script to save the current iptables rules

sudo ./firewall_save_current_rules.sh

The code below defines a new set of rules where, by default, we block all incoming traffic except the specified parts (specifically the ssh port + the usual http and https ports)

vi firewall_shields_up.sh

#!/usr/bin/env bash

set -o errexit  #  exit on error

#  create a new set of iptables rules from an inline list - block all incoming traffic by default except what is specified

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

# ........

curr_timestamp=$(date '+%H%M%S%N')

new_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.new_rules

rulesdir=$( dirname "$new_rulesfile" )

if [[ ! -d $rulesdir ]]; then
    echo about to create dir "$rulesdir"
    mkdir -p "$rulesdir"
fi

# .....  park the list of iptables rules below into a new file (quoted EOF so the shell expands nothing inside)

cat << 'EOF' > "${new_rulesfile}"
*filter
:INPUT DROP [331:17104]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9727:1360720]
:GitHubWebHooks - [0:0]
-A INPUT -p tcp -m tcp --dport 9000 -j GitHubWebHooks
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A GitHubWebHooks -s 192.30.252.0/22 -j ACCEPT
-A GitHubWebHooks -j DROP
COMMIT
EOF

echo new_rulesfile "$new_rulesfile"

iptables-restore < "${new_rulesfile}"  #  engage the new iptables rules from the file

echo here are the new iptables settings

iptables-save

#  ... if you are running docker you will want to bounce its daemon so it re-creates its own chains
#  sudo service docker restart

Run the above script to define the new iptables rules

sudo ./firewall_shields_up.sh 

For completeness, below is a troubleshooting script which effectively disables the firewall by opening up all incoming and outgoing traffic ... run it if you want a clean slate, but then run firewall_shields_up.sh on top of it to restore a proper firewall

vi firewall_shields_down.sh

#!/usr/bin/env bash

set -o errexit  #  exit on error

#  open up all incoming and outgoing traffic ... effectively disabling the firewall

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

# ........ let's first back up the current rules into a timestamped file

curr_timestamp=$(date '+%H%M%S%N')

curr_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.current_rules_before_opening_up_all_traffic

rulesdir=$( dirname "$curr_rulesfile" )

if [[ ! -d $rulesdir ]]; then
    echo about to create dir "$rulesdir"
    mkdir -p "$rulesdir"
fi

iptables-save > "${curr_rulesfile}"  # dump current iptables rules into the timestamped output file

echo curr_rulesfile "$curr_rulesfile"

# ... now alter iptables to lower the shield: set every default policy to ACCEPT first, then flush the rules

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

# ... display the new iptables rules

echo
echo following are the new iptables rules after we opened up all incoming and outgoing traffic
echo

iptables-save
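The answer's scripts load one fixed ruleset and back up the live one. The bash script below is an added example, not code from the question or the answer, that generalizes the same procedure: it generates a DROP-by-default ruleset for any list of TCP ports, checks a dump in either `iptables-save` or `iptables -S` format for the shields-down state the answer points out, and applies a ruleset with a timed rollback, which is the safeguard a practitioner wants before loading a DROP policy over SSH. The function names, the `IPTABLES_SAVE`/`IPTABLES_RESTORE` override variables and the `<backup>.keep` confirmation convention are my own; the two embedded dumps are copies of the question's and the answer's rulesets used as constructed sample input. As the answer says, `iptables` is a rule-editing tool, not a service: the `service iptables restart` idiom belongs to Red Hat's init script, which Ubuntu does not ship, so "restarting" simply means loading the ruleset again.

```shell
#!/usr/bin/env bash
# Added example, not from the question or the answer. Assumed names: the
# functions, the IPTABLES_SAVE / IPTABLES_RESTORE override variables and the
# "<backup>.keep" confirmation-file convention are all my own choices.
set -o errexit -o nounset

# gen_rules PORT...  - print a DROP-by-default iptables-restore ruleset that
# accepts loopback, replies to established connections, ICMP and the given
# TCP ports (same shape as the answer's file, minus the webhook chain).
gen_rules() {
    local port
    for port in "$@"; do                        # validate before printing anything
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    printf -- '-A INPUT -p icmp -j ACCEPT\n'
    for port in "$@"; do
        printf -- '-A INPUT -p tcp -m tcp --dport %s -j ACCEPT\n' "$port"
    done
    printf 'COMMIT\n'
}

# check_shields < DUMP  - read iptables-save or "iptables -S" output on stdin;
# exit 0 when INPUT's default policy is DROP/REJECT, 1 when it is ACCEPT
# (the "shields down" state the answer warns about), 2 if no policy is found.
check_shields() {
    local policy
    policy=$(awk '/^:INPUT / { print $2; exit }
                  $1 == "-P" && $2 == "INPUT" { print $3; exit }')
    case "$policy" in
        DROP|REJECT) echo "shields up: INPUT policy is $policy"; return 0 ;;
        ACCEPT)      echo "shields DOWN: INPUT policy is ACCEPT"; return 1 ;;
        *)           echo "no INPUT policy found in dump" >&2; return 2 ;;
    esac
}

# accepted_tcp_ports < DUMP  - list the TCP dports the INPUT chain accepts from
# any source on any interface (rules restricted with -i or -s are skipped).
accepted_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ && !/ -i / && !/ -s / {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' |
        sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# apply_with_rollback RULESFILE [SECONDS]  - back up the live ruleset, load
# RULESFILE, and arm a background rollback: unless "<backup>.keep" exists after
# SECONDS (default 30) the backup is restored. Confirm from a *new* SSH session
# with: touch <backup>.keep. Needs root unless the tools are overridden.
apply_with_rollback() {
    local rules=$1 timeout=${2:-30}
    local save=${IPTABLES_SAVE:-iptables-save} restore=${IPTABLES_RESTORE:-iptables-restore}
    local backup
    backup=$(mktemp "${TMPDIR:-/tmp}/iptables-backup.XXXXXX")
    "$save" > "$backup"
    "$restore" < "$rules"
    ( sleep "$timeout"; [ -e "$backup.keep" ] || "$restore" < "$backup" ) &
    ROLLBACK_PID=$!
    echo "loaded $rules; run 'touch $backup.keep' within ${timeout}s or it rolls back"
}

# Constructed sample input: the question's "iptables -S" output and the
# answer's "shields up" ruleset, copied here so the checks run without root.
question_dump() {
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j DROP' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
}
answer_dump() {
    printf '%s\n' '*filter' ':INPUT DROP [331:17104]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [9727:1360720]' ':GitHubWebHooks - [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 9000 -j GitHubWebHooks' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT' \
        '-A INPUT -i lo -p tcp -m tcp --dport 443 -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' '-A GitHubWebHooks -s 192.30.252.0/22 -j ACCEPT' \
        '-A GitHubWebHooks -j DROP' 'COMMIT'
}

case "${1:-demo}" in
    gen)   shift; gen_rules "$@" ;;                  # ./shields.sh gen 22 80 443 > rules.v4
    check) check_shields ;;                          # iptables-save | ./shields.sh check
    apply) apply_with_rollback "$2" "${3:-30}" ;;    # sudo ./shields.sh apply rules.v4 60
    demo)  question_dump | check_shields || true     # demo on the constructed dumps
           echo "question accepts: $(question_dump | accepted_tcp_ports)"
           answer_dump | check_shields
           echo "answer accepts:   $(answer_dump | accepted_tcp_ports)" ;;
esac
```

Run without arguments it only inspects the two embedded dumps: the question's rules report shields DOWN with ports 80 and 443 open, the answer's report shields up with only 22 open (80 and 443 are restricted to lo there). Nothing here survives a reboot by itself: on Ubuntu the iptables-persistent package restores /etc/iptables/rules.v4 at boot, so once a generated ruleset is confirmed, copy it to that exact path; timestamped files beside it, like the ones the answer's scripts write, are not loaded.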
