今天是: 收藏本站 设为主页
网站首页 >  技术专栏  >  linux  > 

Ubuntu 服务器版 Iptables 基本设置指南

日期:2011-03-16  点击率:3589





Editing iptables 编辑iptables
The only problem with our setup so far is that even the loopback port is blocked. We could have written the drop rule for just eth0 by specifying -i eth0, but we could also add a rule for the loopback. If we append this rule, it will come too late - after all the traffic has been dropped. We need to insert this rule onto the fourth line.

进行至此,仍有一个问题,就是环回接口也被阻断了。刚才添加DROP规则的时候其实就可以使用-i eth0来解决这一问题。然而我们也可以为环回接口添加一条新规则来解决这个问题。但是不能将新规则追加到末尾,因为前一条规则已经把所有报文都丢弃了,而应该把它插到DROP规则前面,即规则表中第四行的位置。

# iptables -I INPUT 4 -i lo -j ACCEPT# iptables -LChain INPUT (policy ACCEPT)target prot opt source destinationACCEPT all -- anywhere anywhere state RELATED,ESTABLISHEDACCEPT tcp -- anywhere anywhere tcp dpt:sshACCEPT tcp -- anywhere anywhere tcp dpt:wwwACCEPT all -- anywhere anywhereDROP all -- anywhere anywhere
The last two lines look nearly the same, so we will list iptables in greater detail.

规则表中的最后两行几乎一样,为了看看它们到底有什么不同,我们可以使用

# iptables -L -v
Logging 记录
In the above examples none of the traffic will be logged. If you would like to log dropped packets to syslog, this would be the quickest way:

在前面的例子中,没有任何报文会被记录到日志中。如果您希望将被丢弃的报文记录到syslog中,最简单的方法是:

# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
See Tips section for more ideas on logging.

更多关于日志记录的信息,请参照Tips(技巧)这一节。

Saving iptables 保存设置
If you were to reboot your machine right now, your iptables configuration would disapear. Rather than type this each time you reboot, however, you can save the configuration, and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.

机器重启后,iptables中的配置信息会被清空。您可以将这些配置保存下来,让iptables在启动时自动加载,省得每次都得重新输入。iptables-save和iptables-restore 是用来保存和恢复设置的。

Configuration on startup 开机自动加载配置
Save your firewall rules to a file

先将防火墙规则保存到/etc/iptables.up.rules文件中

# iptables-save > /etc/iptables.up.rules
Then modify the /etc/network/interfaces script to apply the rules automatically (the bottom line is added)

然后修改脚本/etc/network/interfaces,使系统能自动应用这些规则(最后一行是我们手工添加的)。

auto eth0iface eth0 inet dhcppre-up iptables-restore < /etc/iptables.up.rules
You can also prepare a set of down rules and apply it automatically

当网络接口关闭后,您可以让iptables使用一套不同的规则集。

auto eth0iface eth0 inet dhcppre-up iptables-restore < /etc/iptables.up.rulespost-down iptables-restore < /etc/iptables.down.rules




下一篇:谈PHP生成静态页面    上一篇:mysql套接字和tcpip连接方式