I am protecting my Debian box with iptables. This is what I did to allow ssh, http and https:
# history | grep iptable
   18  /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
   22  /sbin/iptables -I INPUT 2 -i lo -j ACCEPT
   23  /sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
   24  /sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
   25  /sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
   26  /sbin/iptables -P INPUT DROP
18: connections that are already established; 22: localhost; 23, 24, 25: ssh, http, https; 26: block everything else.
My rules:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
This line:
ACCEPT     all  --  anywhere             anywhere
scares me: does this rule allow all traffic?
Edit:
# iptables -L -v -n
Chain INPUT (policy DROP 1352 packets, 99220 bytes)
 pkts bytes target     prot opt in     out     source               destination
  275 21348 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 67 packets, 9852 bytes)
 pkts bytes target     prot opt in     out     source               destination
The lo line you are referring to allows all traffic on the lo interface (localhost). It is usually harmless, and removing it would cause problems.
The interface column is only visible once you add -v to the iptables command.
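The following is an added example, not code from the question or from either answer. It is a small POSIX shell audit that reads the output of `iptables -L -v -n` and classifies every ACCEPT rule in the INPUT chain, so that a rule bound to `-i lo` is reported as loopback-only rather than mistaken for a wide-open accept. The listing it runs against is constructed here to mirror the one in the question, with one extra rule appended (an ACCEPT with no interface and no match) purely to show what a genuinely wide-open rule looks like in the same output; the function names `audit_input_accepts` and `count_wide_open` are this example's own.

```shell
#!/bin/sh
# Added example: classify ACCEPT rules in the INPUT chain of an
# `iptables -L -v -n` listing. With -v the columns are:
#   pkts bytes target prot opt in out source destination [match ...]
# Without -v the "in" and "out" columns are missing, which is why a
# `-i lo` rule and a rule matching everything look identical there.

# Constructed sample: the question's listing plus one extra, deliberately
# wide-open ACCEPT (rule 6) that is NOT in the original ruleset.
SAMPLE_LISTING='Chain INPUT (policy DROP 1352 packets, 99220 bytes)
 pkts bytes target     prot opt in     out     source               destination
  275 21348 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 67 packets, 9852 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Read a listing on stdin; print one line per ACCEPT rule in INPUT:
#   WIDE-OPEN      prot=all, in=*, no further match  -> accepts everything
#   LOOPBACK-ONLY  prot=all, in=lo, no further match -> localhost only
#   RESTRICTED     anything else (protocol, interface or match present)
# The rule number printed is the rule's position in the chain, i.e. the
# number you would pass to `iptables -D INPUT <n>`.
audit_input_accepts() {
    awk '
        /^Chain / { chain = $2; n = 0; next }
        $1 !~ /^[0-9]+[KMG]?$/ { next }        # column header or blank line
        { n++ }                                # position within the chain
        chain != "INPUT" || $3 != "ACCEPT" { next }
        {
            prot = $4; in_if = $6
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra (extra == "" ? "" : " ") $i
            if (prot == "all" && in_if == "*" && extra == "")
                cls = "WIDE-OPEN"
            else if (prot == "all" && in_if == "lo" && extra == "")
                cls = "LOOPBACK-ONLY"
            else
                cls = "RESTRICTED"
            printf "%s rule %d: prot=%s in=%s%s\n", cls, n, prot, in_if,
                   (extra == "" ? "" : " match=\"" extra "\"")
        }'
}

# Convenience wrapper: number of wide-open ACCEPT rules in INPUT.
count_wide_open() {
    audit_input_accepts | awk 'BEGIN { c = 0 } /^WIDE-OPEN/ { c++ } END { print c }'
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_LISTING" | audit_input_accepts
```

On a live host pipe the real output in instead: `iptables -L -v -n | audit_input_accepts`. An even less ambiguous view is `iptables -S INPUT`, which prints each rule in the same command syntax it was added with (for example `-A INPUT -i lo -j ACCEPT`), so the interface restriction is visible without having to remember which columns `-L` hides.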
Yes, that line allows everything.