I made the following iptables rules file:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -i enp3s0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow incoming SSH"
-A INPUT -i enp3s0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow outgoing SSH"
-A INPUT -i enp3s0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow incoming HTTP"
-A INPUT -i enp3s0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow incoming HTTPS"
-A INPUT -i enp3s0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow outgoing HTTP"
-A INPUT -i enp3s0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow outgoing HTTPS"
-A INPUT -i enp3s0 -p udp --sport 53 -j ACCEPT -m comment --comment "Allow outgoing DNS"
-A INPUT -i lo -j ACCEPT -m comment --comment "Allow ALL from localhost"
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow incoming ping"
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT -m comment --comment "Allow outgoing ping"
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT -m comment --comment "Prevent DoS attacks"
-A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT -m comment --comment "Prevent DoS attacks"
-A INPUT -p tcp -m tcp --dport 22 -j sshguard -m comment --comment "SSH access protection"
COMMIT
But when I try to load it with iptables-restore < iptables.rules, I get this error:
iptables-restore: line 22 failed
Am I doing something wrong?
Edit:
Edit 2: After a lot of testing, it seems the ipt_state.ko.gz and ipt_comment.ko.gz modules are missing from the /lib/modules/4.4.48-1-MANJARO/kernel/net/ipv4/netfilter directory.
Does anyone know how to add these modules?
OK, so after reading that forum thread: https://bbs.archlinux.org/viewtopic.php?id=195108 , I realised that my kernel had recently been updated from -41 to -48, while module discovery is based on uname (which was out of date), which is why the modules could not be loaded. A simple reboot fixed everything :D
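A pre-flight check for the failure mode the answer describes, added here as an example and not part of the original thread: it confirms that a module tree exists for the running kernel (uname -r) and lists the "-m" match extensions in the rules file whose xt_/ipt_ module cannot be found, so a stale kernel is reported before iptables-restore fails with a bare "line N failed". The rules-file path and the optional module-root argument are assumptions for this example; the default root is /lib/modules.

```shell
#!/bin/sh
# Pre-flight check before iptables-restore. After a kernel package upgrade
# without a reboot, "uname -r" still names the old kernel while /lib/modules
# only holds the new release, so matches such as state/comment cannot be
# loaded. The module-root parameter is an assumption for this example.

# Print the match extensions a rules file uses via "-m <name>", one per line,
# deduplicated. "-m tcp" and "-m udp" both live in the xt_tcpudp module.
rules_match_modules() {
    grep -oE -- '(^| )-m [a-z_]+' "$1" | awk '{print $2}' \
        | sed -e 's/^tcp$/tcpudp/' -e 's/^udp$/tcpudp/' | sort -u
}

# Succeed only if a module tree exists for kernel release $1 under root $2
# (default /lib/modules).
module_tree_present() {
    [ -d "${2:-/lib/modules}/$1" ]
}

# Print the extensions from rules file $1 that have neither an xt_<name> nor
# an ipt_<name> module under <root>/<release>; return 1 if any are missing.
missing_match_modules() {
    rules=$1; release=$2; root=${3:-/lib/modules}; rc=0
    for m in $(rules_match_modules "$rules"); do
        if ! find "$root/$release" \( -name "xt_$m.ko*" -o -name "ipt_$m.ko*" \) \
                2>/dev/null | grep -q .; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh preflight.sh /etc/iptables/iptables.rules
if [ "$#" -ge 1 ]; then
    rel=$(uname -r)
    if ! module_tree_present "$rel"; then
        echo "no module tree for running kernel $rel: reboot into the installed kernel first" >&2
        exit 2
    fi
    if ! missing=$(missing_match_modules "$1" "$rel"); then
        echo "match modules not found for $rel:" $missing >&2
        exit 3
    fi
    exec iptables-restore < "$1"
fi
```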