iptables & nmap on Ubuntu

Here are the iptables rules on my Ubuntu cloud server:

cat /etc/iptables.rules:

    *filter
    :INPUT DROP [598:41912]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [456:35354]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 10000 -j ACCEPT
    -A INPUT -j DROP
    COMMIT

I have not opened the ftp port 21 in the iptables rules above, yet I can connect to the server over ftp. How?


    nmap server-IP

    Not shown: 987 closed ports
    PORT      STATE    SERVICE
    21/tcp    open     ftp
    22/tcp    open     ssh
    25/tcp    open     smtp
    53/tcp    open     domain
    80/tcp    open     http
    111/tcp   open     rpcbind
    135/tcp   filtered msrpc
    139/tcp   filtered netbios-ssn
    389/tcp   open     ldap
    445/tcp   filtered microsoft-ds
    10000/tcp open     java-or-OTGfileshare
    2401/tcp  open     cvspserver
    3306/tcp  open     mysql

    Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds

Why are so many ports shown as open? I am aware that these services are running on the server, but how can these ports be listed, or connected to (ftp), when they are not included in the iptables rules?

Need help...


The following script runs every 5 minutes on the cloud servers to update their iptables rules for the dyndns domain name:

    #!/bin/bash
    #
    # A script to update iptable records for dynamic dns hosts.
    # Written by: Dave Horner (http://dave.thehorners.com)
    # Released into public domain.
    #
    # Run this script in your cron table to update ips.
    #
    # You might want to put all your dynamic hosts in a sep. chain.
    # That way you can easily see what dynamic hosts are trusted.
    #
    HOST=$1
    HOSTFILE="/root/host-$HOST"
    CHAIN="dynamichosts"       # change this to whatever chain you want.
    IPTABLES="/sbin/iptables"

    # check to make sure we have enough args passed.
    if [ "$#" -ne 1 ]; then
        echo "$0 hostname"
        echo "You must supply a hostname to update in iptables."
        exit 1
    fi

    # lookup host name from dns tables (done before touching the chain, so a
    # failed lookup leaves the current rules in place instead of an empty chain)
    IP=$(/usr/bin/dig +short "$HOST" | /usr/bin/tail -n 1)
    if [ -z "$IP" ]; then
        echo "Couldn't lookup hostname for $HOST, failed."
        exit 1
    fi

    # create the chain in iptables (fails harmlessly if it already exists).
    $IPTABLES -N $CHAIN 2>/dev/null
    # insert the chain into the input chain @ the head of the list, but only
    # once: re-adding the jump on every cron run piles up duplicate references
    # to the chain in INPUT. -C (check) needs iptables 1.4.11 or newer.
    $IPTABLES -C INPUT -j $CHAIN 2>/dev/null || $IPTABLES -I INPUT 1 -j $CHAIN
    # flush all the rules in the chain
    $IPTABLES -F $CHAIN

    OLDIP=""
    if [ -e "$HOSTFILE" ]; then
        OLDIP=$(cat "$HOSTFILE")
    fi
    # save off new ip.
    echo "$IP" > "$HOSTFILE"

    echo "Updating $HOST in iptables."
    if [ -n "$OLDIP" ]; then
        echo "Removing old rule ($OLDIP)"
        # the flush above already emptied the chain, so this only matters if
        # the old rule ended up elsewhere; a missing rule is not an error here.
        $IPTABLES -D $CHAIN -s $OLDIP/32 -j ACCEPT 2>/dev/null
    fi
    echo "Inserting new rule ($IP)"
    $IPTABLES -A $CHAIN -s $IP/32 -j ACCEPT

This is the output of "iptables -L" on the cloud server.

    dynamichosts  all  --  anywhere                                               anywhere
    dynamichosts  all  --  anywhere                                               anywhere
    dynamichosts  all  --  anywhere                                               anywhere
    dynamichosts  all  --  anywhere                                               anywhere
    dynamichosts  all  --  anywhere                                               anywhere
    ACCEPT        all  --  anywhere                                               anywhere
    ACCEPT        tcp  --  anywhere                                               anywhere     tcp dpt:www
    ACCEPT        all  --  anywhere                                               anywhere     state RELATED,ESTABLISHED
    ACCEPT        all  --  anywhere                                               anywhere     state RELATED,ESTABLISHED
    ACCEPT        tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in     anywhere     tcp dpt:ssh
    ACCEPT        tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in     anywhere     tcp dpt:10000
    ACCEPT        tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in     anywhere     tcp dpt:mysql
    DROP          all  --  anywhere                                               anywhere

    Chain FORWARD (policy ACCEPT)
    target        prot opt source                                                 destination

    Chain OUTPUT (policy ACCEPT)
    target        prot opt source                                                 destination

    Chain dynamichosts (937 references)
    target        prot opt source                                                 destination
    ACCEPT        all  --  Telemedia-AP-dynamic-145.86.175.59.airtelbroadband.in  anywhere

Here airtelbroadband is my (dyndns domain name). I think the previously posted script creates a new chain and allows everything from this domain – is that right? Perhaps the entries allowing the ports ssh, webmin, mysql and www are useless then. But I want this domain to be allowed only on those ports, and when I check from my dyndns domain system, nmap should list only the allowed ports on the cloud server. Any more help...?
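As an added example (not the script posted above, and not Dave Horner's code), here is a cron-friendly refresh of the dynamichosts chain that adds the jump from INPUT only once, so the chain does not accumulate the hundreds of references shown in the listing, and admits the resolved address only on ssh, mysql and webmin as asked. The function names refresh_dynamic_host, resolve_ip, ensure_chain and install_rules and the IPTABLES=echo dry-run switch are this example's own; /sbin/iptables, the chain name and the ports come from the question.

```shell
#!/bin/sh
# Idempotent dyndns refresh for the "dynamichosts" chain (added example).
IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo for a dry run
CHAIN="${CHAIN:-dynamichosts}"
PORTS="${PORTS:-22 3306 10000}"          # ssh, mysql, webmin from the question

# Resolve a hostname to a single IPv4 address; prints nothing on failure.
resolve_ip() {
    /usr/bin/dig +short A "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | tail -n 1
}

# Create the chain and its single jump from INPUT if they are not there yet.
ensure_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    # -C (check) needs iptables 1.4.11 or newer; without the check the jump
    # would be re-inserted on every run, one duplicate per cron interval.
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT 1 -j "$CHAIN"
}

# Replace the chain's contents with per-port ACCEPT rules for one address,
# instead of accepting all traffic from it.
install_rules() {
    ip="$1"
    "$IPTABLES" -F "$CHAIN"
    for port in $PORTS; do
        "$IPTABLES" -A "$CHAIN" -s "$ip/32" -p tcp -m tcp --dport "$port" -j ACCEPT
    done
}

# Cron entry point, e.g.: refresh_dynamic_host mycompany.dyndns.com
refresh_dynamic_host() {
    host="$1"
    ip="$(resolve_ip "$host")"
    if [ -z "$ip" ]; then
        # Keep the previous rules rather than flushing to an empty chain.
        echo "Could not resolve $host; leaving existing rules in place." >&2
        return 1
    fi
    ensure_chain
    install_rules "$ip"
}

if [ $# -gt 0 ]; then refresh_dynamic_host "$@"; fi
```

Run it as root from cron with the dyndns hostname as the only argument; with IPTABLES=echo it prints the rules it would install instead of applying them.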

Scan from a remote host. "-A INPUT -i lo -j ACCEPT" allows traffic from server-IP to server-IP.