This article was last updated: 2024/10/02
Linux ships with a firewall package called iptables.
As the name suggests, you write rules into tables and it manages traffic according to them; the catch is that the rule syntax is not exactly "friendly and approachable" XD
So I found an online tool to generate the configuration for me: LinWiz://ServerFirewall (link dead) http://www.lowth.com/LinWiz/1.09/ServerFirewall/fw.pl/iptables (link dead)
I think anyone who uses iptables will like it; it helped me a lot.
Below is a common web server ruleset: allow only SSH (22), HTTP (80) and HTTPS (443) connections.
# Created: Sun Aug 31 18:31:24 2014
# By : LinWiz://ServerFirewall, 1.09
# URL : http://www.lowth.com/LinWiz/1.09
#
# This file is provided under the terms of the GNU General Public
# License which governs your rights to use and redistribute it, and
# highlights the fact that it is provided with NO WARRANTY what so ever.
# The full text of the license can be viewed on line at ..
# http://www.lowth.com/LinWiz/1.09/COPYING.txt
# Do not use this file if you disagree with these terms.
#
#
#
#
# Only allow 80, 443, 22 ports
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]
-A INPUT -j LINWIZ-INPUT
######################################################################
# Allow all loopback interface traffic
-A LINWIZ-INPUT -i lo -j ACCEPT
# Block all attempts to spoof the loopback address
-A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
-A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP
# Block all attempts to spoof the local IP address
# Change this to your server's IP address
-A LINWIZ-INPUT -s 192.168.0.1 -j DROP
# Block Syn Flood attacks
-A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD
# Ensure that TCP connections start with syn packets
-A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# Allow session continuation traffic
-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow selected TCP/IP and/or UDP services
-A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Block all other TCP/IP and UDP traffic
-A LINWIZ-INPUT -j REJECT-PKT
######################################################################
# Syn flood filtering chain
-A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP
######################################################################
# Chain used to reject all TCP/IP, UDP and ICMP/PING packets
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
COMMIT
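As an added check (example code written for this post, not part of the LinWiz output), the script below parses iptables-save format and confirms that only TCP 22, 80 and 443 can reach ACCEPT from INPUT and that LINWIZ-INPUT ends in an unconditional jump to REJECT-PKT. The embedded ruleset is a constructed, trimmed copy of the one above, and the function names are my own.

```python
import re
# Constructed sample: a trimmed copy of the LinWiz ruleset shown in this post.
RULES = """\
*filter
:INPUT ACCEPT [0:0]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
-A INPUT -j LINWIZ-INPUT
-A LINWIZ-INPUT -i lo -j ACCEPT
-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A LINWIZ-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A LINWIZ-INPUT -j REJECT-PKT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
COMMIT
"""

def field(pattern, body):
    m = re.search(pattern, body)
    return m.group(1) if m else None

def parse_rules(text):
    """Map chain name -> list of (proto, dport, target, body) for every -A line."""
    chains = {}
    for line in text.splitlines():
        m = re.match(r"-A (\S+) (.*)", line)
        if m:
            chain, body = m.groups()
            chains.setdefault(chain, []).append((
                field(r"-p (\S+)", body), field(r"--dport (\d+)", body),
                field(r"-j (\S+)", body), body))
    return chains

def accepted_ports(chains, chain="INPUT", seen=None):
    """(proto, port) pairs that can reach ACCEPT from `chain`, following jumps."""
    seen = set() if seen is None else seen
    ports = set()
    for proto, dport, target, _ in chains.get(chain, []):
        if target == "ACCEPT" and dport is not None:
            ports.add((proto, int(dport)))
        elif target in chains and target not in seen:  # user-defined chain
            seen.add(target)
            ports |= accepted_ports(chains, target, seen)
    return ports

def ends_with_catch_all(chains, chain, reject_chain="REJECT-PKT"):
    """True if the last rule of `chain` is an unconditional jump to `reject_chain`."""
    _, _, target, body = chains[chain][-1]
    return target == reject_chain and body == f"-j {reject_chain}"
```

Feed it the output of `iptables-save` to audit a live host instead of the embedded sample.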