IPTable rules to restrict eth1 access to ports 80 and 443

I have a service listening for customer traffic on ports 80 and 443 of eth1. The server hosting my service also hosts other admin/privileged access content on eth0 and localhost.

I am trying to set up iptables rules to lock down eth1 on the server, which sits on the same network as the clients (blocking things like ssh over eth1, access to an internal service running on port 9904, etc.). I also want to make sure the rules do not prohibit regular access to eth1:80 and eth1:443. I came up with the following rules, but would like to review with an iptables expert what problems these rules might have.

-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -j DROP

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -j ACCEPT
-A INPUT -i eth1 -j DROP

Thanks. I answered this question at https://serverfault.com/questions/834534/iptable-rules-to-restrict-eth1-access-to-ports-80-and-443 and am adding it here for completeness.

The first set of rules first allows all incoming packets on your ports 80 and 443. Then it drops ALL other incoming packets (except those already accepted).

The second set of rules first allows all incoming packets on ports 80 and 443. Then it drops incoming connections (excluding 80 and 443, which are already accepted), which are packets with only the SYN flag set. Then it allows all incoming packets.

The difference here is what happens to your OUTGOING connections. In the first ruleset, if you attempt to connect to another server, any packets that server sends in response will be dropped so you will never receive any data. In the second case, those packets will be allowed since the first packet from the remote server will have both SYN and ACK set and therefore pass the SYN test, and any following packets will not have SYN set at all, and therefore pass the test.

This has traditionally been done using conntrack, which requires the kernel to keep track of every connection in the firewall, with a command like

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

that matches the incoming packet either to an existing connection, or to a connection related to some other existing connection (e.g. FTP data connections). If you aren't using FTP or other protocols that use multiple random ports, then the second ruleset achieves basically the same result without the overhead of tracking and inspecting these connections.
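As an added example (not code from the question or the answer), the following Python script models iptables first-match semantics and runs both rulesets from the question, plus the answer's conntrack rule placed in front of ruleset 1, over constructed packets. The packet names, the ephemeral ports 40001/40002 and the `state` field (standing in for what the kernel's connection table would report) are assumptions.

```python
# Added example, not from the question or the answer: a tiny model of iptables
# first-match semantics run over constructed packets. No real firewall is touched.
MASK = {"FIN", "SYN", "RST", "ACK"}  # mask half of --tcp-flags FIN,SYN,RST,ACK SYN
FIRST = [  # ruleset 1 from the question
    {"iface": "eth1", "proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"iface": "eth1", "proto": "tcp", "dport": 443, "target": "ACCEPT"},
    {"iface": "eth1", "target": "DROP"},
]
SECOND = [  # ruleset 2 from the question
    {"iface": "eth1", "proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"iface": "eth1", "proto": "tcp", "dport": 443, "target": "ACCEPT"},
    {"iface": "eth1", "proto": "tcp", "flags": {"SYN"}, "target": "DROP"},
    {"iface": "eth1", "proto": "tcp", "target": "ACCEPT"},
    {"iface": "eth1", "target": "DROP"},
]
# The answer's conntrack rule in front of ruleset 1 ("state" is an assumed stand-in).
CONNTRACK = [{"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}] + FIRST

def matches(rule, pkt):
    """True when every match condition present in the rule fits the packet."""
    for key in ("iface", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    # --tcp-flags: of the flags in MASK, exactly rule["flags"] must be set
    if "flags" in rule and (pkt.get("flags", set()) & MASK) != rule["flags"]:
        return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    return True

def verdict(ruleset, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy (-P INPUT ACCEPT)."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed packets as the INPUT chain on the server would see them.
PACKETS = {
    "client SYN to 443": {"iface": "eth1", "proto": "tcp", "dport": 443, "flags": {"SYN"}, "state": "NEW"},
    "client SYN to 9904": {"iface": "eth1", "proto": "tcp", "dport": 9904, "flags": {"SYN"}, "state": "NEW"},
    "client SYN to 22": {"iface": "eth1", "proto": "tcp", "dport": 22, "flags": {"SYN"}, "state": "NEW"},
    "SYN/ACK reply to our outgoing connection": {"iface": "eth1", "proto": "tcp", "dport": 40001, "flags": {"SYN", "ACK"}, "state": "ESTABLISHED"},
    "UDP DNS reply": {"iface": "eth1", "proto": "udp", "dport": 40002, "state": "ESTABLISHED"},
    "ssh on eth0": {"iface": "eth0", "proto": "tcp", "dport": 22, "flags": {"SYN"}, "state": "NEW"},
}

def compare():
    """Verdict per packet as (ruleset 1, ruleset 2, conntrack + ruleset 1)."""
    return {n: (verdict(FIRST, p), verdict(SECOND, p), verdict(CONNTRACK, p))
            for n, p in PACKETS.items()}
```

Note the UDP row: ruleset 2 fixes the dropped SYN/ACK reply but, through its final eth1 DROP rule, still discards non-TCP replies such as DNS on eth1, while the conntrack rule accepts them.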