I am securing my Debian box with iptables. I ran these commands to allow ssh, http and https:
# history | grep iptable
18 /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
22 /sbin/iptables -I INPUT 2 -i lo -j ACCEPT
23 /sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
24 /sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
25 /sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
26 /sbin/iptables -P INPUT DROP
18: established connections; 22: localhost; 23, 24, 25: ssh, http, https; 26: block everything else.
My rules:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This line:
ACCEPT all -- anywhere anywhere
scares me: does that rule allow all traffic?
Edit:
# iptables -L -v -n
Chain INPUT (policy DROP 1352 packets, 99220 bytes)
pkts bytes target prot opt in out source destination
275 21348 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 67 packets, 9852 bytes)
pkts bytes target prot opt in out source destination
The line you are referring to allows all traffic on the lo interface (localhost). It is usually harmless, and removing it would probably cause problems. The interface column is only visible if you add -v to the iptables command. And yes, that line allows everything.