主页 / ubuntu / 问题 / 6004
Accepted
user3215
Asked: 2010-10-12 06:41:02 +0800 CST

ubuntu 上的 iptables 和 nmap

  • 772

以下是我在 ubuntu 云服务器上的 iptable 规则:

猫 /etc/iptables.rules:

*filter   
:INPUT DROP [598:41912]  
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [456:35354] 
-A INPUT -i lo -j ACCEPT  
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT  
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT  
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 22 -j ACCEPT  
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j DROP
COMMIT

我没有在上面的 iptable 规则中打开 ftp 端口 21,但我可以通过 ftp 连接到服务器。如何?

nmap 服务器 IP

Not shown: 987 closed ports 

PORT         STATE    SERVICE
21/tcp        open     ftp
22/tcp        open     ssh
25/tcp        open     smtp
53/tcp        open     domain
80/tcp        open     http
111/tcp       open     rpcbind
135/tcp       filtered msrpc
139/tcp       filtered netbios-ssn
389/tcp       open     ldap
445/tcp       filtered microsoft-ds
10000/tcp      open     java-or-OTGfileshare
2401/tcp      open     cvspserver
3306/tcp      open     mysql

Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds

为什么这些端口显示为打开。我很清楚这些服务正在服务器上运行,但是当它不包含在 iptable 规则中时,它如何列出或连接(ftp)这些端口?

需要帮忙...

The following script will be running at every 5 mins on cloud servers to update their iptables for the dyndns domain name:

#!/bin/bash
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
# create the chain in iptables.
 /sbin/iptables -N dynamichosts
# insert the chain into the input chain @ the head of the list.
 /sbin/iptables -I INPUT 1 -j dynamichosts
# flush all the rules in the chain
 /sbin/iptables -F dynamichosts

HOST=$1
HOSTFILE="/root/host-$HOST"
CHAIN="dynamichosts"  # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough args passed.
if [ "${#@}" -ne "1" ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit
fi

# lookup host name from dns tables
IP=`/usr/bin/dig +short $HOST | /usr/bin/tail -n 1`
if [ "${#IP}" = "0" ]; then
    echo "Couldn't lookup hostname for $HOST, failed."
    exit
fi

OLDIP=""
if [ -a $HOSTFILE ]; then
    OLDIP=`cat $HOSTFILE`
    # echo "CAT returned: $?"
fi

# save off new ip.
echo $IP>$HOSTFILE

echo "Updating $HOST in iptables."
if [ "${#OLDIP}" != "0" ]; then
    echo "Removing old rule ($OLDIP)"
    `$IPTABLES -D $CHAIN -s $OLDIP/32 -j ACCEPT`
fi
echo "Inserting new rule ($IP)"
`$IPTABLES -A $CHAIN -s $IP/32 -j ACCEPT`

这是云服务器上“ipables -L”的输出。

dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere tcp dpt:www
ACCEPT     all  --  anywhere             anywhere state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere state RELATED,ESTABLISHED 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in  anywhere tcp dpt:ssh 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in anywhere tcp dpt:10000 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in  anywhere tcp dpt:mysql 
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain dynamichosts (937 references)
target     prot opt source               destination         
ACCEPT     all  --  Telemedia-AP-dynamic-145.86.175.59.airtelbroadband.in  anywhere

这里airtelbroadband是我的(dyndns域名)。我认为之前发布的脚本创建了新的链,并且从这个域中一切都是允许的 - 是这样吗?可能是允许的端口 ssh、webmin、mysql 和 www 是无用的条目。但是我希望这个域应该只允许这些端口使用,当我从我的 dyndns 域系统检查时,我可能会在云服务器上列出仅允许的端口。还有什么帮助...?

server iptables

2 个回答

  1. 根据您的输出iptables -L,似乎没有读取您的/etc/iptables.rules文件。请注意,ACCEPT all -- anywhere anywhere比赛会让任何东西进入。

    您可能想要添加一些东西/etc/rc.local来调用iptables-restore < /etc/iptables.rules。不过,请注意不要将自己锁定在系统之外。:)

    • 1
  2. Best Answer

    这是与https://serverfault.com/questions/188550/iptables-nmap-on-ubuntu相同的问题

    正如那里的人所建议的那样,您的防火墙规则对云服务器本身 ( -A INPUT -i lo -j ACCEPT) 或您的“airtelbroadband”机器(您正在运行的脚本允许来自所选 dyndns IP 的所有流量)有特殊例外。

    因此,您需要nmap不同的 IP 地址运行(例如,只需使用云中的另一台机器)

    如果您想限制来自“airtelbroadband”主机的访问(例如,出于测试目的),那么您可以将脚本中的最后一行替换为您要应用的规则列表。例如,以下行将只允许来自您的家庭主机的 SSH、HTTP/HTTPS 和 MySQL 连接:

    $IPTABLES -A $CHAIN -s $IP/32 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A $CHAIN -s $IP/32 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A $CHAIN -s $IP/32 -p tcp --dport 443 -j ACCEPT
$IPTABLES -A $CHAIN -s $IP/32 -p tcp --dport 3306 -j ACCEPT

    警告:通过弄乱防火墙规则,特别是使用自动化脚本,将自己锁定在运行的主机之外是非常、非常、 非常容易的。考虑改为从第三台主机进行测试。

    • 1

相关问题