
Easy Ubuntu 16.04 Server Firewall

October 23, 2016

Easy Ubuntu 16.04 Server Firewall
https://oitibs.com/easy-ubuntu-16-server-firewall/
April 21, 2016 | Views: 6054 | Articles | Bash, IPtables, Linux, Ubuntu
If you read our previous article Easy Ubuntu Server Firewall, then you may have noted that on Ubuntu 16.04 the described method no longer works. This is due to systemd. In the article below we will walk through creating a persistent IPTables based firewall on Ubuntu 16.04 LTS. First we need to install some required software packages. As seen in the commands below, install iptables-persistent. Next we will make netfilter-persistent run at boot. This is the most important step, as it ensures your rules are reloaded at boot time.

# Install IPTables Persistent Package
apt-get install -y iptables-persistent
# Add netfilter-persistent Startup
# ("save" writes the currently loaded IPv4/IPv6 rules to /etc/iptables/rules.v4 and rules.v6)
invoke-rc.d netfilter-persistent save
# Stop netfilter-persistent Service
service netfilter-persistent stop
Once the packages above are installed and the service is stopped, you will have a new directory at /etc/iptables/. This directory holds the IPTables filter rules that will be reloaded at boot time. The files are named rules.v4 and rules.v6: IPv4 rules are loaded from rules.v4 and IPv6 rules from rules.v6. For the purpose of this article we will focus on IPv4 rules. Next we will copy the rules below into our rules.v4 file. Of course the rules will need to be modified to fit your environment.

# Generated by iptables-save v1.3.3 on Wed Apr 9 10:51:08 2008
# Flush out any rules that are already in there
*filter
:INPUT ACCEPT [146:11332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:9831]

# Allow internal loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow pinging
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow any outbound data, and any inbound data related to a connection that is already in use
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# =========BEGIN SERVER SPECIFIC PORT OPEN RULES=========
# Allow SCP/SSH Access from Green & Blue Subnet
-A INPUT -s 172.16.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT

# Allow HTTP Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT

# Allow HTTPS Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT

# Allow MySQL Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 3306 -j ACCEPT

# Allow FTP Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 58000:58010 -j ACCEPT
# =========END SERVER SPECIFIC PORT OPEN RULES=========

# Drop everything that hasn't been picked up by one of the rules above
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP

COMMIT
# Completed on Wed Apr 9 10:51:08 2008
Lastly, in order for our new rules to take effect, we simply need to start the netfilter-persistent service as seen below. That's it, you now have a fully functional IPTables based firewall.

# Start netfilter-persistent Service
service netfilter-persistent start
# Check if IPTables were applied
iptables -L
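The script below is an added example written for this page; it is my own code, not part of the original article or of the iptables-persistent package. It checks a rules.v4 file for the problems that most often bite when a ruleset like the one above is pasted in: non-ASCII dashes (a web page turns "--" into an en dash) that make iptables-restore reject the whole file, so no firewall loads at boot; a missing *filter/COMMIT pair; and accept rules placed after the catch-all DROP, which locks your SSH session out. It then shows how to load the file with a timed rollback, which goes beyond the article's plain "service netfilter-persistent start". The SSH port (22 unless SSH_PORT is set), the /tmp snapshot path and the two sample rulesets are my assumptions, constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: lint a rules.v4 file
# before netfilter-persistent loads it, then apply it with a timed rollback so
# a bad rule cannot lock you out of SSH.
# Assumptions (mine, not the article's): SSH listens on 22 unless SSH_PORT is
# set, and the rollback snapshot lives under /tmp.

# lint_rules FILE: print one "FAIL:" line per finding, return the finding count.
lint_rules() {
    f="$1"; port="${SSH_PORT:-22}"; n=0

    # 1. Bytes outside printable ASCII, ignoring comment lines. A pasted en
    #    dash where "--" belongs makes iptables-restore reject the whole file,
    #    so nothing loads at boot and the host runs with its default ACCEPT policy.
    if LC_ALL=C grep -n '[^ -~]' "$f" | grep -v '^[0-9]*:#'; then
        echo "FAIL: non-ASCII character(s) on the line(s) above (pasted en dash instead of --?)"
        n=$((n + 1))
    fi

    # 2. A complete filter table: header and COMMIT.
    grep -q '^\*filter$' "$f" || { echo "FAIL: missing *filter header"; n=$((n + 1)); }
    grep -q '^COMMIT$' "$f"   || { echo "FAIL: missing COMMIT"; n=$((n + 1)); }

    # 3. Ordering: only rules placed before the catch-all DROP can admit a
    #    packet, so loopback, SSH and the ESTABLISHED accept must precede it,
    #    and an OUTPUT DROP needs its own ESTABLISHED accept or replies die.
    awk_bad=0
    awk -v port="$port" '
        BEGIN { bad = 0 }
        /^-A INPUT -j DROP/  { in_drop = 1 }
        /^-A OUTPUT -j DROP/ { out_drop = 1 }
        !in_drop && /^-A INPUT -i lo -j ACCEPT/ { lo = 1 }
        !in_drop && $0 ~ ("^-A INPUT .*--dport " port " .*-j ACCEPT") { ssh = 1 }
        !in_drop && /^-A INPUT -m (state|conntrack) --(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$/ { est = 1 }
        !out_drop && /^-A OUTPUT -m (state|conntrack) --(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$/ { out_est = 1 }
        END {
            if (!lo)  { print "FAIL: loopback not accepted before INPUT DROP"; bad++ }
            if (!ssh) { print "FAIL: no ACCEPT for --dport " port " before INPUT DROP (remote lockout)"; bad++ }
            if (!est) { print "FAIL: no RELATED,ESTABLISHED ACCEPT on INPUT before INPUT DROP"; bad++ }
            if (out_drop && !out_est) { print "FAIL: OUTPUT DROP without an ESTABLISHED ACCEPT (replies would be dropped)"; bad++ }
            exit bad
        }' "$f" || awk_bad=$?
    n=$((n + awk_bad))
    return "$n"
}

# write_sample_rules FILE MODE: constructed sample modelled on the article's
# ruleset; MODE "dash" swaps one "--" for a pasted en dash (U+2013).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then anything that belongs to a connection already tracked
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# SSH from the management subnet only, HTTP from anywhere
-A INPUT -s 172.16.12.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
    if [ "$2" = dash ]; then
        dash=$(printf '\342\200\223')
        LC_ALL=C sed "s/--dport 22/${dash}dport 22/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}

# apply_with_rollback FILE [SECONDS]: lint, dry-run with "iptables-restore
# --test", snapshot the live ruleset, load FILE, and arm a detached timer that
# restores the snapshot unless you cancel it from a still-working session.
# Needs root and real iptables; the demo below does not call it.
apply_with_rollback() {
    f="$1"; secs="${2:-60}"
    lint_rules "$f" || { echo "lint reported problems; not applying" >&2; return 1; }
    iptables-restore --test < "$f" || { echo "iptables-restore rejected $f" >&2; return 1; }
    backup=$(mktemp /tmp/rules.rollback.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    nohup sh -c "sleep $secs; iptables-restore < '$backup'" >/dev/null 2>&1 &
    timer=$!
    iptables-restore < "$f" || { kill "$timer"; return 1; }
    echo "New rules loaded. If you can still reach this host, cancel the rollback"
    echo "within ${secs}s with:  kill $timer"
}

# Demo on the constructed samples (offline, no iptables needed).
demo=$(mktemp -d)
write_sample_rules "$demo/good.v4" ok
write_sample_rules "$demo/bad.v4" dash
for f in "$demo/good.v4" "$demo/bad.v4"; do
    echo "== $f"
    lint_rules "$f" && echo "OK: no findings"
done
rm -rf "$demo"
```

Run it as-is to lint the two constructed samples: the clean one passes, the one with the pasted dash is flagged twice (the stray byte itself, and the SSH accept it silently disabled). On a real host, source the file and call apply_with_rollback /etc/iptables/rules.v4 from the SSH session you are protecting, then kill the timer it prints once you have confirmed a fresh login still works. The lint is deliberately conservative: it only recognises the generic "-m state --state RELATED,ESTABLISHED -j ACCEPT" form (or its conntrack equivalent) as the established-connection rule, so a port-specific NEW,ESTABLISHED rule does not satisfy it. Note also that the article's ruleset opens MySQL (3306) and FTP (21) to every source address; unless the server really offers those to the Internet, restrict them with -s the way the SSH rules do.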
