阿里云linux服务器上使用iptables设置安全策略的方法

(最后更新于2019-09-22) 分类: Linux 评论(0) 阅读(580) 赞(0)

公司的产品一直运行在云服务器上,从而有幸接触过aws的ec2,盛大的云服务器,最近准备有使用阿里云的弹性计算(云服务器)。前两种云服务器在安全策略这块做的比较好,提供简单明了的配置界面,而且给了默认的安全策略,反观阿里云服务器,安全策略需要自己去配置,甚至centos机器上都没有预装iptables(起码我们申请两台上都没有),算好可以使用yum来安装,安装命令如下:

  yum install -y iptables

iptables安装好后就可以来配置规则了。由于作为web服务器来使用,所以对外要开放 80 端口,另外肯定要通过ssh进行服务器管理,22 端口也要对外开放,当然最好是把ssh服务的默认端口改掉,在公网上会有很多人试图破解密码的,如果修改端口,记得要把该端口对外开发,否则连不上就悲剧了。下面提供配置规则的详细说明:

  第一步:清空所有规则    当Chain INPUT (policy DROP)时执行/sbin/iptables -F后,你将和服务器断开连接  所有在清空所有规则前把policy DROP该为INPUT,防止悲剧发生,小心小心再小心  /sbin/iptables -P INPUT ACCEPT  清空所有规则  /sbin/iptables -F  /sbin/iptables -X  计数器置0  /sbin/iptables -Z    第二步:设置规则    允许来自于lo接口的数据包,如果没有此规则,你将不能通过127.0.0.1访问本地服务,例如ping 127.0.0.1  /sbin/iptables -A INPUT -i lo -j ACCEPT     开放TCP协议22端口,以便能ssh,如果你是在有固定ip的场所,可以使用 -s 来限定客户端的ip  /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT    开放TCP协议80端口供web服务  /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT    10.241.121.15是另外一台服务器的内网ip,由于之间有通信,接受所有来自10.241.121.15的TCP请求  /sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT    接受ping  /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT    这条规则参看:http://www.netingcn.com/iptables-localhost-not-access-internet.html  /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT    屏蔽上述规则以为的所有请求,不可缺少,否则防火墙没有任何过滤的功能  /sbin/iptables -P INPUT DROP    可以使用 iptables -L -n 查看规则是否生效

至此防火墙就算配置好,但是这是临时的,当重启iptables或重启机器,上述配置就会被清空,要想永久生效,还需要如下操作:

  /etc/init.d/iptables save   或  service iptables save    执行上述命令可以在文件 /etc/sysconfig/iptables 中看到配置

以下提供一个干净的配置脚本:

  /sbin/iptables -P INPUT ACCEPT  /sbin/iptables -F  /sbin/iptables -X  /sbin/iptables -Z    /sbin/iptables -A INPUT -i lo -j ACCEPT   /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT  /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT  /sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT  /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT  /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT  /sbin/iptables -P INPUT DROP

最后执行 service iptables save ,先确保ssh连接没有问题,防止规则错误,导致无法连上服务器,因为没有save,重启服务器规则都失效,否则就只有去机房才能修改规则了。也可以参考:ubuntu iptables 配置脚本来写一个脚本。

最后再次提醒,在清空规则之前一定要小心,确保Chain INPUT (policy ACCEPT)。

脚本之家补充阿里云的linux_drop_port.sh

  #!/bin/bash  #########################################  #Function: linux drop port  #Usage:  bash linux_drop_port.sh  #Author:  Customer Service Department  #Company:  Alibaba Cloud Computing  #Version:  2.0  #########################################     check_os_release()  {   while true   do   os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null)   os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "release 5" >/dev/null2>&1    then    os_release=redhat5    echo "$os_release"    elif echo "$os_release"|grep "release 6">/dev/null 2>&1    then    os_release=redhat6    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null)   os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "release 5" >/dev/null2>&1    then    os_release=aliyun5    echo "$os_release"    elif echo "$os_release"|grep "release 6">/dev/null 2>&1    then    os_release=aliyun6    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)   os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "release 5" >/dev/null2>&1    then    os_release=centos5    echo "$os_release"    elif echo "$os_release"|grep "release 6">/dev/null 2>&1    then    os_release=centos6    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)   os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1    then    os_release=ubuntu10    echo "$os_release"    elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1    then    os_release=ubuntu1204    echo "$os_release"    elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1    then    os_release=ubuntu1210    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep -i "debian" /etc/issue 2>/dev/null)   os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "Linux 6" >/dev/null2>&1    then    os_release=debian6    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)   os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep"13.1" >/dev/null 2>&1    then    os_release=opensuse131    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   break   done  }     exit_script()  {   echo -e "33[1;40;31mInstall $1 error,will exit.n33[0m"   rm-f $LOCKfile   exit 1  }     config_iptables()  {   iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP   iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP   iptables -I OUTPUT 3 -p udp -j DROP   iptables -nvL  }     ubuntu_config_ufw()  {   ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445   ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186   ufwdeny out proto udp to any   ufwstatus  }     ####################Start###################  #check lock file ,one time only let thescript run one time  LOCKfile=/tmp/.$(basename $0)  if [ -f "$LOCKfile" ]  then   echo -e "33[1;40;31mThe script is already exist,please next timeto run this script.n33[0m"   exit  else   echo -e "33[40;32mStep 1.No lock file,begin to create lock fileand continue.n33[40;37m"   touch $LOCKfile  fi     #check user  if [ $(id -u) != "0" ]  then   echo -e "33[1;40;31mError: You must be root to run this script,please use root to execute this script.n33[0m"   rm-f $LOCKfile   exit 1  fi     echo -e "33[40;32mStep 2.Begen tocheck the OS issue.n33[40;37m"  os_release=$(check_os_release)  if [ "X$os_release" =="X" ]  then   echo -e "33[1;40;31mThe OS does not identify,So this script isnot executede.n33[0m"   rm-f $LOCKfile   exit 0  else   echo -e "33[40;32mThis OS is $os_release.n33[40;37m"  fi     echo -e "33[40;32mStep 3.Begen toconfig firewall.n33[40;37m"  case "$os_release" in  redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)   service iptables start   config_iptables   ;;  debian6)   config_iptables   ;;  ubuntu10|ubuntu1204|ubuntu1210)   ufwenable <<EOF  y  EOF   ubuntu_config_ufw   ;;  opensuse131)   config_iptables   ;;  esac     echo -e "33[40;32mConfig firewallsuccess,this script now exit!n33[40;37m"  rm -f $LOCKfile

上述文件下载到机器内部直接执行即可。

「点点赞赏,手留余香」
    还没有人赞赏,快来当第一个赞赏的人吧!

除特别注明外,本站所有文章均为无双技术网原创,转载请注明出处来自https://www.bnskd.com/3990.html

收藏 打赏 生成封面
阿里云linux服务器上使用iptables设置安全策略的方法 bigger封面
  • 0 个人已赞

相关文章

参与评论