December 2024

Example iptables rules and their ufw equivalents

iptables

iptables contents:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Common rules
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5599 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 5599 -j ACCEPT

# Passive output rules (when you need to listen on a port, add the rule in this section)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7001 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 7001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3300 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 3300 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2404 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 2404 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 102 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 102 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6379 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 6379 -j ACCEPT

# Active output rules (when you need to connect to another machine, add the rule in this section. MUST specify -s local ip and -d destination ip)
# This sample allows the local machine (192.168.120.8) to connect to 192.168.120.5:1521 (Oracle)
#-A INPUT -i eth3 -p tcp -m tcp -d 100.168.0.150 -s 100.168.0.213 -j ACCEPT
#-A OUTPUT -o eth3 -p tcp -m tcp -s 100.168.0.150 -d 100.168.0.213 --dport 1521 -j ACCEPT
# This sample allows the local machine (192.168.120.8) to connect to 192.168.120.1-192.168.120.255 (any port) via eth3
# and allows 192.168.120.1-192.168.120.255 to connect to the local machine (192.168.120.8) (any port) via eth3.
-A INPUT -i eth1 -p tcp -m tcp -d 198.122.0.150 -s 198.122.0.0/16 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp -s 198.122.0.150 -d 198.122.0.0/16 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp -d 198.122.0.150 -s 198.122.0.0/16 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp -s 198.122.0.150 -d 198.122.0.0/16 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp -d 10.123.16.150 -s 10.123.16.0/16 -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp -s 10.123.16.150 -d 10.123.16.0/16 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp -d 10.123.16.150 -s 10.123.16.0/16 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp -s 10.123.16.150 -d 10.123.16.0/16 -j ACCEPT
-A INPUT -i eth3 -p tcp -m tcp -d 100.168.0.150 -s 100.168.0.0/16 -j ACCEPT
-A OUTPUT -o eth3 -p tcp -m tcp -s 100.168.0.150 -d 100.168.0.0/16 -j ACCEPT
-A INPUT -i eth3 -p udp -m udp -d 100.168.0.150 -s 100.168.0.0/16 -j ACCEPT
-A OUTPUT -o eth3 -p udp -m udp -s 100.168.0.150 -d 100.168.0.0/16 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Explanation:

1. Default policies

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
  • The default policy is to drop all traffic (DROP).
  • All incoming, forwarded and outgoing traffic must match an explicit rule, otherwise it is dropped.

2. Basic rules

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Allow traffic belonging to existing connections and related connections.
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
  • Allow ICMP (ping) traffic.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
  • Allow loopback traffic.

3. SSH service

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 22 -j ACCEPT
  • Allow new inbound connections to the SSH service (TCP port 22) and its outbound responses.

4. Open specific ports

  • Several passively listening ports are configured (such as 5599, 7001 and 3306), each with its own inbound and outbound rule.

5. Network segment access

-A INPUT -i eth1 -p tcp -m tcp -d 198.122.0.150 -s 198.122.0.0/16 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp -s 198.122.0.150 -d 198.122.0.0/16 -j ACCEPT
  • Allow TCP traffic on interface eth1 between the local address 198.122.0.150 and the 198.122.0.0/16 segment.

UFW

Equivalent conversion / migration:

ufw has to be downloaded as a package from an online mirror and then uploaded to the substation server for offline installation.

1. Enable ufw after installation (all commands are run as root)

ufw enable

2. Configure the default policies (deny all inbound and outbound access by default)

ufw default deny incoming
ufw default deny outgoing
ufw default deny routed

If this is not a hard requirement, the outgoing and routed traffic policies can be left as allow.

In that case the default policy is:

ufw default deny incoming
ufw default allow outgoing

Then immediately open the SSH port (to avoid losing the connection; the current session survives because ufw already accepts established traffic, but new SSH logins are blocked until this rule exists):

ufw allow in proto tcp to any port 22
#ufw allow out proto tcp from any port 22  (run this only if outgoing traffic is denied)

Note the SSH port: if it is not 22, change it to the port actually in use.

3. Add the basic rules

Add the corresponding rules one by one:

  1. Allow established and related connections

    No ufw command is needed here: the ufw command line has no "state" option (a rule such as "ufw allow in proto tcp from any to any state ESTABLISHED,RELATED" is rejected as invalid), and the default /etc/ufw/before.rules already accepts RELATED,ESTABLISHED traffic on both the input and the output chain, regardless of the default policies.
  2. Allow ICMP traffic

    The ufw command line does not accept "proto icmp" either. Inbound ICMP (echo-request, destination-unreachable, time-exceeded and parameter-problem) is already accepted by /etc/ufw/before.rules. If outgoing traffic is denied and the host must be able to ping out, add a matching ACCEPT rule for outbound ICMP to the ufw-before-output chain in /etc/ufw/before.rules and reload ufw; do not try to express it as a ufw allow command.
  3. Allow loopback traffic

    ufw allow in on lo
    #ufw allow out on lo  (run this only if outgoing traffic is denied)

    Both loopback rules are already present in /etc/ufw/before.rules, so these commands are harmless but redundant.

4. Open the specified ports

Add the open ports one by one.

Example of opening the passively listening ports:

ufw allow in proto tcp to any port 5599
#ufw allow out proto tcp from any port 5599  (run this only if outgoing traffic is denied)
ufw allow in proto tcp to any port 7001
#ufw allow out proto tcp from any port 7001  (run this only if outgoing traffic is denied)

Run the same commands for the remaining ports in turn.

5. Network segment access rules

Set allow rules for the specific interfaces and network segments:

  1. Traffic for the 198.122.0.0/16 segment

    ufw allow in on eth1 proto tcp from 198.122.0.0/16 to 198.122.0.150
    #ufw allow out on eth1 proto tcp from 198.122.0.150 to 198.122.0.0/16  (run this only if outgoing traffic is denied)
    ufw allow in on eth1 proto udp from 198.122.0.0/16 to 198.122.0.150
    #ufw allow out on eth1 proto udp from 198.122.0.150 to 198.122.0.0/16  (run this only if outgoing traffic is denied)
  2. Traffic for the 10.123.16.0/16 segment

    ufw allow in on eth2 proto tcp from 10.123.16.0/16 to 10.123.16.150
    #ufw allow out on eth2 proto tcp from 10.123.16.150 to 10.123.16.0/16  (run this only if outgoing traffic is denied)
    ufw allow in on eth2 proto udp from 10.123.16.0/16 to 10.123.16.150
    #ufw allow out on eth2 proto udp from 10.123.16.150 to 10.123.16.0/16  (run this only if outgoing traffic is denied)
  3. Traffic for the 100.168.0.0/16 segment

    ufw allow in on eth3 proto tcp from 100.168.0.0/16 to 100.168.0.150
    #ufw allow out on eth3 proto tcp from 100.168.0.150 to 100.168.0.0/16  (run this only if outgoing traffic is denied)
    ufw allow in on eth3 proto udp from 100.168.0.0/16 to 100.168.0.150
    #ufw allow out on eth3 proto udp from 100.168.0.150 to 100.168.0.0/16  (run this only if outgoing traffic is denied)
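To make the mapping used in steps 3 to 5 mechanical, here is an added Python converter (not part of the original post, and not a ufw or iptables tool; the function names parse_rule, to_ufw and convert are my own) that reads rules in the iptables-save format shown above and returns the ufw commands that still need to be run. Rules that ufw's default /etc/ufw/before.rules already covers (RELATED,ESTABLISHED, loopback, inbound ICMP) are skipped, and OUTPUT rules are emitted only when outgoing traffic is denied; the embedded sample is a constructed subset of the file above.

```python
import shlex

# Constructed sample in the iptables-save format used on this page (not the full file).
SAMPLE_RULES = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp -d 198.122.0.150 -s 198.122.0.0/16 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp -s 198.122.0.150 -d 198.122.0.0/16 -j ACCEPT
COMMIT
"""
VALUE_OPTS = ("-A", "-p", "-i", "-o", "-s", "-d", "-j", "--dport", "--sport", "--state")

def parse_rule(line):
    """Map the options of one '-A CHAIN ...' line to their values ('-m tcp' is dropped)."""
    tokens = shlex.split(line)
    return {t: tokens[i + 1] for i, t in enumerate(tokens) if t in VALUE_OPTS and i + 1 < len(tokens)}

def to_ufw(line, outgoing_denied=False):
    """Return the ufw command for one rule, or None when ufw already covers it."""
    o = parse_rule(line)
    if o.get("-A") not in ("INPUT", "OUTPUT") or o.get("-j") != "ACCEPT":
        return None
    direction = "in" if o["-A"] == "INPUT" else "out"
    # /etc/ufw/before.rules already accepts RELATED,ESTABLISHED, loopback and the usual
    # inbound ICMP types, and the ufw CLI has no 'state' or 'proto icmp' option.
    if o.get("-p") == "icmp" or "lo" in (o.get("-i"), o.get("-o")):
        return None
    if "--state" in o and "--dport" not in o and "--sport" not in o:
        return None
    if direction == "out" and not outgoing_denied:
        return None  # with 'ufw default allow outgoing' the OUTPUT rules are redundant
    parts = ["ufw", "allow", direction]
    iface = o.get("-i") or o.get("-o")
    if iface:
        parts += ["on", iface]
    if "-p" in o:
        parts += ["proto", o["-p"]]
    src = o.get("-s", "any") + (f" port {o['--sport']}" if "--sport" in o else "")
    dst = o.get("-d", "any") + (f" port {o['--dport']}" if "--dport" in o else "")
    return " ".join(parts + ["from", src, "to", dst])

def convert(text, outgoing_denied=False):
    """Convert a whole iptables-save style dump into the ufw commands that still need running."""
    cmds = [to_ufw(ln, outgoing_denied) for ln in text.splitlines() if ln.startswith("-A")]
    return [c for c in cmds if c]
```

Run convert() on the real file's contents with outgoing_denied=True to get the full list for the deny-outgoing variant, then review each command before applying it.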