Debian配置iptables

Debian默认已经安装iptables，查看规则iptables -L默认允许所有出入，这是非常不安全的，因此需要对规则进行调整。

编辑配置文件：

/etc/iptables.test.rules  

添加下面的规则，请根据实际情况调整：

*filter    # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0  -A INPUT -i lo -j ACCEPT  -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT    # Accepts all established inbound connections  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # Allows all outbound traffic  # You could modify this to only allow certain traffic  -A OUTPUT -j ACCEPT    # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)  -A INPUT -p tcp --dport 80 -j ACCEPT  -A INPUT -p tcp --dport 443 -j ACCEPT    # Allows SSH connections  # The --dport number is the same as in /etc/ssh/sshd_config  -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT    # Now you should read up on iptables rules and consider whether ssh access  # for everyone is really desired. Most likely you will only allow access from certain IPs.    # Allow ping  #  note that blocking other types of icmp packets is considered a bad idea by some  #  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:  #  https://security.stackexchange.com/questions/22711  -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT    # log iptables denied calls (access via 'dmesg' command)  -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7    # Reject all other inbound - default deny unless explicitly allowed policy:  -A INPUT -j REJECT  -A FORWARD -j REJECT    COMMIT  

激活规则：

iptables-restore < /etc/iptables.test.rules  

保存规则到主配置文件：

iptables-save > /etc/iptables.up.rules  

开机自动加载规则

#编辑配置  /etc/network/if-pre-up.d/iptables  

添加如下内容

#!/bin/sh   /sbin/iptables-restore < /etc/iptables.up.rules  

添加执行权限

chmod +x /etc/network/if-pre-up.d/iptables  

OK,一切皆已搞定，感觉比CentOS的iptables要麻烦一点。

原文出处：faq.xiaoz -> https://faq.xiaoz.me/archives/176.html