“UbuntuHelp:Router/Firewall”的版本间的差异
来自Ubuntu中文
小 (创建新页面为 '{{From|https://help.ubuntu.com/community/Router/Firewall}} {{Languages|UbuntuHelp:Router/Firewall}} == Basic == Install the Uncomplicated Firewall, package name is '''ufw'''. Th...') |
小 |
||
第2行: | 第2行: | ||
{{Languages|UbuntuHelp:Router/Firewall}} | {{Languages|UbuntuHelp:Router/Firewall}} | ||
== Basic == | == Basic == | ||
− | Install the Uncomplicated Firewall, package name is '''ufw'''. | + | Install the Uncomplicated Firewall, package name is '''ufw'''. Uncomplicated firewall just sets up |
− | + | iptables using a simple syntax, or an extended syntax based on OpenBSD's PF. To use ```ufw``` for | |
+ | routing, you must know iptables and should edit the files in /etc/ufw/*.rules. | ||
== Advanced == | == Advanced == | ||
− | + | The following is a specific example of a firewall script using only iptables. | |
− | The following is a specific example of a firewall script. | + | |
<pre><nowiki> | <pre><nowiki> | ||
#!/bin/sh | #!/bin/sh | ||
− | |||
− | |||
− | |||
− | |||
− | |||
# External (Internet-facing) interface | # External (Internet-facing) interface | ||
第19行: | 第14行: | ||
# External IP address (automatically detected) | # External IP address (automatically detected) | ||
− | EXTIP=" | + | EXTIP=$(/sbin/ip addr show dev "$EXTIF" | perl -lne 'if(/inet (\S+)/){print$1;last}'); |
# Internal interface | # Internal interface | ||
第44行: | 第39行: | ||
− | + | /sbin/iptables-restore <<-EOF; | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | *filter | |
− | + | :INPUT DROP [0:0] | |
− | + | :FORWARD DROP [0:0] | |
− | + | :OUTPUT DROP [0:0] | |
− | + | ||
# INPUT: Incoming traffic from various interfaces # | # INPUT: Incoming traffic from various interfaces # | ||
# Loopback interface is valid | # Loopback interface is valid | ||
− | + | -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT | |
# Local interface, local machines, going anywhere is valid | # Local interface, local machines, going anywhere is valid | ||
− | + | -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT | |
# Remote interface, claiming to be local machines, IP spoofing, get lost | # Remote interface, claiming to be local machines, IP spoofing, get lost | ||
− | + | -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT | |
# External interface, from any source, for ICMP traffic is valid | # External interface, from any source, for ICMP traffic is valid | ||
− | + | -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT | |
# Allow any related traffic coming back to the MASQ server in. | # Allow any related traffic coming back to the MASQ server in. | ||
− | + | -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
# Internal interface, DHCP traffic accepted | # Internal interface, DHCP traffic accepted | ||
− | + | -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT | |
− | + | -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT | |
# External interface, HTTP/HTTPS traffic allowed | # External interface, HTTP/HTTPS traffic allowed | ||
− | + | -A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT | |
− | + | -A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT | |
# External interface, SSH traffic allowed | # External interface, SSH traffic allowed | ||
− | + | -A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT | |
# Catch-all rule, reject anything else | # Catch-all rule, reject anything else | ||
− | + | -A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT | |
第101行: | 第88行: | ||
# Workaround bug in netfilter | # Workaround bug in netfilter | ||
− | + | -A OUTPUT -m conntrack -p icmp --ctstate INVALID -j DROP | |
# Loopback interface is valid. | # Loopback interface is valid. | ||
− | + | -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT | |
# Local interfaces, any source going to local net is valid | # Local interfaces, any source going to local net is valid | ||
− | + | -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT | |
# local interface, MASQ server source going to the local net is valid | # local interface, MASQ server source going to the local net is valid | ||
− | + | -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT | |
# outgoing to local net on remote interface, stuffed routing, deny | # outgoing to local net on remote interface, stuffed routing, deny | ||
− | + | -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT | |
# anything else outgoing on remote interface is valid | # anything else outgoing on remote interface is valid | ||
− | + | -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT | |
# Internal interface, DHCP traffic accepted | # Internal interface, DHCP traffic accepted | ||
− | + | -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT | |
− | + | -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT | |
# Catch all rule, all other outgoing is denied and logged. | # Catch all rule, all other outgoing is denied and logged. | ||
− | + | -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT | |
+ | # Accept solicited tcp packets | ||
+ | -A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
− | # | + | # Allow packets across the internal interface |
+ | -A FORWARD -i $INTIF -o $INTIF -j ACCEPT | ||
− | # - | + | # Forward packets from the internal network to the Internet |
+ | -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT | ||
− | # | + | # Catch-all REJECT rule |
− | + | -A FORWARD -j REJECT | |
− | + | ||
− | + | COMMIT | |
− | # | + | # Address translations (only; there is no actual forwarding done here) |
− | + | *nat | |
+ | :PREROUTING ACCEPT [0:0] | ||
+ | :POSTROUTING ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
− | # | + | # ----- Begin OPTIONAL FORWARD Section ----- |
− | + | ||
− | # | + | #Optionally forward incoming tcp connections on port 1234 to 192.168.0.100 |
− | + | #-A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT | |
+ | #-A PREROUTING -t nat -p tcp -d $EXTIP --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234 | ||
− | # | + | # ----- End OPTIONAL FORWARD Section ----- |
− | + | ||
# IP-Masquerade | # IP-Masquerade | ||
− | + | -A POSTROUTING -o $EXTIF -j MASQUERADE | |
+ | COMMIT | ||
+ | EOF | ||
echo " done." | echo " done." |
2009年11月17日 (二) 20:32的版本
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
Basic
Install the Uncomplicated Firewall, package name is ufw. Uncomplicated firewall just sets up iptables using a simple syntax, or an extended syntax based on OpenBSD's PF. To use ```ufw``` for routing, you must know iptables and should edit the files in /etc/ufw/*.rules.
Advanced
The following is a specific example of a firewall script using only iptables.
#!/bin/sh # External (Internet-facing) interface EXTIF="eth0" # External IP address (automatically detected) EXTIP=$(/sbin/ip addr show dev "$EXTIF" | perl -lne 'if(/inet (\S+)/){print$1;last}'); # Internal interface INTIF="br0" # Internal IP address (in CIDR notation) INTIP="192.168.0.1/32" # Internal network address (in CIDR notation) INTNET="192.168.0.0/24" # The address of anything/everything (in CIDR notation) UNIVERSE="0.0.0.0/0" echo "External: [Interface=$EXTIF] [IP=$EXTIP]" echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]" echo echo -n "Loading rules..." # Enabling IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward /sbin/iptables-restore <<-EOF; *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] # INPUT: Incoming traffic from various interfaces # # Loopback interface is valid -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # Local interface, local machines, going anywhere is valid -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT # Remote interface, claiming to be local machines, IP spoofing, get lost -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT # External interface, from any source, for ICMP traffic is valid -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT # Allow any related traffic coming back to the MASQ server in. -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Internal interface, DHCP traffic accepted -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT # External interface, HTTP/HTTPS traffic allowed -A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT -A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT # External interface, SSH traffic allowed -A INPUT -i $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT # Catch-all rule, reject anything else -A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT # OUTPUT: Outgoing traffic from various interfaces # # Workaround bug in netfilter -A OUTPUT -m conntrack -p icmp --ctstate INVALID -j DROP # Loopback interface is valid. -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # Local interfaces, any source going to local net is valid -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT # local interface, MASQ server source going to the local net is valid -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT # anything else outgoing on remote interface is valid -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT # Internal interface, DHCP traffic accepted -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT # Catch all rule, all other outgoing is denied and logged. -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT # Accept solicited tcp packets -A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Allow packets across the internal interface -A FORWARD -i $INTIF -o $INTIF -j ACCEPT # Forward packets from the internal network to the Internet -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # Catch-all REJECT rule -A FORWARD -j REJECT COMMIT # Address translations (only; there is no actual forwarding done here) *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # ----- Begin OPTIONAL FORWARD Section ----- #Optionally forward incoming tcp connections on port 1234 to 192.168.0.100 #-A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT #-A PREROUTING -t nat -p tcp -d $EXTIP --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234 # ----- End OPTIONAL FORWARD Section ----- # IP-Masquerade -A POSTROUTING -o $EXTIF -j MASQUERADE COMMIT EOF echo " done."