The servers I used previously ran CentOS, which did not enable a firewall by default, so http/https access worked without opening ports 80 and 443. After switching to Debian 9 recently, I found that https access to the web service was being blocked, so I looked into configuring the iptables firewall.
System requirements:
Debian 6.x/7.x or later
Configuration steps
1. First, confirm that iptables is installed on your system
Open an SSH terminal and run `whereis iptables`
If it prints something like the following, iptables is already installed:
```
root@debian:~# whereis iptables
iptables: /sbin/iptables /etc/iptables.rules /usr/share/iptables /usr/share/man/man8/iptables.8.gz
root@debian:~#
```
If it is not, install iptables first:
```sh
apt-get install iptables
```
2. After installation, check which ports iptables currently allows
```
root@debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@debian:~#
```
By default there are no rules at all: every chain is empty with policy ACCEPT.
3. Configure iptables
Edit the rules file, /etc/iptables.rules (the path that step 4 loads), and add the following:
```
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-I INPUT -p tcp --dport 8888 -j ACCEPT
-I INPUT -p udp --dport 8888 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed
```
Press ESC, then type :wq to save and exit.
This is only a simple template: it allows TCP ports 22, 80 and 443, plus port 8888 on both TCP and UDP, and rejects everything else arriving on INPUT and FORWARD. Adjust it to your own needs.
4. Load the rules from iptables.rules
```
root@debian:~# iptables-restore < /etc/iptables.rules
root@debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8888
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8888
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
```
You can see that the rules have been loaded. Note that the two 8888 rules were added with -I, so they sit at the top of the chain, ahead of the rules appended with -A.
5. Load the rules at boot
Create the script with `vim /etc/network/if-pre-up.d/iptables`
and add:
```sh
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules
```
Press ESC, then type :wq to save and exit, and make the script executable:
```sh
chmod +x /etc/network/if-pre-up.d/iptables
```
That's it. Reboot and check whether the rules are loaded correctly:
```
root@debian:~# reboot
root@debian:~# iptables -L
```
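As an added example (not part of the original post), a small POSIX shell audit script for a rules file in the iptables-save format used above: it lists every port the INPUT chain explicitly accepts, and rebuilds the effective chain order (-I prepends, -A appends) to confirm the chain still ends in the catch-all REJECT, so the file can be checked before it is loaded with iptables-restore. The sample ruleset embedded in it is constructed from the template in step 3; the function names are my own.

```shell
#!/bin/sh
# Offline audit of an iptables-save style rules file; both checks read the rules on stdin.

# Constructed sample ruleset with the same shape as the template in step 3.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-I INPUT -p tcp --dport 8888 -j ACCEPT
-I INPUT -p udp --dport 8888 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print every "proto port" the INPUT chain explicitly accepts, one per line,
# so the opened ports can be compared with what the host is meant to expose.
accepted_input_ports() {
  awk '/^-[IA] INPUT / && / -j ACCEPT/ {
         proto = ""; port = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "-p") proto = $(i + 1)
           if ($i == "--dport") port = $(i + 1)
         }
         if (proto != "" && port != "") print proto, port
       }' | LC_ALL=C sort -u
}

# Rebuild the effective INPUT order (-I prepends, -A appends; -I with an explicit
# rule number is not handled) and succeed only if the final rule is a catch-all
# REJECT/DROP, i.e. anything not explicitly allowed is refused despite policy ACCEPT.
input_ends_with_catchall_deny() {
  awk '/^-I INPUT / { front = $0 "\n" front; next }
       /^-A INPUT / { back = back $0 "\n" }
       END {
         n = split(front back, rule, "\n")
         last = ""
         for (i = n; i >= 1; i--) if (rule[i] != "") { last = rule[i]; break }
         if (last ~ /^-[IA] INPUT -j (REJECT|DROP)( |$)/) exit 0; exit 1
       }'
}

printf '%s\n' "$SAMPLE_RULES" | accepted_input_ports
printf '%s\n' "$SAMPLE_RULES" | input_ends_with_catchall_deny && echo "INPUT chain ends with a catch-all deny"
```

To audit the real file, pipe it in instead of the sample (`input_ends_with_catchall_deny < /etc/iptables.rules`); `iptables-restore --test < /etc/iptables.rules` additionally parses the file without committing it.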