欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

阿里云linux服务器上使用iptables设置安全策略的方法

程序员文章站 2023-11-09 11:39:10
公司的产品一直运行在云服务器上,从而有幸接触过aws的ec2,盛大的云服务器,最近准备有使用阿里云的弹性计算(云服务器)。前两种云服务器在安全策略这块做的比较好,提供简单明...

公司的产品一直运行在云服务器上,从而有幸接触过aws的ec2,盛大的云服务器,最近准备有使用阿里云的弹性计算(云服务器)。前两种云服务器在安全策略这块做的比较好,提供简单明了的配置界面,而且给了默认的安全策略,反观阿里云服务器,安全策略需要自己去配置,甚至centos机器上都没有预装iptables(起码我们申请两台上都没有),算好可以使用yum来安装,安装命令如下:

yum install -y iptables

iptables安装好后就可以来配置规则了。由于作为web服务器来使用,所以对外要开放 80 端口,另外肯定要通过ssh进行服务器管理,22 端口也要对外开放,当然最好是把ssh服务的默认端口改掉,在公网上会有很多人试图破解密码的,如果修改端口,记得要把该端口对外开发,否则连不上就悲剧了。下面提供配置规则的详细说明:

第一步:清空所有规则

当chain input (policy drop)时执行/sbin/iptables -f后,你将和服务器断开连接
所有在清空所有规则前把policy drop该为input,防止悲剧发生,小心小心再小心
/sbin/iptables -p input accept
清空所有规则
/sbin/iptables -f
/sbin/iptables -x
计数器置0
/sbin/iptables -z

第二步:设置规则

允许来自于lo接口的数据包,如果没有此规则,你将不能通过127.0.0.1访问本地服务,例如ping 127.0.0.1
/sbin/iptables -a input -i lo -j accept 

开放tcp协议22端口,以便能ssh,如果你是在有固定ip的场所,可以使用 -s 来限定客户端的ip
/sbin/iptables -a input -p tcp --dport 22 -j accept

开放tcp协议80端口供web服务
/sbin/iptables -a input -p tcp --dport 80 -j accept

10.241.121.15是另外一台服务器的内网ip,由于之间有通信,接受所有来自10.241.121.15的tcp请求
/sbin/iptables -a input -p tcp -s 10.241.121.15 -j accept

接受ping
/sbin/iptables -a input -p icmp -m icmp --icmp-type 8 -j accept

这条规则参看:http://www.netingcn.com/iptables-localhost-not-access-internet.html
/sbin/iptables -a input -m state --state established -j accept

屏蔽上述规则以为的所有请求,不可缺少,否则防火墙没有任何过滤的功能
/sbin/iptables -p input drop

可以使用 iptables -l -n 查看规则是否生效

至此防火墙就算配置好,但是这是临时的,当重启iptables或重启机器,上述配置就会被清空,要想永久生效,还需要如下操作:

/etc/init.d/iptables save 
或
service iptables save

执行上述命令可以在文件 /etc/sysconfig/iptables 中看到配置

以下提供一个干净的配置脚本:

/sbin/iptables -p input accept
/sbin/iptables -f
/sbin/iptables -x
/sbin/iptables -z

/sbin/iptables -a input -i lo -j accept 
/sbin/iptables -a input -p tcp --dport 22 -j accept
/sbin/iptables -a input -p tcp --dport 80 -j accept
/sbin/iptables -a input -p tcp -s 10.241.121.15 -j accept
/sbin/iptables -a input -p icmp -m icmp --icmp-type 8 -j accept
/sbin/iptables -a input -m state --state established -j accept
/sbin/iptables -p input drop

最后执行 service iptables save ,先确保ssh连接没有问题,防止规则错误,导致无法连上服务器,因为没有save,重启服务器规则都失效,否则就只有去机房才能修改规则了。也可以参考:ubuntu iptables 配置脚本来写一个脚本。

最后再次提醒,在清空规则之前一定要小心,确保chain input (policy accept)。

补充阿里云的linux_drop_port.sh

#!/bin/bash
#########################################
#function: linux drop port
#usage:  bash linux_drop_port.sh
#author:  customer service department
#company:  alibaba cloud computing
#version:  2.0
#########################################
 
check_os_release()
{
 while true
 do
 os_release=$(grep "red hat enterprise linux server release"/etc/issue 2>/dev/null)
 os_release_2=$(grep "red hat enterprise linux server release"/etc/redhat-release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "release 5" >/dev/null2>&1
  then
  os_release=redhat5
  echo "$os_release"
  elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  then
  os_release=redhat6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "aliyun linux release" /etc/issue2>/dev/null)
 os_release_2=$(grep "aliyun linux release" /etc/aliyun-release2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "release 5" >/dev/null2>&1
  then
  os_release=aliyun5
  echo "$os_release"
  elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  then
  os_release=aliyun6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "centos release" /etc/issue 2>/dev/null)
 os_release_2=$(grep "centos release" /etc/*release2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "release 5" >/dev/null2>&1
  then
  os_release=centos5
  echo "$os_release"
  elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  then
  os_release=centos6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
 os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "ubuntu 10" >/dev/null2>&1
  then
  os_release=ubuntu10
  echo "$os_release"
  elif echo "$os_release"|grep "ubuntu 12.04">/dev/null 2>&1
  then
  os_release=ubuntu1204
  echo "$os_release"
  elif echo "$os_release"|grep "ubuntu 12.10">/dev/null 2>&1
  then
  os_release=ubuntu1210
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
 os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "linux 6" >/dev/null2>&1
  then
  os_release=debian6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "opensuse" /etc/issue 2>/dev/null)
 os_release_2=$(grep "opensuse" /etc/*release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep"13.1" >/dev/null 2>&1
  then
  os_release=opensuse131
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 break
 done
}
 
exit_script()
{
 echo -e "\033[1;40;31minstall $1 error,will exit.\n\033[0m"
 rm-f $lockfile
 exit 1
}
 
config_iptables()
{
 iptables -i output 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j drop
 iptables -i output 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j drop
 iptables -i output 3 -p udp -j drop
 iptables -nvl
}
 
ubuntu_config_ufw()
{
 ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
 ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
 ufwdeny out proto udp to any
 ufwstatus
}
 
####################start###################
#check lock file ,one time only let thescript run one time
lockfile=/tmp/.$(basename $0)
if [ -f "$lockfile" ]
then
 echo -e "\033[1;40;31mthe script is already exist,please next timeto run this script.\n\033[0m"
 exit
else
 echo -e "\033[40;32mstep 1.no lock file,begin to create lock fileand continue.\n\033[40;37m"
 touch $lockfile
fi
 
#check user
if [ $(id -u) != "0" ]
then
 echo -e "\033[1;40;31merror: you must be root to run this script,please use root to execute this script.\n\033[0m"
 rm-f $lockfile
 exit 1
fi
 
echo -e "\033[40;32mstep 2.begen tocheck the os issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "x$os_release" =="x" ]
then
 echo -e "\033[1;40;31mthe os does not identify,so this script isnot executede.\n\033[0m"
 rm-f $lockfile
 exit 0
else
 echo -e "\033[40;32mthis os is $os_release.\n\033[40;37m"
fi
 
echo -e "\033[40;32mstep 3.begen toconfig firewall.\n\033[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
 service iptables start
 config_iptables
 ;;
debian6)
 config_iptables
 ;;
ubuntu10|ubuntu1204|ubuntu1210)
 ufwenable <<eof
y
eof
 ubuntu_config_ufw
 ;;
opensuse131)
 config_iptables
 ;;
esac
 
echo -e "\033[40;32mconfig firewallsuccess,this script now exit!\n\033[40;37m"
rm -f $lockfile

上述文件下载到机器内部直接执行即可。