https://wiki.linuxsa.org/index.php?action=history&feed=atom&title=Debian%E9%85%8D%E7%BD%AEiptables
Debian配置iptables - 版本历史
2026-04-23T09:21:17Z
本wiki上该页面的版本历史
MediaWiki 1.43.1
https://wiki.linuxsa.org/index.php?title=Debian%E9%85%8D%E7%BD%AEiptables&diff=276&oldid=prev
2020年2月26日 (三) 02:54 Evan
2020-02-26T02:54:44Z
<p></p>
<p><b>新页面</b></p><div>=iptables=<br />
Debian已有firewalld 放弃iptables<br />
Debian默认已经安装iptables,查看规则iptables -L默认允许所有出入,这是非常不安全的,因此需要对规则进行调整。<br />
<br />
编辑配置文件:<br />
vim /etc/iptables.up.rules<br />
<br />
添加下面的规则,请根据实际情况调整:<br />
<pre><br />
*filter<br />
<br />
#ssh<br />
-A INPUT -p tcp --dport 22 -j ACCEPT<br />
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT<br />
<br />
# Accepts all established inbound connections<br />
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
<br />
# Allows all outbound traffic<br />
# You could modify this to only allow certain traffic<br />
-A OUTPUT -j ACCEPT<br />
<br />
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)<br />
#-A INPUT -p tcp --dport 80 -j ACCEPT<br />
#-A INPUT -p tcp --dport 80 -j ACCEPT<br />
<br />
# Allows SSH connections <br />
# The --dport number is the same as in /etc/ssh/sshd_config<br />
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT<br />
<br />
# Now you should read up on iptables rules and consider whether ssh access <br />
# for everyone is really desired. Most likely you will only allow access from certain IPs.<br />
<br />
# Allow ping<br />
# note that blocking other types of icmp packets is considered a bad idea by some<br />
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:<br />
# https://security.stackexchange.com/questions/22711<br />
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT<br />
<br />
# log iptables denied calls (access via 'dmesg' command)<br />
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7<br />
<br />
# Reject all other inbound - default deny unless explicitly allowed policy:<br />
-A INPUT -j REJECT<br />
-A FORWARD -j REJECT<br />
<br />
COMMIT </pre><br />
<br />
激活规则:<br />
iptables-restore < /etc/iptables.test.rules<br />
<br />
开机自动加载规则<br />
编辑配置<br />
vi /etc/network/if-pre-up.d/iptables<br />
<br />
添加如下内容<br />
<pre><br />
#!/bin/sh<br />
/sbin/iptables-restore < /etc/iptables.up.rules</pre><br />
<br />
添加执行权限<br />
chmod +x /etc/network/if-pre-up.d/iptables<br />
<br />
保存规则到主配置文件:<br />
iptables-save > /etc/iptables.up.rules<br />
<br />
=参考=<br />
[[大话iptables]]<br />
<br />
[[Iptables模块]]<br />
<br />
[https://www.centos.bz/2017/10/debian%E9%85%8D%E7%BD%AEiptables/ Debian配置iptables]<br />
<br />
https://wiki.debian.org/iptables<br />
<br />
[[category:debian]] [[category:Security]] [[category:ops]]</div>
Evan