https://wiki.linuxsa.org/index.php?action=history&feed=atom&title=Debian_iptables%E9%98%B2%E7%81%AB%E5%A2%99%E5%9F%BA%E7%A1%80
Debian iptables防火墙基础 - 版本历史
2026-04-17T10:07:35Z
本wiki上该页面的版本历史
MediaWiki 1.43.1
https://wiki.linuxsa.org/index.php?title=Debian_iptables%E9%98%B2%E7%81%AB%E5%A2%99%E5%9F%BA%E7%A1%80&diff=268&oldid=prev
2020年2月27日 (四) 09:03 Evan
2020-02-27T09:03:32Z
<p></p>
<p><b>新页面</b></p><div>=Notice=<br />
建议这个 firewalld 能安装 但是使用有点问题 放弃 2020<br />
[[Ufw on debian]]<br />
=install =<br />
apt install iptables<br />
Debian已有firewalld 放弃iptables<br />
<br />
好像系统是自带的呢<br />
<br />
<br />
[[Debian配置iptables]]<br />
<br />
=来几个小例子=<br />
<pre><br />
#这个多端口应该是不行的 <br />
iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j ACCEPT<br />
<br />
iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j DROP <br />
<br />
iptables -L -n --line-number<br />
<br />
查看设置的规则: sudo iptables -nvL --line-numbers<br />
插入一条规则到INPUT链第6的位置: sudo iptables -I INPUT 6 -j DROP <br />
修改INPUT链的第6条规则: sudo iptables -R INPUT 6 -j ACCEPT <br />
删除INPUT链第6条规则: sudo iptables -D INPUT 6<br />
<br />
#保存配置 但是这个保存 机器重启就没了<br />
iptables-save<br />
</pre><br />
<br />
==官方例子==<br />
<pre><br />
*filter<br />
<br />
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT<br />
<br />
# Accepts all established inbound connections<br />
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
<br />
# Allows all outbound traffic<br />
# You could modify this to only allow certain traffic<br />
-A OUTPUT -j ACCEPT<br />
<br />
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
<br />
# Allows SSH connections for script kiddies<br />
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE<br />
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT<br />
<br />
# Now you should read up on iptables rules and consider whether ssh access<br />
# for everyone is really desired. Most likely you will only allow access from certain IPs.<br />
<br />
# Allow ping<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT<br />
<br />
# log iptables denied calls (access via 'dmesg' command)<br />
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7<br />
<br />
# Reject all other inbound - default deny unless explicitly allowed policy:<br />
-A INPUT -j REJECT<br />
-A FORWARD -j REJECT<br />
<br />
COMMIT<br />
</pre><br />
<br />
<br />
=开机自启动 自动加载实现=<br />
<br />
== iptables-persistent==<br />
<pre><br />
apt install iptables-persistent<br />
<br />
Save your firewall rules with this command:<br />
<br />
debain9 or Ubuntu 16.04 Server<br />
netfilter-persistent save #这个为保存 <br />
netfilter-persistent reload<br />
<br />
用iptables 删除的 好像不生效 只能在 配置 文件 /etc/iptables/rules.v4 删除 <br />
</pre><br />
<br />
== 写入文件 ==<br />
<pre><br />
1、将iptables配置保存到/etc/iptables,这个文件名可以自己定义,与下面的配置一致即可<br />
<br />
iptables-save > /etc/iptables<br />
<br />
2、创建自启动配置文件,并授于可执行权限<br />
touch /etc/network/if-pre-up.d/iptables<br />
chmod +x /etc/network/if-pre-up.d/iptables<br />
<br />
3、编辑该自启动配置文件,内容为启动网络时恢复iptables配置<br />
vim /etc/network/if-pre-up.d/iptables<br />
<br />
文件内容如下:<br />
#!/bin/sh<br />
/sbin/iptables-restore < /etc/iptables<br />
<br />
4、:wq保存配置文件并退出即可,以后在修改完iptables配置之后只要再次执行下面的命令保存即可<br />
iptables-save > /etc/iptables<br />
<br />
</pre><br />
<br />
<br />
https://packages.debian.org/search?keywords=iptables-persistent<br />
<br />
=参考=<br />
<br />
https://wiki.debian.org/iptables<br />
<br />
https://wiki.debian.org/DebianFirewall<br />
<br />
<br />
[http://www.slyar.com/blog/vps-debian-iptables.html VPS安全之iptables基本配置(Debian)]<br />
<br />
[http://blog.linuxchina.net/?p=2813 myblog Ubuntu使用ufw或iptables配置防火墙]<br />
<br />
[https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently Saving Iptables Firewall Rules Permanently]<br />
<br />
[http://chuansong.me/n/1490519851248 Debian/Ubuntu下使用iptables-persistent持久化iptables规则]<br />
<br />
[https://linuxconfig.org/how-to-install-missing-ifconfig-command-on-debian-linux How to install missing ifconfig command on Debian ]<br />
<br />
[http://salogs.com/news/2015/08/20/iptables-save/ 保存iptable规则并开机自动加载]<br />
<br />
[https://www.tennfy.com/2552.html Debian VPS下使用iptables防火墙]<br />
<br />
<br />
[[category:ops]] [[category:Security]]</div>
Evan