
Getting started with web server firewall configuration

April 18, 2019 / 53 reads
Website security

I finally ran into this problem and started paying attention to the firewall configuration of my web server.

 

My current server on Alibaba Cloud runs Ubuntu. I checked iptables and got the following:

xinlin@iZ239r252v4Z:~$ sudo iptables -L -n
[sudo] password for xinlin:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

There is no configuration at all: every chain is empty with policy ACCEPT, which means iptables on Alibaba Cloud's Ubuntu image is not filtering anything and lets all traffic through.

Alibaba Cloud has security groups, though, and configuring the rules in the security group achieves the same result.

Ubuntu has its own firewall configuration tool, ufw.

xinlin@iZ239r252v4Z:~$ which ufw
/usr/sbin/ufw
xinlin@iZ239r252v4Z:~$ service ufw status
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2019-03-08 03:33:29 CST; 1 months 11 days ago
Main PID: 188 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ufw.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

The service is present, but ufw is not enabled by default.

 

While tinkering with a CentOS 7 virtual machine, I compiled and installed Apache, but after starting it I could not reach the bundled test page.

The reason is the CentOS 7 iptables configuration: you have to add a rule to the INPUT chain by hand that allows traffic to port 80.

Below is the initial iptables configuration of CentOS 7 (minimal install):

[xinlin@promote ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination

The CentOS iptables configuration is clearly much more complex, reflecting the cautious attitude of the Red Hat family of distributions.

If you choose a server that is not on Alibaba Cloud, you may have to open certain ports yourself, for example ports 80 and 443. If you install Apache or Nginx on CentOS and cannot reach the test page, this is very likely the problem: you need to configure iptables manually and open the port.

On CentOS 7, firewalld has replaced iptables: the iptables service cannot be found on the system, only the firewalld service.

[xinlin@promote ~]$ service iptables status
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
[xinlin@promote ~]$ service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-04-18 12:45:02 CST; 2h 20min ago
Docs: man:firewalld(1)
Main PID: 685 (firewalld)
CGroup: /system.slice/firewalld.service
└─685 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 18 12:45:02 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 18 12:45:02 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[xinlin@promote ~]$ ps -e | grep firewalld
685 ? 00:00:00 firewalld

Check whether port 80 is open:

[xinlin@promote ~]$ sudo firewall-cmd --query-port=80/tcp
no
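Putting the two hosts side by side, as an added example that is not part of the original post: a small POSIX sh script that decides from "iptables -L -n" output whether inbound TCP to a port is reachable, using constructed listings that mirror the empty Ubuntu ruleset and the CentOS 7 IN_public_allow chain above, plus a helper that opens web ports through firewall-cmd, ufw or raw iptables. The function names and the DRY_RUN switch are my own; firewall-cmd --permanent --add-port, --reload and --query-port are real firewalld options.

```shell
#!/bin/sh
# Added example (not from the original post). Decide from "iptables -L -n"
# output whether inbound TCP to a port is accepted, then open web ports with
# whichever front end the host has. The rule listings are constructed to
# match the two cases in the post: empty Ubuntu ruleset, CentOS 7 minimal.
UBUNTU_RULES='Chain INPUT (policy ACCEPT)
target prot opt source destination'
CENTOS_RULES='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW'

# tcp_port_open RULES PORT -> prints open/closed. An explicit "ACCEPT tcp ...
# dpt:PORT" in any chain means open; otherwise the port is reachable only if
# INPUT has policy ACCEPT and no catch-all REJECT/DROP (the Ubuntu case).
tcp_port_open() {
    rules=$1; port=$2
    if printf '%s\n' "$rules" | grep -Eq "^ACCEPT +tcp .*dpt:${port}( |$)"; then
        echo open; return 0
    fi
    input=$(printf '%s\n' "$rules" | awk '/^Chain INPUT /{f=1;next} /^Chain /{f=0} f')
    if printf '%s\n' "$rules" | grep -q '^Chain INPUT (policy ACCEPT)' &&
       ! printf '%s\n' "$input" | grep -Eq '^(REJECT|DROP) +all '; then
        echo open; return 0
    fi
    echo closed; return 1
}
# run CMD...: execute with sudo, or only print the command when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else sudo "$@"; fi; }
# open_web_ports PORT...: firewalld (CentOS 7), ufw (Ubuntu) or raw iptables.
open_web_ports() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        for p in "$@"; do run firewall-cmd --permanent --add-port="$p/tcp"; done
        run firewall-cmd --reload
    elif command -v ufw >/dev/null 2>&1; then
        for p in "$@"; do run ufw allow "$p/tcp"; done
    else
        for p in "$@"; do
            run iptables -I INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
        done
    fi
}
tcp_port_open "$UBUNTU_RULES" 80        # open: nothing filters on this host
DRY_RUN=1 open_web_ports 80 443         # prints the commands it would run
```

After a real run on CentOS 7, "sudo firewall-cmd --query-port=80/tcp" should answer yes instead of the no shown above.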

 

Whether it is ufw on Ubuntu or firewalld on CentOS (and Red Hat), iptables is underneath doing the work.

Permalink: https://www.maixj.net/wz/server-iptables-21015

Comments

1 comment on "Getting started with web server firewall configuration"

  • 麦新杰

    The notes in this post are too messy.
