Using iptables

Time: 2016-01-17 12:30:13

Tags: ssh virtual-machine iptables

I wrote the following iptables rules, but there is a problem: I can't ssh to my vmware machine. What should I do?

#!/bin/bash

ip=`hostname -I| awk '{print $1}'`
LOOP=127.0.0.1
if=eth0

# Clear any previous rules.
iptables -F

# Default drop policy.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i $if -s $LOOP -j DROP
iptables -A FORWARD -i $if -s $LOOP -j DROP
iptables -A INPUT -i $if -d $LOOP -j DROP
iptables -A FORWARD -i $if -d $LOOP -j DROP

# Drop any tcp packet that does not start a connection with a syn flag.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "Dropping any tcp packet that doesn't start a connection with a syn flag!"

# Drop any invalid packet that could not be identified.
iptables -A INPUT -m state --state INVALID -j DROP

# Drop invalid packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

#Allow working on localhost
iptables -A INPUT -i lo -s $LOOP -d $LOOP -j ACCEPT
iptables -A OUTPUT -o lo -s $LOOP -d $LOOP -j ACCEPT

#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT 
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Opening outgoing traffic
iptables -A OUTPUT -o $if -s $ip -j ACCEPT
iptables -A INPUT -i $if -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables -A INPUT -i $if -s x.x.x.x -j ACCEPT #The ip of my local virtual machine
iptables -A OUTPUT -o $if -m state --state ESTABLISHED,RELATED -j DROP

Also, the output of:
$ sudo iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW /* Dropping any tcp packet that doesn't start a connection with a syn flag! */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
   14  3687 ACCEPT     all  --  lo     *       127.0.0.1            127.0.0.1           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
  808  280K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       x.x.x.x      0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1           

Chain OUTPUT (policy DROP 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   14  3687 ACCEPT     all  --  *      lo      127.0.0.1            127.0.0.1           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 1087  167K ACCEPT     all  --  *      eth0    y.y.y.y           0.0.0.0/0           
    0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Update

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
    9  3427 ACCEPT     all  --  lo     *       127.0.0.1            127.0.0.1           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
  751  418K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       x.x.x.x      0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1           

Chain OUTPUT (policy DROP 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9  3427 ACCEPT     all  --  *      lo      127.0.0.1            127.0.0.1           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  795  152K ACCEPT     all  --  *      eth0    y.y.y.y           0.0.0.0/0

2 answers:

Answer 0: (score: -1)

Open the incoming connection to port 22.

The ESTABLISHED,RELATED rule (which you already have) should sort out the rest.

Answer 1: (score: -1)

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
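As an added example (not code from the question or either answer), a small first-match simulator over an `iptables -L -nv` listing traces why a fresh SSH SYN falls through to the INPUT chain's DROP policy and how the rule from answer 1 changes that. It assumes constructed addresses (192.0.2.10 standing in for the page's x.x.x.x, 198.51.100.7 for the SSH client) and models only the match types that appear in the posted listing.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed, abridged copy of the poster's original INPUT chain (192.0.2.10 = x.x.x.x).
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
  808  280K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       192.0.2.10           0.0.0.0/0
"""
# The rule answer 1 proposes, as it would appear appended to the listing.
SSH_RULE = "    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22\n"

def parse(text):
    """Return {chain: (policy, [rule dicts])} from `iptables -L -nv` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            cur = chains.setdefault(m.group(1), (m.group(2), []))
        elif cur and line.strip() and line.split()[0] != "pkts":
            f = line.split(None, 9) + [""]      # pad so the 'extra' column always exists
            cur[1].append(dict(target=f[2], prot=f[3], iif=f[5], oif=f[6],
                               src=f[7], dst=f[8], extra=f[9]))
    return chains

def matches(r, p):
    """Does rule r match packet p? Models only the match types on this page."""
    e = r["extra"]
    state = re.search(r"state (\S+)", e)
    dpt = re.search(r"dpt:(\d+)", e)
    flg = re.search(r"flags:(!?)(0x[0-9a-f]+)/(0x[0-9a-f]+)", e, re.I)
    ok = (r["prot"] in ("all", p["prot"]) and r["iif"] in ("*", p["iif"])
          and ip_address(p["src"]) in ip_network(r["src"])
          and (not state or p["state"] in state.group(1).split(","))
          and (not dpt or p["dport"] == int(dpt.group(1))))
    if ok and flg:  # --tcp-flags MASK CMP means (flags & MASK) == CMP; "!" negates
        hit = (p["flags"] & int(flg.group(2), 16)) == int(flg.group(3), 16)
        ok = hit != bool(flg.group(1))
    return ok

def verdict(text, chain, pkt):
    """First-match walk of one chain; no match falls through to the chain policy."""
    policy, rules = parse(text)[chain]
    return next((r["target"] for r in rules if matches(r, pkt)), policy + " (policy)")

# Constructed packets: a fresh SSH SYN from a client that is not the VM, the same
# SYN from the VM's own accepted address, and a stray ACK that belongs to no connection.
NEW_SYN = dict(prot="tcp", iif="eth0", src="198.51.100.7", dport=22, state="NEW", flags=0x02)
VM_SYN = dict(NEW_SYN, src="192.0.2.10")
STRAY_ACK = dict(NEW_SYN, flags=0x10)
```

Walking `NEW_SYN` through `LISTING` ends at the policy, while `LISTING + SSH_RULE` accepts it; the stray ACK is caught by the `! --syn` rule in both cases.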