iptables: block almost everything on one interface and allow certain ports on another interface

0

I have a VPS and its interface is venet0:0.

I would like to block all incoming traffic on that interface and allow only certain ports:

  • tcp 22223-29
  • udp 33330
  • tcp 33332

I also want to allow all established connections that originate from the server towards the Internet.

There is also a second virtual interface called tun1, and I want to block everything on that interface except the ports:

  • tcp 44430
  • udp 44431

I'm lost on how to block everything at this point.

Here is an example of what I already have, but Apache still works on the public IP, while it shouldn't.

# Flushing all rules
iptables --flush
iptables --delete-chain
iptables -F
iptables -X

### interface section use public Internet (venet0:0) ###
iptables -A INPUT -i venet0:0 -j DROP

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#################################################
# allow loopback
#################################################

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#################################################
# drop all ICMP
#################################################

iptables -A INPUT -p icmp --icmp-type any -j DROP
iptables -A OUTPUT -p icmp -j DROP

#################################################
# allow established connections
#################################################

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#################################################
# allow public per port
#################################################

# 22223
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22223 -j ACCEPT

# 1194 OpenVPN
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
John
source
Is that the exact order? RELATED,ESTABLISHED should be rule #1. iptables -A INPUT -j DROP should be the last rule. The accept rules go in the middle.
cybernard

Answers:

0

Anything, including ICMP, that is not explicitly allowed is dropped.

#allow related,established
iptables -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#Don't mess with loopback
iptables -A INPUT -i lo -j ACCEPT
#accept 2 port for tun1
iptables -A INPUT -i tun1 -p tcp --dport 44430 -j ACCEPT
iptables -A INPUT -i tun1 -p udp --dport 44431 -j ACCEPT
#accept venet0:0 stuff
iptables -A INPUT -i venet0:0 -p tcp -m multiport --dports 22223:22229,33332 -j ACCEPT
iptables -A INPUT -i venet0:0 -p udp --dport 33330  -j ACCEPT
#literally drop everything else on every adapter
#then default policy doesn't matter
#seen default policy fail to block, maybe it required a reboot
iptables -A INPUT -j DROP

FORWARD

#allow related,established
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#Don't mess with loopback
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i venet0:0 -p tcp -m multiport --dports 22223:22229,33332 -j ACCEPT
iptables -A FORWARD -i venet0:0 -p udp --dport 33330  -j ACCEPT
#accept 2 port for tun1
iptables -A FORWARD -i tun1 -p tcp --dport 44430 -j ACCEPT
iptables -A FORWARD -i tun1 -p udp --dport 44431 -j ACCEPT

#Add before DROP rule
#If venet0:0 and tun1 are supposed to talk to each other
#Add next 2 lines (or leave them out and they can't)
iptables -A FORWARD -i venet0:0 -o tun1 -j ACCEPT
iptables -A FORWARD -i tun1 -o venet0:0  -j ACCEPT

#anything not allowed anywhere dropped.
iptables -A FORWARD -j DROP
cybernard
source
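The answer above applies its rules one `iptables -A` at a time, which leaves a window where the table is half built (and, if the session drops between the flush and the final DROP, a box that is either wide open or locked out). The following is an added example, not code from the question or the answer: it generates the same INPUT ruleset as an iptables-restore file so the whole table is swapped in one atomic operation, keeps the ordering the comment insists on (RELATED,ESTABLISHED first, the catch-all DROP last), and exposes small check functions you can run without root before loading anything. `PUB_IF`, `VPN_IF` and the port lists are assumptions taken from the question; `-i` matches the kernel device name a packet arrived on, so if `venet0:0` turns out to be only an address label rather than a device in `ip -o link`, set `PUB_IF` to the underlying device. The FORWARD chain is kept to a minimal deny here; the answer's FORWARD lines can be added to the heredoc in the same way.

```sh
#!/bin/sh
# Added example: build the ruleset as an iptables-restore file and apply it atomically.
# PUB_IF / VPN_IF / port lists are assumptions from the question; adjust to your box.
PUB_IF="${PUB_IF:-venet0:0}"
VPN_IF="${VPN_IF:-tun1}"
PUB_TCP="22223:22229,33332"   # multiport range + single port on the public interface
PUB_UDP="33330"
VPN_TCP="44430"
VPN_UDP="44431"

# Emit the complete filter table in iptables-restore syntax.
# Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. replies to connections the server opened come back through here
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# 2. explicit accepts per interface
-A INPUT -i $VPN_IF -p tcp --dport $VPN_TCP -j ACCEPT
-A INPUT -i $VPN_IF -p udp --dport $VPN_UDP -j ACCEPT
-A INPUT -i $PUB_IF -p tcp -m multiport --dports $PUB_TCP -j ACCEPT
-A INPUT -i $PUB_IF -p udp --dport $PUB_UDP -j ACCEPT
# 3. catch-all drop last, so the default policy is not what you rely on
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Number of '-A' rule lines in the generated table (chain headers excluded).
rule_count() {
    gen_rules | grep -c '^-A '
}

# The final INPUT rule; must be the unconditional DROP.
last_input_rule() {
    gen_rules | grep '^-A INPUT' | tail -n 1
}

# Parse-only dry run first (iptables-restore --test), then load for real.
# Needs root and a live kernel; not called automatically below.
apply_rules() {
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

# Usage (no root needed): gen_rules > /tmp/rules.v4 ; rule_count ; last_input_rule
# Then, as root: apply_rules && iptables -S INPUT
```

After loading, `iptables -S INPUT` should show the DROP as the last line and the accept rules between the conntrack rule and the DROP; if a service on the public IP is still reachable, the first thing to compare is the device name in `iptables -S` against `ip -o link`.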