Eu tenho um vps e sua interface é venet0:0
.
Gostaria de bloquear todo o tráfego recebido dessa interface e permitir apenas em determinadas portas:
- tcp 22223-29
- udp 33330
- tcp 33332
Também quero permitir todas as conexões estabelecidas que se originam do servidor para a Internet.
Há também uma segunda interface virtual chamada tun1
e quero bloquear tudo nessa interface, exceto as portas:
- tcp 44430
- udp 44431
Estou perdido em como bloquear tudo neste momento.
Aqui está um exemplo do que eu já tenho, mas o apache ainda funciona no IP público, enquanto não deveria.
# Flushing all rules iptables --flush iptables --delete-chain iptables -F iptables -X
### interface section use public Internet (venet0:0) ### iptables -A INPUT -i venet0:0 -j DROP
# Setting default filter policy iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP
#################################################
# allow loopback
#################################################
iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
#################################################
# drop all ICMP
#################################################
iptables -A INPUT -p icmp --icmp-type any -j DROP iptables -A OUTPUT
-p icmp -j DROP
#################################################
# allow established connections
#################################################
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#################################################
# allow public per port
#################################################
# 22223 iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22223 -j ACCEPT
# 1194 OpenVPN iptables -A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
Respostas:
Qualquer coisa incluindo o icmp que não seja explicitamente permitido é descartada.
FRENTE
fonte