The method of setting a security policy with iptables on an Aliyun Linux server

  • 2020-05-10 23:23:48
  • OfStack

The company's products are shipped directly on cloud servers, so I have had the chance to work with AWS EC2 and Shanda's cloud server, and recently prepared to use Aliyun's Elastic Compute Service (cloud server). The first two handle security policy better: they provide a simple, clear configuration interface and ship with a default security policy. On Aliyun, by contrast, the security policy has to be configured by hand, and the CentOS machines do not even come with iptables preinstalled (at least not the two we applied for). Fortunately it can be installed with yum; the install command is as follows:


yum install -y iptables

Once iptables is installed, you can configure the rules. Because the machine is used as a web server, port 80 must be open to the public. Everything else is managed over ssh, so port 22 is also open to the public. It is best to change the ssh service's default port, since plenty of people on the public network will try to brute-force the password; if you do change the port, remember to open the new port in the firewall as well, or you will not be able to log in at all. A detailed description of the configuration rules follows:


# Step 1: clear all rules
#
# If Chain INPUT has policy DROP, running /sbin/iptables -F disconnects you
# from the server: flushing removes every ACCEPT rule and leaves only the
# DROP policy. Always set the INPUT policy to ACCEPT before flushing.
/sbin/iptables -P INPUT ACCEPT
# Clear all rules and delete user-defined chains
/sbin/iptables -F
/sbin/iptables -X
# Reset the packet and byte counters to zero
/sbin/iptables -Z

# Step 2: set the rules

# Allow packets from the lo interface. Without this rule you cannot reach
# local services through 127.0.0.1, for example ping 127.0.0.1
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Open TCP port 22 so that ssh works. If you connect from a fixed IP, add -s
# to restrict the rule to that client IP.
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Open TCP port 80 for the web service
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# 10.241.121.15 is the intranet IP of another server that this machine
# communicates with, so accept all TCP requests from 10.241.121.15
/sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT

# Accept ping (ICMP echo request)
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Accept packets that belong to an already established connection; for the
# reasoning see http://www.netingcn.com/iptables-localhost-not-access-internet.html
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

# Drop every request not matched by the rules above. This policy is
# indispensable; without it the firewall does not filter anything.
/sbin/iptables -P INPUT DROP

# Use iptables -L -n to check that the rules are in effect

At this point the firewall is configured, but only temporarily: when iptables or the machine is restarted, the configuration above is cleared. To make it permanent, run one of the following:


/etc/init.d/iptables save
 or
service iptables save

After running the command above, the saved configuration can be inspected in the file /etc/sysconfig/iptables.

A clean configuration script is provided below:


/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z

/sbin/iptables -A INPUT -i lo -j ACCEPT 
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP

Finally, run service iptables save, but first make sure the ssh connection still works, so that a rule error does not lock you out of the server. Without save, the rules are lost when the server restarts; with a wrong rule saved, you would have to go to the machine room to fix it. You can also refer to the ubuntu iptables configuration script to write a script of your own.

Finally, before flushing the rules, always make sure that Chain INPUT shows (policy ACCEPT).
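The lockout risk described above (flushing with policy DROP, or saving a rule set that omits the ssh port) is easier to avoid when the rule set is loaded as one unit and reverted automatically unless the operator confirms it from a working session. The script below is an added example and is not code from the article: it reproduces the article's rule list unchanged in iptables-restore format, refuses to treat a rule set as safe unless it allows the port you actually ssh to, and loads it with a timed rollback. It assumes iptables-save and iptables-restore are present (they ship with the iptables package installed above); the function names and the marker path /tmp/iptables-rollback.pending are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: build the article's INPUT
# whitelist as an iptables-restore ruleset, check it, and apply it with a
# timed rollback so a mistake cannot lock the operator out of ssh.
# Assumed: iptables-save / iptables-restore available; paths below are
# this example's own.

# build_ruleset SSH_PORT WEB_PORT PEER_IP
# Prints a complete "filter" table equivalent to the article's rule list.
# iptables-restore replaces the whole table in one step, so there is never a
# moment where the INPUT policy is DROP but the ACCEPT rules are not yet loaded.
build_ruleset() {
    ssh_port=$1
    web_port=$2
    peer_ip=$3
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -p tcp --dport $ssh_port -j ACCEPT" \
        "-A INPUT -p tcp --dport $web_port -j ACCEPT" \
        "-A INPUT -p tcp -s $peer_ip -j ACCEPT" \
        '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED -j ACCEPT' \
        'COMMIT'
}

# ruleset_allows_port RULESET PORT
# Succeeds only if RULESET contains an ACCEPT for that TCP port on INPUT.
# Run it against the port you really connect to (22, or the changed port).
ruleset_allows_port() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT -p tcp --dport $2 -j ACCEPT\$"
}

PENDING=/tmp/iptables-rollback.pending   # marker file (assumed path)

# apply_with_rollback RULESET [GRACE_SECONDS]
# Saves the running rules, loads RULESET, and restores the saved rules after
# GRACE_SECONDS unless confirm_rules is run from a session that still works.
apply_with_rollback() {
    ruleset=$1
    grace=${2:-120}
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    # iptables-restore is atomic per table: on a syntax error nothing changes.
    if ! printf '%s\n' "$ruleset" | iptables-restore; then
        echo "ruleset rejected; running rules unchanged" >&2
        rm -f "$backup"
        return 1
    fi
    echo "$backup" > "$PENDING"
    # Background timer: if the marker still exists when it fires, roll back.
    ( sleep "$grace"
      if [ -f "$PENDING" ]; then
          iptables-restore < "$backup" && echo "rolled back to $backup" >&2
          rm -f "$PENDING"
      fi ) &
    echo "rules loaded; run '$0 confirm' within ${grace}s to keep them"
}

# confirm_rules: cancel the pending rollback (call from a fresh ssh session).
confirm_rules() {
    if [ -f "$PENDING" ]; then
        rm -f "$(cat "$PENDING")" "$PENDING"
        echo "rules kept; now run 'service iptables save' to persist them"
    else
        echo "nothing pending (grace period already expired?)" >&2
        return 1
    fi
}

case "${1:-}" in
    apply)   apply_with_rollback "$(build_ruleset 22 80 10.241.121.15)" 120 ;;
    confirm) confirm_rules ;;
esac
```

Run `sh safe-apply.sh apply` from one ssh session, open a second session to prove the rules still let you in, and run `sh safe-apply.sh confirm` from that second session; if it cannot connect, do nothing and the previous rules come back when the grace period ends. Only after confirming run service iptables save, as the article says.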

This site adds Aliyun's linux_drop_port.sh for reference:


#!/bin/bash
#########################################
#Function: linux drop port
#Usage:  bash linux_drop_port.sh
#Author:  Customer Service Department
#Company:  Alibaba Cloud Computing
#Version:  2.0
#########################################

# Identify the distribution and major version by inspecting release files;
# prints a short tag (redhat5, centos6, ubuntu1204, ...) or nothing if unknown.
check_os_release()
{
 while true
 do
 os_release=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
 os_release_2=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release" | grep "release 5" >/dev/null 2>&1
  then
  os_release=redhat5
  echo "$os_release"
  elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
  then
  os_release=redhat6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
 os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release" | grep "release 5" >/dev/null 2>&1
  then
  os_release=aliyun5
  echo "$os_release"
  elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
  then
  os_release=aliyun6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
 os_release_2=$(grep "CentOS release" /etc/*release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release" | grep "release 5" >/dev/null 2>&1
  then
  os_release=centos5
  echo "$os_release"
  elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
  then
  os_release=centos6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
 os_release_2=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release" | grep "Ubuntu 10" >/dev/null 2>&1
  then
  os_release=ubuntu10
  echo "$os_release"
  elif echo "$os_release" | grep "Ubuntu 12.04" >/dev/null 2>&1
  then
  os_release=ubuntu1204
  echo "$os_release"
  elif echo "$os_release" | grep "Ubuntu 12.10" >/dev/null 2>&1
  then
  os_release=ubuntu1210
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
 os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release" | grep "Linux 6" >/dev/null 2>&1
  then
  os_release=debian6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
 os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release" | grep "13.1" >/dev/null 2>&1
  then
  os_release=opensuse131
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 break
 done
}

exit_script()
{
 echo -e "\033[1;40;31mInstall $1 error, will exit.\n\033[0m"
 rm -f $LOCKfile
 exit 1
}

# Block outbound TCP to the listed ports and all outbound UDP (iptables hosts).
config_iptables()
{
 iptables -I OUTPUT 1 -p tcp -m multiport --dports 21,22,23,25,53,80,135,139,443,445 -j DROP
 iptables -I OUTPUT 2 -p tcp -m multiport --dports 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
 iptables -I OUTPUT 3 -p udp -j DROP
 iptables -nvL
}

# Same policy expressed with ufw (Ubuntu hosts).
ubuntu_config_ufw()
{
 ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
 ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
 ufw deny out proto udp to any
 ufw status
}

####################Start###################
#check lock file, only let the script run one time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]
then
 echo -e "\033[1;40;31mThe script is already running, please run this script next time.\n\033[0m"
 exit
else
 echo -e "\033[40;32mStep 1. No lock file, begin to create lock file and continue.\n\033[40;37m"
 touch $LOCKfile
fi

#check user
if [ $(id -u) != "0" ]
then
 echo -e "\033[1;40;31mError: You must be root to run this script, please use root to execute this script.\n\033[0m"
 rm -f $LOCKfile
 exit 1
fi

echo -e "\033[40;32mStep 2. Begin to check the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" = "X" ]
then
 echo -e "\033[1;40;31mThe OS could not be identified, so this script is not executed.\n\033[0m"
 rm -f $LOCKfile
 exit 0
else
 echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi

echo -e "\033[40;32mStep 3. Begin to config firewall.\n\033[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
 service iptables start
 config_iptables
 ;;
debian6)
 config_iptables
 ;;
ubuntu10|ubuntu1204|ubuntu1210)
 ufw enable <<EOF
y
EOF
 ubuntu_config_ufw
 ;;
opensuse131)
 config_iptables
 ;;
esac

echo -e "\033[40;32mConfig firewall success, this script now exits!\n\033[40;37m"
rm -f $LOCKfile

The file above can be downloaded and executed directly on the machine.
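Aliyun's script inserts its three egress rules at fixed positions with iptables -I and then only prints iptables -nvL for the operator to read. The following is an added example, not part of linux_drop_port.sh: it checks the same thing programmatically from the text of `iptables -S OUTPUT`, reporting any of the three DROP rules that is missing and a blanket `-A OUTPUT -j ACCEPT` that sits before them and would shadow them. Note that the script's third rule, `-p udp -j DROP`, also blocks outbound DNS queries, so name resolution on the host stops working while the rules are loaded. The two rule listings in the block are constructed samples, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not part of Aliyun's linux_drop_port.sh: verify from
# `iptables -S OUTPUT` text that the script's egress DROP rules are present
# and not shadowed by an earlier unconditional ACCEPT. Sample listings below
# are constructed for this example.

# Port lists exactly as linux_drop_port.sh uses them.
TCP_PORTS_1='21,22,23,25,53,80,135,139,443,445'
TCP_PORTS_2='1433,1314,1521,2222,3306,3433,3389,4899,8080,18186'

# check_egress_rules LISTING
# Returns 0 when all three DROP rules appear in LISTING and no unconditional
# "-A OUTPUT -j ACCEPT" precedes the first DROP; otherwise prints what is
# wrong, one finding per line, and returns 1.
check_egress_rules() {
    listing=$1
    status=0
    for want in \
        "-A OUTPUT -p tcp -m multiport --dports $TCP_PORTS_1 -j DROP" \
        "-A OUTPUT -p tcp -m multiport --dports $TCP_PORTS_2 -j DROP" \
        "-A OUTPUT -p udp -j DROP"
    do
        if ! printf '%s\n' "$listing" | grep -qF -- "$want"; then
            echo "missing: $want"
            status=1
        fi
    done
    # Rule order matters: an accept-everything rule listed before the DROPs
    # wins for every packet, so the DROPs would never be reached.
    first_accept=$(printf '%s\n' "$listing" | grep -n -- '^-A OUTPUT -j ACCEPT$' | head -n 1 | cut -d: -f1)
    first_drop=$(printf '%s\n' "$listing" | grep -n -- '-j DROP$' | head -n 1 | cut -d: -f1)
    if [ -n "$first_accept" ] && [ -n "$first_drop" ] && [ "$first_accept" -lt "$first_drop" ]; then
        echo "shadowed: unconditional ACCEPT at line $first_accept precedes first DROP at line $first_drop"
        status=1
    fi
    return $status
}

# Constructed sample: what `iptables -S OUTPUT` shows right after the script ran.
SAMPLE_OK='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,23,25,53,80,135,139,443,445 -j DROP
-A OUTPUT -p tcp -m multiport --dports 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
-A OUTPUT -p udp -j DROP'

# Constructed sample: someone later inserted an accept-all rule at the top and
# the second TCP rule is gone, so the egress policy no longer holds.
SAMPLE_BAD='-P OUTPUT ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,23,25,53,80,135,139,443,445 -j DROP
-A OUTPUT -p udp -j DROP'

# With the argument "live", check the real chain on this host (needs root).
case "${1:-}" in
    live) check_egress_rules "$(iptables -S OUTPUT)" ;;
esac
```

Run `sh check-egress.sh live` from cron or a configuration-audit job and alert on a non-zero exit; the printed findings say which rule disappeared or what shadows it, which is more useful than eyeballing iptables -nvL after the fact.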

