IPTables: allow outgoing SSH

I tried to write my own rules to protect a web server with only http/https, apt-get updates, SSH access and mail submission. So far I have done this:

    IPT=/sbin/iptables
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    #
    $IPT -A INPUT -m state --STATE ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --STATE ESTABLISHED,RELATED -j ACCEPT
    #
    # Allow All for SSH
    $IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
    #
    # Allow all for HTTP / HTTPS
    $IPT -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    #
    # Allow loopback traffic
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    #
    # Allow to be pinged ( Outside => srv )
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    #
    # Allow outgoing DNS connections
    $IPT -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
    $IPT -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
    #
    # Apt-get
    $IPT -A OUTPUT -p tcp --dport 80 --sport 32786:61000 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 --sport 32786:61000 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 32786:61000 --sport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 32786:61000 --sport 80 -j ACCEPT
    #
    # SMTP Outgoing
    $IPT -A OUTPUT -p tcp --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --sport 25 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    #
    # Prevent DoS
    #$IPT -A INPUT -p tcp --dport 80 -m limit --limit 60/minute --limit-burst 150 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
    #
    # Log dropped packets
    $IPT -N LOGGING
    $IPT -A INPUT -j LOGGING
    $IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
    $IPT -A LOGGING -j DROP
    #
    $IPT -L

But it seems I am missing something for outgoing SSH (from this server to a remote host; everything else works), and I cannot find what. I also tried to ssh to the destination by typing its IP, in case some DNS thing was being blocked, but that did not work either.

I am fairly sure these rules are the reason it does not work, because it works fine if I flush them and accept everything.

Here is the output of iptables -L -n:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:32786:61000 dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:32786:61000
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:25 dpts:1024:65535 state ESTABLISHED
    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 #conn/32 > 100 reject-with tcp-reset
    LOGGING    all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 0
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:32786:61000 dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:32786:61000
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:25 state NEW,ESTABLISHED

    Chain LOGGING (1 references)
    target     prot opt source               destination
    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix `IPTables Packet Dropped: '
    DROP       all  --  0.0.0.0/0            0.0.0.0/0

4 solutions collected from the web for "IPTables: allow outgoing SSH"

When you have an outgoing connection, the destination port will be 22, so this should be the rule:

    $IPT -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT

Also, you should have a rule covering ESTABLISHED and RELATED at the top of both the INPUT and OUTPUT chains:

    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I hope this helps.

The rule for outgoing SSH traffic does not include the NEW state, which is needed to start outgoing connections.

This is a classic mistake made when the client-server architecture and "stateful firewalls" are not understood.

In a client-server architecture, the only port known a priori is the destination port, since the client chooses an ephemeral port [1], with extremely rare exceptions, DHCP for example.

From the firewall's point of view, every single packet that originates from it has the NEW state, especially in TCP connections. [2]

First let's see what we have:

    IPT=/sbin/iptables
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Excellent!! because we always need to accept this kind of states, because
    # they are always response packets; remember we can be client or server
    $IPT -A INPUT -m state --STATE ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --STATE ESTABLISHED,RELATED -j ACCEPT
    # Allow All for SSH
    # this accepts ssh connections from outside, and the response for this input
    # is an outgoing packet with the state ESTABLISHED (four lines above)
    $IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    # this rule is meaningless because you never start a ssh connection from
    # source port 22, because source ports are chosen randomly
    $IPT -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
    # this one lets you start a ssh connection from within to the outside, and the
    # response comes in with state ESTABLISHED, 13 lines above
    $IPT -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
    # Allow all for HTTP / HTTPS
    # http servers are very basic if we think in client-server terms: they only respond
    # to a client request, except if some web software tries to establish a network
    # connection to the outside; for this block the only rule with meaning is the first,
    # the rest are meaningless
    $IPT -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    # Allow loopback traffic
    # these are obligatory rules, avoiding the firewall blocking itself
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Allow to be pinged ( Outside => srv )
    # the interpretation always depends on the point of view:
    # with these rules you can accept ping requests from outside and respond to them,
    # but you cannot ping from inside to outside, because in that scenario you send the
    # request (OUTPUT) and receive a reply from outside (INPUT)
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # Allow outgoing DNS connections
    # this allows sending dns queries to the DNS server that you have registered in the file
    # /etc/resolv.conf
    $IPT -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
    # this one is meaningless because the response from the DNS server is ESTABLISHED and is
    # accepted at the very beginning of the firewall
    $IPT -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
    # Apt-get
    # AFAIK apt uses http or ftp; it can use https but that is less common
    # specifying a range of source ports is meaningless
    $IPT -A OUTPUT -p tcp --dport 80 --sport 32786:61000 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 --sport 32786:61000 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 32786:61000 --sport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 32786:61000 --sport 80 -j ACCEPT
    # SMTP Outgoing
    # I don't know why you start adding more criteria without meaning;
    # maybe you started surfing the net and copy&pasting code without seeing what you are doing.
    # When you need to learn something, always go to the root, or in this case to www.netfilter.org
    $IPT -A OUTPUT -p tcp --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --sport 25 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    # the rules below are.... copy&paste from somewhere
    # Prevent DoS
    #$IPT -A INPUT -p tcp --dport 80 -m limit --limit 60/minute --limit-burst 150 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
    #
    # Log dropped packets
    $IPT -N LOGGING
    $IPT -A INPUT -j LOGGING
    $IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
    $IPT -A LOGGING -j DROP

So, in my opinion, you need this firewall:

    IPT=/sbin/iptables
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # accept a priori all the responses
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow All for SSH
    # allow ssh connections from outside to inside
    $IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    # allow ssh connections from inside to outside
    $IPT -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
    # Allow all for HTTP / HTTPS
    $IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    # Allow loopback traffic
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Allow to be pinged ( Outside => srv )
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # from srv to outside
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Allow outgoing DNS connections
    $IPT -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
    # Apt-get
    $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 21 -j ACCEPT
    # SMTP Outgoing
    $IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT

I hope it was useful. And sorry for my English, it is not my native language.
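As an added example (not code from the question or from any of the answers), here is a small Python model of how the filter table walks the chains in the question's script, fed the connection-tracking, SSH and logging lines of that script verbatim. It makes concrete what the `iptables -L -n` output in the question already shows (no ESTABLISHED,RELATED rule at the top of INPUT or OUTPUT) and what the answers above explain: `--STATE` in upper case is not an option iptables knows, so those two commands fail and, the script not stopping on errors, everything else loads. The outgoing SYN to port 22 is accepted, but the SYN-ACK coming back from source port 22 matches nothing and falls through to the LOGGING chain's DROP; with `--state` spelled correctly both halves are accepted. First-match semantics, a non-terminating LOG target, interface and limit matches that always succeed, and a conntrack state supplied by the caller are this model's simplifications; the `Pkt`, `Rule` and `Filter` names and the ephemeral port 40000 are my own choices.

```python
# Added example, not code from the question or the answers: a toy model of how
# iptables evaluates the filter chains posted above (Python 3.7+).
from __future__ import annotations
import shlex
from dataclasses import dataclass

IGNORED = {"-m", "-i", "-o", "--limit", "--log-prefix", "--log-level"}  # arg consumed, not evaluated

@dataclass
class Pkt:
    chain: str            # "INPUT" or "OUTPUT"
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"    # the conntrack state the kernel would assign

@dataclass
class Rule:
    target: str = ""
    proto: str | None = None
    sport: int | None = None
    dport: int | None = None
    states: set[str] | None = None

    def matches(self, p: Pkt) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))

class Filter:
    def __init__(self) -> None:
        self.chains: dict[str, list[Rule]] = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
        self.errors: list[str] = []   # commands iptables would have refused

    def apply(self, argv: list[str]) -> None:
        """One iptables command line, without the program name."""
        toks, chain, rule = iter(argv), None, Rule()
        for t in toks:
            if t in IGNORED: next(toks)
            elif t == "-P": self.policy[next(toks)] = next(toks); return
            elif t == "-N": self.chains[next(toks)] = []; return
            elif t == "-A": chain = next(toks)
            elif t == "-p": rule.proto = next(toks)
            elif t == "--sport": rule.sport = int(next(toks))
            elif t == "--dport": rule.dport = int(next(toks))
            elif t == "--state": rule.states = set(next(toks).split(","))
            elif t == "-j": rule.target = next(toks)
            else: raise ValueError(f"unknown option {t}")   # getopt is case-sensitive
        if chain is None or not rule.target: raise ValueError("no chain or target")
        self.chains[chain].append(rule)

    def verdict(self, p: Pkt) -> str:
        return self._walk(p, p.chain) or self.policy[p.chain]

    def _walk(self, p: Pkt, chain: str) -> str | None:
        for r in self.chains[chain]:
            if not r.matches(p): continue
            if r.target in ("ACCEPT", "DROP", "REJECT"): return r.target
            if r.target != "LOG":                             # LOG is non-terminating
                v = self._walk(p, r.target)                   # jump into a user chain
                if v: return v
        return None

def load(script: str) -> Filter:
    """Run a '$IPT ...' script line by line; as without 'set -e', a refused command is recorded."""
    f = Filter()
    for line in script.strip().splitlines():
        try:
            f.apply(shlex.split(line)[1:])
        except ValueError as e:
            f.errors.append(f"{line}: {e}")
    return f

# The connection-tracking, SSH and logging lines of the posted script, verbatim,
# including the upper-case --STATE that iptables refuses as an unknown option.
POSTED = """
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -m state --STATE ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --STATE ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
$IPT -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
$IPT -N LOGGING
$IPT -A INPUT -j LOGGING
$IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
$IPT -A LOGGING -j DROP
"""
FIXED = POSTED.replace("--STATE", "--state")   # all that outbound ssh needs

def outbound_ssh(f: Filter) -> tuple[str, str]:
    """'ssh host' run from the server: the SYN we send (OUTPUT, NEW, ephemeral
    source port) and the SYN-ACK that comes back (INPUT, conntrack ESTABLISHED)."""
    syn = Pkt("OUTPUT", "tcp", sport=40000, dport=22, state="NEW")
    syn_ack = Pkt("INPUT", "tcp", sport=22, dport=40000, state="ESTABLISHED")
    return f.verdict(syn), f.verdict(syn_ack)

if __name__ == "__main__":
    for name, script in (("posted", POSTED), ("fixed", FIXED)):
        print(name, outbound_ssh(load(script)), load(script).errors)
```

`outbound_ssh(load(POSTED))` gives `('ACCEPT', 'DROP')` and `load(POSTED).errors` lists the two `--STATE` lines; `outbound_ssh(load(FIXED))` gives `('ACCEPT', 'ACCEPT')`. On the real box the equivalent checks are `iptables -S INPUT` (does the conntrack rule actually appear, and first?) and the kernel log, where the LOGGING chain should record the dropped SYN-ACK with the `IPTables Packet Dropped:` prefix while the ssh client hangs.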

For the simplest rules (ignore state for now):

    iptables -A INPUT -p tcp --sport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

This should do the trick. Once you try it and it works, you can modify it to include state, source/destination IP addresses, different ports.
