Debian 10: custom iptables / ip6tables personal desktop firewall (method two)

By jingyue, September 01, 2019, 03:14:06 PM

jingyue

Debian 10: custom iptables / ip6tables personal desktop firewall (method two)

0) Summary

Custom iptables personal desktop firewall rules for Debian 10, which can block GFW man-in-the-middle RST attacks; the filter table rules (IPv4 part) are as follows:

# Generated by xtables-save v1.8.2
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j LOG --log-prefix RST_attack --log-ip-options
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix input_droped --log-ip-options
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix forward_droped --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
# -A OUTPUT -j LOG --log-ip-options --log-prefix "output_droped"
# -A OUTPUT -j DROP
COMMIT
# Completed

1) Link to the full article

Quote from: jingyue on August 21, 2019, 03:47:26 AM
Debian 10: custom iptables personal desktop firewall rules

2) Reference links

Quote from: jingyue on September 01, 2019, 03:04:08 AM
Debian 10: viewing the firewall log


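The post above logs every dropped packet with the prefixes RST_attack, input_droped and forward_droped, and points to a separate post on reading that log. As an added example that is not part of the original post, the POSIX shell script below summarises those kernel log lines per prefix and source address, so that a burst of RSTs from one host stands out. The log lines it runs on in demo mode are constructed sample data (documentation address ranges, made-up timestamps); the log path in the usage line and the script name are assumptions about the reader's system.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the kernel log lines
# written by the LOG rules in the ruleset above.
#
# Usage:  sh fwlog.sh /var/log/kern.log          (path is an assumption)
#         journalctl -k --no-pager | sh fwlog.sh -
#         sh fwlog.sh demo                        (run on the built-in sample)
#
# Output: "<count><TAB><prefix><TAB><SRC>", most frequent pair first.

summarize_fw_log() {
    awk '
    # The --log-prefix values in the ruleset have no trailing space, so the
    # kernel prints the prefix glued to the IN= field, e.g. "RST_attackIN=eth0".
    # Matching on that exact shape skips unrelated kernel messages.
    match($0, /(RST_attack|input_droped|forward_droped)IN=/) {
        prefix = substr($0, RSTART, RLENGTH - 3)   # drop the trailing "IN="
        src = "?"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { src = substr($i, 5); break }
        count[prefix "\t" src]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' "$@" | sort -rn
}

# Constructed sample log (not real traffic): three RSTs from one host aimed at
# a TLS connection, one RST from another host, two SYNs to closed ports, one
# forwarded packet, and one unrelated kernel line that must be ignored.
sample_log() {
cat <<'EOF'
Sep  1 15:14:06 debian kernel: [  812.101512] RST_attackIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=52345 WINDOW=0 RES=0x00 RST URGP=0
Sep  1 15:14:06 debian kernel: [  812.101744] RST_attackIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=52345 WINDOW=0 RES=0x00 RST URGP=0
Sep  1 15:14:07 debian kernel: [  813.002001] RST_attackIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=52346 WINDOW=0 RES=0x00 RST URGP=0
Sep  1 15:14:09 debian kernel: [  815.300200] RST_attackIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=40011 WINDOW=0 RES=0x00 RST URGP=0
Sep  1 15:15:01 debian kernel: [  867.010300] input_dropedIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=55210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  1 15:15:02 debian kernel: [  868.010400] input_dropedIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54322 PROTO=TCP SPT=55211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  1 15:16:00 debian kernel: [  926.500000] forward_dropedIN=eth0 OUT=wlan0 MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=10.0.0.2 DST=192.0.2.9 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
Sep  1 15:16:30 debian kernel: [  956.000000] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
EOF
}

case "${1:-}" in
    "")   ;;                                  # no arguments: only define the functions
    demo) sample_log | summarize_fw_log ;;
    *)    summarize_fw_log "$@" ;;            # one or more files, or "-" for stdin
esac
```

On the sample, the top line is the three RSTs from 203.0.113.10. Because the LOG rule sits before the RELATED,ESTABLISHED check, the RST_attack count also includes the ordinary RSTs that peers send when closing connections, so a steady trickle from many hosts is normal and a burst from one host aimed at one connection is what to look at.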
jingyue

 

Debian 10: setting up personal desktop firewall iptables / ip6tables rules (method one)


1) Create a new text file named iptables.rules (for IPv4).
Copy and paste the quoted content below into iptables.rules and save it.
Quote
# Generated by xtables-save v1.8.2
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j LOG --log-ip-options --log-prefix "RST_attack"
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-ip-options --log-prefix "input_droped"
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-ip-options --log-prefix "forward_droped"
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
# -A OUTPUT -j LOG --log-ip-options --log-prefix "output_droped"
# -A OUTPUT -j DROP
COMMIT
# Completed


2) Create a new text file named ip6tables.rules (for IPv6).

Copy and paste the quoted content below into ip6tables.rules and save it.

Quote
# Generated by xtables-save v1.8.2
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s ::1/128 -d ::1/128 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s ::1/128 -d ::1/128 -o lo -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed


3) Create a new text file named firewall2 (an executable script).
Copy and paste the quoted content below into firewall2 and save it.
Quote
#!/bin/sh

/sbin/iptables-restore < /etc/iptables.rules

/sbin/ip6tables-restore < /etc/ip6tables.rules


4) Terminal commands

Quote
# cp iptables.rules /etc/
Quote
# cp ip6tables.rules /etc/
Quote
# chmod +x firewall2
Quote
# cp firewall2 /etc/network/if-pre-up.d/
Quote
# reboot

End of article.


Reference links
https://wiki.debian.org/iptables

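The procedure above writes two rules files and loads them from an if-pre-up.d hook at boot, with no check that the files are what the firewall needs. As an added example that is not part of the original post, the POSIX shell script below checks a rules file for the properties this ruleset depends on before it is loaded: DROP policies on INPUT and FORWARD, the loopback ACCEPT, and the RST DROP sitting ahead of the RELATED,ESTABLISHED ACCEPT in INPUT (if the order were reversed, conntrack would accept RSTs belonging to tracked connections before the DROP was reached, and the RST filter would do nothing for the connections it is meant to protect). It also shows an install step that dry-runs the file with iptables-restore --test and saves the live ruleset first. The function names, the backup location under /root and the need to run the install step as root are assumptions; the built-in sample is the IPv4 ruleset from the post.

```shell
#!/bin/sh
# Added example (not from the original post): validate an iptables-save style
# rules file, then load it with a dry run and a backup.
#
# Usage:  sh fwcheck.sh /etc/iptables.rules /etc/ip6tables.rules   (check only)
#         sh fwcheck.sh demo                   (check the built-in IPv4 sample)
#         install_rules /etc/iptables.rules /sbin/iptables-restore  (as root)

# check_rules [FILE]: read the file (or stdin) and report every property the
# ruleset above relies on that is missing. Prints OK and returns 0 if all hold,
# otherwise prints each problem and returns 1.
check_rules() {
    awk '
    /^\*filter/                                           { filter = 1 }
    /^COMMIT/                                             { commit = 1 }
    /^:INPUT DROP/                                        { in_drop = 1 }
    /^:FORWARD DROP/                                      { fwd_drop = 1 }
    /^-A INPUT / && /-i lo / && /-j ACCEPT/               { lo_ok = 1 }
    # Line numbers of the two INPUT rules whose relative order matters.
    /^-A INPUT / && /--tcp-flags RST RST/ && /-j DROP/    { if (!rst) rst = NR }
    /^-A INPUT / && /RELATED,ESTABLISHED/ && /-j ACCEPT/  { if (!est) est = NR }
    END {
        rc = 0
        if (!filter)   { print "missing *filter table header"; rc = 1 }
        if (!commit)   { print "missing COMMIT"; rc = 1 }
        if (!in_drop)  { print "INPUT policy is not DROP"; rc = 1 }
        if (!fwd_drop) { print "FORWARD policy is not DROP"; rc = 1 }
        if (!lo_ok)    { print "no loopback ACCEPT in INPUT"; rc = 1 }
        if (!rst) {
            print "no RST DROP rule in INPUT"; rc = 1
        } else if (est && rst > est) {
            print "RST DROP comes after RELATED,ESTABLISHED ACCEPT: RSTs on tracked connections are accepted before the DROP is reached"; rc = 1
        }
        if (rc == 0) print "OK"
        exit rc
    }' "$@"
}

# install_rules FILE RESTORE: check the file, let the real parser dry-run it
# (--test parses and builds the ruleset without committing it), save the live
# ruleset under /root (assumed backup location), then load. Must run as root.
install_rules() {
    rules="$1"; restore="$2"
    check_rules "$rules" || return 1
    "$restore" --test < "$rules" || { echo "$restore rejected $rules" >&2; return 1; }
    "${restore%-restore}-save" > "/root/$(basename "$rules").$(date +%Y%m%d%H%M%S).bak" || return 1
    "$restore" < "$rules"
}

# The IPv4 ruleset from the post, used as the built-in sample.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j LOG --log-ip-options --log-prefix "RST_attack"
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-ip-options --log-prefix "input_droped"
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-ip-options --log-prefix "forward_droped"
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
    "")   ;;                                   # no arguments: only define the functions
    demo) sample_rules | check_rules ;;
    *)    for f in "$@"; do echo "$f:"; check_rules "$f"; done ;;
esac
```

Two things the check does not cover. The if-pre-up.d hook in step 4 is run by ifupdown, so it only fires for interfaces configured in /etc/network/interfaces; on a desktop whose interfaces are managed by NetworkManager the script may never run, so confirm after the reboot with iptables -S and ip6tables -S. And check_rules knows nothing about IPv6 specifics: the ip6tables file above has no explicit ACCEPT for ICMPv6, which IPv6 neighbour discovery uses, so test IPv6 connectivity separately after loading it.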
