
Using iptables to block all internet-originating traffic except for a specific port

Ask Ubuntu user
Asked 2021-05-10 15:13:04
Answers 1  Views 1.1K  Followers 0  Votes 0

I have an Emby server running on Ubuntu Server 20.04 LTS, and I would like to configure iptables to block all incoming connections from the internet except on port 8920, while still allowing normal incoming connections (ssh, etc.) from nodes on the local network. Is this possible? (I am doing this because my Zyxel EMG3425-Q10A router is not port-forwarding correctly. Still working on that.)


1 Answer

Ask Ubuntu user

Accepted answer

Posted 2021-05-10 20:42:14

Here is an iptables script. The LAN (local area network) and interface definitions are for my test computer and must be changed to suit the user's requirements:

```sh
doug@s19:~/iptables/misc$ cat ask1337350
#!/bin/sh
FWVER=0.01
#
# ask1337350 Smythies 2021.05.10 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1337350/using-iptables-to-block-all-internet-originating-traffic-except-for-a-specific-p
#       run as sudo on s19.
#
#       Note: These rules likely need to be merged with
#       any existing iptables rules set.

echo "Loading ask1337350 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Set for Smythies s19 computer (for testing). Edit for ask1337350's computer.
# EXTIF="enp3s0" no,no,no use the bridge br0, or everything breaks, big time.
EXTIF="br0"
EXTIP="192.168.111.136"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

# Clearing any previous configuration
# Be careful here. I can do this on s18, but do not know
# about vxsa4's computer.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Allow any related traffic coming back to the server in.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow in any LAN traffic
#
$IPTABLES -A INPUT -s $NETWORK -i $EXTIF -j ACCEPT

# Also allow in port 8920 traffic from anywhere
# The question does not specify a protocol. Do both.
#
$IPTABLES -A INPUT --protocol udp --destination-port 8920 -i $EXTIF -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --destination-port 8920 -i $EXTIF -j ACCEPT

# Do not allow in anything else
# Could also just fall through to default policy here, but sometimes a logging rule is also desired.
#
$IPTABLES -A INPUT -i $EXTIF -j DROP

# At this point carry on. This might need to be merged into whatever existing iptables rule set.
#
echo ask1337350 rule set version $FWVER done.
```

After running for a short while, this is the result:

```text
doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       8      616 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     133     7916 ACCEPT     all  --  br0    *       0.0.0.0/0            192.168.111.136      state RELATED,ESTABLISHED
      51     3355 ACCEPT     all  --  br0    *       192.168.111.0/24     0.0.0.0/0
       0        0 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:8920
       0        0 ACCEPT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8920
      19     5880 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 90 packets, 12122 bytes)
    pkts      bytes target     prot opt in     out     source               destination
```
Votes 1
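The answer's INPUT chain works because iptables evaluates rules top to bottom and the first match wins: the LAN rule and the two port 8920 rules sit above the final interface-wide DROP, and reply traffic is admitted by the conntrack rule before anything else is considered. The following offline model, an added illustration that is not code from the Ask Ubuntu answer, re-implements that first-match logic in plain Python so the rule order can be checked against sample packets without touching a live firewall. The interface name, host address and LAN range are the ones the answer uses for its test machine (br0, 192.168.111.136, 192.168.111.0/24); the sample packets, including the 203.0.113.7 "internet" source, are constructed here, and the conntrack state is supplied by hand rather than tracked.

```python
"""Offline model of the INPUT chain from the ask1337350 script (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    """A constructed inbound packet as the INPUT chain would see it."""
    in_if: str
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "NEW"        # conntrack state: NEW, ESTABLISHED or RELATED (supplied by hand)


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None/empty field means 'match anything'."""
    target: str               # ACCEPT or DROP
    in_if: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: frozenset = frozenset()

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def build_input_chain(extif="br0", extip="192.168.111.136",
                      network="192.168.111.0/24", port=8920):
    """The six INPUT rules, in the same order the answer's script appends them."""
    net = ipaddress.ip_network(network)
    host = ipaddress.ip_network(extip + "/32")
    return [
        Rule("ACCEPT", in_if="lo"),                                   # loopback
        Rule("ACCEPT", in_if=extif, dst=host,
             states=frozenset({"ESTABLISHED", "RELATED"})),           # replies to our own traffic
        Rule("ACCEPT", in_if=extif, src=net),                         # anything from the LAN
        Rule("ACCEPT", in_if=extif, proto="udp", dport=port),         # Emby port, UDP
        Rule("ACCEPT", in_if=extif, proto="tcp", dport=port),         # Emby port, TCP
        Rule("DROP", in_if=extif),                                    # everything else on EXTIF
    ]


def first_match(chain, pkt, policy="DROP"):
    """Return (rule index, target) of the first matching rule, or (None, policy)."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            return idx, rule.target
    return None, policy


def verdict(chain, pkt, policy="DROP"):
    return first_match(chain, pkt, policy)[1]


# Constructed sample traffic; 203.0.113.7 is a documentation address standing in for the internet.
SAMPLES = {
    "LAN ssh (new)":           Packet("br0", "192.168.111.20", "192.168.111.136", "tcp", 22),
    "internet ssh (new)":      Packet("br0", "203.0.113.7", "192.168.111.136", "tcp", 22),
    "internet 8920/tcp (new)": Packet("br0", "203.0.113.7", "192.168.111.136", "tcp", 8920),
    "internet 8920/udp (new)": Packet("br0", "203.0.113.7", "192.168.111.136", "udp", 8920),
    "internet reply (estab.)": Packet("br0", "203.0.113.7", "192.168.111.136", "tcp", 40000,
                                      state="ESTABLISHED"),
    "loopback":                Packet("lo", "127.0.0.1", "127.0.0.1", "tcp", 8096),
    "other iface 8920/tcp":    Packet("enp3s0", "203.0.113.7", "192.168.111.136", "tcp", 8920),
}


def main():
    chain = build_input_chain()
    for label, pkt in SAMPLES.items():
        idx, target = first_match(chain, pkt)
        where = f"rule {idx + 1}" if idx is not None else "chain policy"
        print(f"{label:<26} -> {target:<6} ({where})")


if __name__ == "__main__":
    main()
```

The last sample is the check worth keeping in mind when adapting the script: the explicit DROP rule is bound to EXTIF, so a packet arriving on any other interface matches nothing and is decided by the chain policy (DROP here). If the policy were left at ACCEPT while merging these rules into an existing set, traffic on a second interface would pass untouched.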
The original content of this page is provided by Ask Ubuntu; translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://askubuntu.com/questions/1337350
