How to set up a firewall on Debian Minimal

小樊
2025-07-20 04:42:16
Category: Intelligent O&M

On a Debian Minimal system the firewall is usually set up with iptables or nftables. The basic steps for setting up a firewall with each of the two tools follow:

Using iptables

  1. Update the system:

    sudo apt update && sudo apt upgrade -y

  2. Install iptables (if it is not already installed):

    sudo apt install iptables -y

  3. Set the default policies:

    sudo iptables -P INPUT DROP
    sudo iptables -P FORWARD DROP
    sudo iptables -P OUTPUT ACCEPT

  4. Allow loopback traffic and replies to connections this host opened:

    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A OUTPUT -o lo -j ACCEPT
    # Without this rule the INPUT DROP policy also discards the replies to
    # outbound connections (apt, DNS lookups), so the host can reach nothing.
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  5. Allow SSH connections (assuming SSH listens on port 22):

    sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

  6. Allow HTTP and HTTPS connections (assuming HTTP uses port 80 and HTTPS uses port 443):

    sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

  7. Allow DNS queries (assuming DNS uses port 53; note that these rules admit inbound traffic to port 53, i.e. they are for a resolver that runs on this host):

    sudo iptables -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    sudo iptables -A OUTPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

  8. Save the iptables rules: Debian Minimal has no default mechanism for persisting iptables rules, so you have to save them by hand. The following commands write the rules to a file (the /etc/iptables directory does not exist until you create it):

    sudo mkdir -p /etc/iptables
    sudo sh -c "iptables-save > /etc/iptables/rules.v4"

  9. Load the rules at boot: create a systemd service that restores them:

    sudo nano /etc/systemd/system/iptables-restore.service

    Add the following content:

    [Unit]
    Description=Restore IPTables rules
    # Load the rules before any interface is configured; see network-pre.target in systemd.special(7)
    Wants=network-pre.target
    Before=network-pre.target

    [Service]
    Type=oneshot
    # systemd runs ExecStart without a shell, so "<" redirection would not work;
    # iptables-restore accepts the rules file as an argument instead
    ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4

    [Install]
    WantedBy=multi-user.target

    Enable and start the service:

    sudo systemctl daemon-reload
    sudo systemctl enable iptables-restore.service
    sudo systemctl start iptables-restore.service
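Because the rules file of step 8 is what the service in step 9 loads at every boot, it is worth generating and checking that file rather than hand-editing it. The script below is an added example, not code from the original article: it writes a rules.v4 file in iptables-restore format for the policy described above (INPUT and FORWARD dropped, OUTPUT accepted, loopback allowed, replies to outbound connections allowed, the listed TCP ports opened), and it checks a rules file for the properties the policy depends on before the file goes live. The port list passed as arguments and the ESTABLISHED,RELATED rule are this example's assumptions; `iptables-restore --test` is used as a parse-only dry run, and the demo at the bottom needs no root because it never loads anything.

```bash
#!/bin/sh
# Added example, not code from the original article: build the rules.v4 file
# that iptables-restore.service loads, and check it before it goes live.
# Assumptions: TCP ports to open are given as arguments; the conntrack
# ESTABLISHED,RELATED rule is included because an INPUT DROP policy would
# otherwise also drop the replies to connections this host opens (apt, DNS).

# gen_rules_v4 PORT... : print a complete iptables-restore ruleset to stdout.
gen_rules_v4() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate INVALID -j DROP\n'
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    printf 'COMMIT\n'
}

# check_rules_v4 FILE : succeed only if the file keeps the properties the
# policy above depends on; each missing property is reported on stderr.
check_rules_v4() {
    f=$1; ok=0
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP" >&2; ok=1; }
    grep -q '^:FORWARD DROP' "$f" || { echo "FORWARD policy is not DROP" >&2; ok=1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" || { echo "loopback is not allowed" >&2; ok=1; }
    grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' "$f" \
        || { echo "replies to outbound connections would be dropped" >&2; ok=1; }
    grep -q '^COMMIT$' "$f" || { echo "missing COMMIT, iptables-restore rejects the file" >&2; ok=1; }
    return $ok
}

# count_open_ports FILE : how many TCP ports the ruleset opens to the world.
count_open_ports() {
    grep -c -- '--dport' "$1"
}

# apply_rules_v4 FILE : parse-only dry run first (iptables-restore --test),
# then load for real. Needs root, so the demo below does not call it.
apply_rules_v4() {
    check_rules_v4 "$1" && iptables-restore --test "$1" && iptables-restore "$1"
}

# Demo: generate a ruleset for SSH, HTTP and HTTPS and check it.
tmp=$(mktemp)
gen_rules_v4 22 80 443 > "$tmp"
if check_rules_v4 "$tmp"; then
    echo "rules.v4 ok, $(count_open_ports "$tmp") TCP port(s) opened"
fi
rm -f "$tmp"
```

To use it on a real host, run `gen_rules_v4 22 80 443 | sudo tee /etc/iptables/rules.v4` and then `apply_rules_v4 /etc/iptables/rules.v4` as root; the dry run rejects syntax errors before the live tables are touched, and the check catches a file whose INPUT policy has drifted back to ACCEPT.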
    

Using nftables

  1. Update the system:

    sudo apt update && sudo apt upgrade -y

  2. Install nftables (if it is not already installed):

    sudo apt install nftables -y

  3. Set the default policies (a base chain created without a policy defaults to accept, and an unconditional `accept` rule would make every later rule in the chain dead, so the policy is declared on the chain itself):

    sudo nft add table ip filter
    sudo nft add chain ip filter input { type filter hook input priority 0 \; policy drop \; }
    sudo nft add chain ip filter forward { type filter hook forward priority 0 \; policy drop \; }
    sudo nft add chain ip filter output { type filter hook output priority 0 \; policy accept \; }

  4. Allow loopback traffic and replies to connections this host opened:

    sudo nft add rule ip filter input iif lo accept
    sudo nft add rule ip filter output oif lo accept
    # Without this rule the drop policy also discards replies to outbound connections (apt, DNS lookups)
    sudo nft add rule ip filter input ct state established,related accept

  5. Allow SSH connections (assuming SSH listens on port 22):

    sudo nft add rule ip filter input tcp dport 22 ct state new,established accept
    sudo nft add rule ip filter output tcp sport 22 ct state established accept

  6. Allow HTTP and HTTPS connections (assuming HTTP uses port 80 and HTTPS uses port 443):

    sudo nft add rule ip filter input tcp dport 80 ct state new,established accept
    sudo nft add rule ip filter output tcp sport 80 ct state established accept
    sudo nft add rule ip filter input tcp dport 443 ct state new,established accept
    sudo nft add rule ip filter output tcp sport 443 ct state established accept

  7. Allow DNS queries (assuming DNS uses port 53; note that these rules admit inbound traffic to port 53, i.e. they are for a resolver that runs on this host):

    sudo nft add rule ip filter input udp dport 53 ct state new,established accept
    sudo nft add rule ip filter output udp sport 53 ct state established accept
    sudo nft add rule ip filter input tcp dport 53 ct state new,established accept
    sudo nft add rule ip filter output tcp sport 53 ct state established accept

  8. Save the nftables rules (the redirection has to run as root, and the file starts with `flush ruleset` so that loading it again replaces the live rules instead of appending duplicates):

    sudo sh -c '{ echo "flush ruleset"; nft list ruleset; } > /etc/nftables.conf'

  9. Load the rules at boot: create a systemd service that restores them:

    sudo nano /etc/systemd/system/nftables-restore.service

    Add the following content:

    [Unit]
    Description=Restore nftables rules
    # Load the rules before any interface is configured; see network-pre.target in systemd.special(7)
    Wants=network-pre.target
    Before=network-pre.target

    [Service]
    Type=oneshot
    ExecStart=/sbin/nft -f /etc/nftables.conf

    [Install]
    WantedBy=multi-user.target

    Enable and start the service:

    sudo systemctl daemon-reload
    sudo systemctl enable nftables-restore.service
    sudo systemctl start nftables-restore.service
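Two mistakes silently turn an nftables firewall off while everything looks fine: a base chain whose policy was never set (it defaults to accept), and an unconditional `accept` rule added to a chain, which makes every rule after it dead. The script below is an added example, not code from the original article or the nftables project: it writes a complete, reloadable /etc/nftables.conf for the policy of steps 3 to 6 and audits any `nft list ruleset` dump (or config file in the same syntax) for those two mistakes. It goes slightly beyond the steps above in that it uses the `inet` family, so one table covers IPv4 and IPv6, and it takes the TCP ports to open as arguments; both are this example's assumptions. The config begins with `#!/usr/sbin/nft -f` and `flush ruleset` because that is the shape the nftables.service unit shipped by Debian's nftables package expects when it loads /etc/nftables.conf at boot, so on a stock install `systemctl enable nftables` is an alternative to the custom unit in step 9. The constructed dump in `sample_bad_ruleset` is test input, not output captured from a real host.

```bash
#!/bin/sh
# Added example, not code from the original article: write a reloadable
# /etc/nftables.conf and audit a ruleset dump for a base chain that still has
# policy accept and for an unconditional "accept" rule that makes later
# rules dead. Assumptions: TCP ports to open are given as arguments; the
# inet family is used so the same rules cover IPv4 and IPv6.

# gen_nftables_conf PORT... : print a complete nftables.conf to stdout.
gen_nftables_conf() {
    ports=$(printf '%s, ' "$@"); ports=${ports%, }
    cat <<EOF
#!/usr/sbin/nft -f
# flush first so that loading the file again replaces rules instead of appending
flush ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ct state established,related accept
		ct state invalid drop
		tcp dport { $ports } ct state new accept
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
EOF
}

# audit_nft_ruleset FILE : FILE holds "nft list ruleset" output or a config in
# the same syntax. Prints one finding per line; exit status 1 if there is any.
audit_nft_ruleset() {
    awk '
    /^[[:space:]]*chain / { chain = $2; hook = ""; policy = "accept"; bare = 0; next }
    chain != "" && /type filter hook/ {
        for (i = 1; i <= NF; i++) if ($i == "hook") hook = $(i + 1)
        if ($0 ~ /policy drop/) policy = "drop"
        next
    }
    chain != "" && /^[[:space:]]*accept[[:space:]]*$/ { bare = 1; next }
    chain != "" && /^[[:space:]]*}/ {
        if ((hook == "input" || hook == "forward") && policy != "drop") {
            printf "chain %s (hook %s): policy is %s, expected drop\n", chain, hook, policy
            total++
        }
        if (hook != "" && bare) {
            printf "chain %s (hook %s): unconditional accept makes later rules dead\n", chain, hook
            total++
        }
        chain = ""
        next
    }
    END { exit (total > 0) }
    ' "$1"
}

# sample_bad_ruleset : constructed dump (not captured from a real host) of a
# setup that created chains without a policy and added a bare accept rule.
sample_bad_ruleset() {
    cat <<'EOF'
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		accept
		iif "lo" accept
		tcp dport 22 ct state new,established accept
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
		accept
	}
	chain output {
		type filter hook output priority 0; policy accept;
		accept
		oif "lo" accept
	}
}
EOF
}

# finding_count FILE : number of findings reported by audit_nft_ruleset.
finding_count() {
    audit_nft_ruleset "$1" | wc -l | tr -d ' '
}

# Demo: the generated config passes the audit, the constructed dump does not.
tmp=$(mktemp)
gen_nftables_conf 22 80 443 > "$tmp"
audit_nft_ruleset "$tmp" && echo "generated nftables.conf: no findings"
sample_bad_ruleset > "$tmp"
audit_nft_ruleset "$tmp" || echo "constructed dump: $(finding_count "$tmp") finding(s)"
rm -f "$tmp"
```

On a live host, `sudo nft list ruleset > /tmp/ruleset.txt` followed by `audit_nft_ruleset /tmp/ruleset.txt` is a quick way to confirm that the loaded rules still have the drop policies after a reload, and `sudo nft -c -f /etc/nftables.conf` checks the syntax of the generated file without loading it.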
    

With the steps above you have a basic set of firewall rules on a Debian Minimal system. Adjust and extend them as your actual requirements dictate.