To set up a firewall on a Debian Minimal system, iptables or nftables is usually recommended. Below are the basic steps for setting up a firewall with each of these two tools:
iptables
Update the system:
sudo apt update && sudo apt upgrade -y
Install iptables (if it is not already installed):
sudo apt install iptables -y
Set the default policies:
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
Allow loopback traffic, and replies to connections this host opened itself (without the ESTABLISHED,RELATED rule the INPUT DROP policy discards the answers to the host's own outbound connections, so apt and DNS lookups would stop working):
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Allow SSH connections (assuming SSH listens on port 22):
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow HTTP and HTTPS connections (assuming port 80 for HTTP and port 443 for HTTPS):
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow DNS queries (assuming DNS uses port 53):
sudo iptables -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Save the iptables rules:
A Debian Minimal system has no default mechanism for saving iptables rules, so you need to save them manually. The following commands write the rules to a file; the target directory does not exist by default, so create it first, and run the redirection inside sh -c so that it executes as root:
sudo mkdir -p /etc/iptables
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
Load the rules at boot: create a systemd service that restores them:
sudo nano /etc/systemd/system/iptables-restore.service
Add the following content (systemd does not perform shell redirection in ExecStart, so the command is wrapped in sh -c):
[Unit]
Description=Restore IPTables rules
After=network.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c "/sbin/iptables-restore < /etc/iptables/rules.v4"
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl enable iptables-restore.service
sudo systemctl start iptables-restore.service
nftables
Update the system:
sudo apt update && sudo apt upgrade -y
Install nftables (if it is not already installed):
sudo apt install nftables -y
Set the default policies (drop unsolicited inbound and forwarded traffic, accept outbound, matching the iptables section; the policy belongs in the chain definition, since a plain accept rule would admit all traffic):
sudo nft add table ip filter
sudo nft add chain ip filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add chain ip filter forward { type filter hook forward priority 0 \; policy drop \; }
sudo nft add chain ip filter output { type filter hook output priority 0 \; policy accept \; }
Allow loopback traffic, and replies to connections this host opened itself (the established,related rule admits the answers to the host's own outbound connections, which the input drop policy would otherwise discard):
sudo nft add rule ip filter input iif lo accept
sudo nft add rule ip filter output oif lo accept
sudo nft add rule ip filter input ct state established,related accept
Allow SSH connections (assuming SSH listens on port 22):
sudo nft add rule ip filter input tcp dport 22 ct state new,established accept
sudo nft add rule ip filter output tcp sport 22 ct state established accept
Allow HTTP and HTTPS connections (assuming port 80 for HTTP and port 443 for HTTPS):
sudo nft add rule ip filter input tcp dport 80 ct state new,established accept
sudo nft add rule ip filter output tcp sport 80 ct state established accept
sudo nft add rule ip filter input tcp dport 443 ct state new,established accept
sudo nft add rule ip filter output tcp sport 443 ct state established accept
Allow DNS queries (assuming DNS uses port 53):
sudo nft add rule ip filter input udp dport 53 ct state new,established accept
sudo nft add rule ip filter output udp sport 53 ct state established accept
sudo nft add rule ip filter input tcp dport 53 ct state new,established accept
sudo nft add rule ip filter output tcp sport 53 ct state established accept
Save the nftables rules (the redirection runs inside sh -c so that it executes as root; the file is prefixed with flush ruleset so that reloading it replaces the rules instead of appending duplicate copies):
sudo sh -c "{ echo 'flush ruleset'; nft list ruleset; } > /etc/nftables.conf"
Load the rules at boot: create a systemd service that loads them (the Debian nftables package already ships an nftables.service that runs this same command, so sudo systemctl enable nftables is an alternative to the custom unit below):
sudo nano /etc/systemd/system/nftables-restore.service
Add the following content:
[Unit]
Description=Restore nftables rules
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/nft -f /etc/nftables.conf
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl enable nftables-restore.service
sudo systemctl start nftables-restore.service
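The nftables section above adds rules one nft command at a time and then saves them; the idiomatic alternative is to write the whole ruleset as one declarative file that nft -f loads atomically, which is what the saved /etc/nftables.conf and the boot service consume. The script below is an added example, not code from the original page: it generates such a file for the same policy (default drop, loopback, established/related replies, SSH and web ports) and checks it with nft -c where that is possible. The helper names gen_nft_ruleset and check_nft_ruleset, and the temporary output path, are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): emit the rules from the nftables
# section as ONE declarative /etc/nftables.conf, the form `nft -f` loads
# atomically, and check it with `nft -c` where that is possible.
# The helper names gen_nft_ruleset / check_nft_ruleset are assumptions.

# gen_nft_ruleset [SSH_PORT] [WEB_PORT...]  -> ruleset text on stdout
gen_nft_ruleset() {
    ssh_port="${1:-22}"
    [ $# -gt 0 ] && shift
    web_ports="$(printf '%s, ' "$@" | sed 's/, $//')"
    [ -n "$web_ports" ] || web_ports="80, 443"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport ${ssh_port} ct state new accept
        tcp dport { ${web_ports} } ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_nft_ruleset FILE -> 0 when nft accepts the file without loading it.
# The check needs root and nft; otherwise it is skipped with a notice.
check_nft_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "skipping nft -c check of $1 (needs root and nft)" >&2
    fi
}

# Stand-alone run: write to a constructed temp path instead of /etc.
out="${NFT_OUT:-/tmp/nftables.conf.example}"
gen_nft_ruleset 22 80 443 > "$out"
check_nft_ruleset "$out" || echo "nft rejected $out" >&2
```

To install the generated file for real, run the script as root with NFT_OUT=/etc/nftables.conf and then sudo nft -f /etc/nftables.conf.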
With the steps above you can set up basic firewall rules on a Debian Minimal system. You can adjust and extend these rules further according to your actual needs.