Deepin系统配置Iptables防火墙
最近不知道为什么重启之后很多服务都用不了,排查后发现是安装 Docker 时一并装上了 iptables 防火墙(Docker 会往 iptables 里写自己的规则)。在网上查资料解决之后写下这篇文章做个记录。
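# Check whether the iptables userspace tool is present.  `command -v` is the
# portable test (the original used `whereis`, which also lists man pages).
command -v iptables
# Example output when it is installed:
#   /sbin/iptables
# Install it if missing (Debian/Deepin).  The error further down reports
# "iptables v1.8.7 (nf_tables)", i.e. this is the nf_tables-backed iptables;
# the rules it writes also show up under `nft list ruleset`.
apt-get install -y iptables
# Dump the live ruleset.  `-n` avoids reverse-DNS lookups (slow, and leaks
# queries), `-v` shows the interface and counter columns needed to read
# Docker's rules.  Note that `-L` only shows the *filter table by default;
# `iptables-save` (used next) prints every table and is the authoritative view.
iptables -L -n -v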
root@deepin:/home/saltedfishjun# iptables-save
# Generated by iptables-save v1.8.7 on Tue May 28 15:50:39 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:App - [0:0]
:Main - [0:0]
-A OUTPUT -j Main
-A Main -o lo -j RETURN
COMMIT
# Completed on Tue May 28 15:50:39 2024
# Generated by iptables-save v1.8.7 on Tue May 28 15:50:39 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -j NFQUEUE --queue-num 0
-A INPUT -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-521679a0d583 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-521679a0d583 -j DOCKER
-A FORWARD -i br-521679a0d583 ! -o br-521679a0d583 -j ACCEPT
-A FORWARD -i br-521679a0d583 -o br-521679a0d583 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-521679a0d583 -o br-521679a0d583 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6806 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-521679a0d583 -o br-521679a0d583 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 90 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-521679a0d583 ! -o br-521679a0d583 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-521679a0d583 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue May 28 15:50:39 2024
# Generated by iptables-save v1.8.7 on Tue May 28 15:50:39 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-521679a0d583 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 6806 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 90 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-521679a0d583 -j RETURN
-A DOCKER ! -i br-521679a0d583 -p tcp -m tcp --dport 8880 -j DNAT --to-destination 172.18.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6806 -j DNAT --to-destination 172.17.0.2:6806
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3004 -j DNAT --to-destination 172.17.0.3:3000
-A DOCKER ! -i br-521679a0d583 -p tcp -m tcp --dport 8089 -j DNAT --to-destination 172.18.0.3:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 172.17.0.4:90
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 88 -j DNAT --to-destination 172.17.0.4:80
COMMIT
# Completed on Tue May 28 15:50:39 2024
root@deepin:/home/saltedfishjun# iptables -A INPUT -j ACCEPTiptables -A INPUT -p tcp --dport 8888 -j ACCEPT
iptables v1.8.7 (nf_tables): Cannot use -A with -A
(上面其实是两条命令被粘贴到了同一行,所以 iptables 报 "Cannot use -A with -A";应分开执行:
`iptables -A INPUT -j ACCEPT` 和 `iptables -A INPUT -p tcp --dport 8888 -j ACCEPT`。
不过要注意:INPUT 链里已经有 `-j ACCEPT` 的全部放行规则,再往后面追加 8888 的放行不会改变任何效果;而且这样临时添加的规则没有写入文件,重启后会丢失。)
从上面的输出其实可以看到,filter 表 INPUT 链的默认策略是 ACCEPT,链里还有 `-A INPUT -j ACCEPT`,也就是说主机本身的端口全部是放行的,并不是“只开放了常用端口”。Docker 写入的是 FORWARD/DOCKER* 链以及 nat 表里的端口映射(8880、6806、3004、8089、90、88 -> 容器),它不会在 INPUT 链里开关端口。真正可能导致服务不可用的是 INPUT 链第一条 `-j NFQUEUE --queue-num 0`:它把入站包交给用户态程序处理,按 iptables 文档,如果没有程序在监听 0 号队列,这些包会被直接丢弃(除非加了 `--queue-bypass`)。下面我们用自己的规则文件来明确控制入站端口。
vim /etc/iptables/rules.v4
添加以下内容(备注:80 是指 Web 服务器端口,3306 是指 MySQL 数据库连接端口,22 是指 SSH 远程管理端口)。注意规则里只放行真正需要的端口:像 `--dport 0:65535` 这种写法会放行全部端口,`:INPUT DROP` 的默认策略就形同虚设了;另外 3306 这类数据库端口建议用 `-s` 限定来源网段或者只让 MySQL 监听 127.0.0.1。
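# /etc/iptables/rules.v4 -- host-level (INPUT) policy for this box.
# Loaded with `iptables-restore`: every table listed here is FLUSHED and
# replaced.  User-defined chains in *filter that are not in this file
# (Docker's DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-*) are deleted and
# only come back when the Docker daemon is restarted.  The *nat table is not
# listed, so Docker's DNAT/MASQUERADE entries are left untouched.
*filter
# Default-deny for traffic addressed to the host itself.
:INPUT DROP [0:0]
# Docker sets FORWARD to DROP and gates container traffic through its own
# chains (see the iptables-save dump above).  Keep DROP rather than ACCEPT so
# the host does not become an open router while Docker's chains are absent.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]

# Loopback and already-established flows first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify (bad flags, out-of-window) are dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Rate-limit new TCP connections (SYN only).  This must come BEFORE any
# accept rule; placed after a NEW-accept it is never consulted.
-A INPUT -p tcp --syn -j syn-flood

# Host services: one line per port.  Do NOT use --dport 0:65535 -- that
# accepts every port and makes the DROP policy meaningless.
# 22   - SSH remote administration
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
# 80   - web server running on the host
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT
# 3306 - MySQL.  Exposing the database to every source is rarely intended;
#        add `-s <trusted-cidr>` here or bind MySQL to 127.0.0.1 instead.
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 3306 -j ACCEPT
# Ports published by Docker (`-p host:container`) are DNATed in the *nat
# table and traverse FORWARD, not INPUT, so they need no entry here.  Other
# host-local services (e.g. the 8888 tried interactively above) get their
# own line in the same form.

# ICMP at a bounded rate (ping, path-MTU discovery, error messages).  One
# limit rule is enough; with two stacked limit rules only the first matters.
-A INPUT -p icmp -m limit --limit 10/sec --limit-burst 20 -j ACCEPT

# Everything else is refused explicitly so clients fail fast instead of
# timing out; the chain policy remains the backstop.
-A INPUT -j REJECT --reject-with icmp-host-prohibited

# syn-flood: up to 3 new SYNs per second (burst 6) continue down INPUT, the
# rest are rejected.  Raise the limit if the host serves many clients.
-A syn-flood -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT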
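# Keep a copy of the live ruleset so a mistake can be undone quickly.
iptables-save > /root/rules.v4.bak
# Validate the file before touching the kernel: a syntax error half-way
# through would otherwise leave a partially loaded table.
iptables-restore --test /etc/iptables/rules.v4 || exit 1
# Doing this over SSH with an INPUT DROP policy can lock you out.  Keep a
# second session open, or schedule an automatic revert until you have
# confirmed you can still log in:
#   (sleep 120 && iptables-restore < /root/rules.v4.bak) &
iptables-restore < /etc/iptables/rules.v4
# Every table listed in the file is flushed and replaced, which also removes
# Docker's DOCKER*/DOCKER-USER chains from *filter.  Restart the daemon so it
# recreates them; published ports and container isolation depend on them.
systemctl restart docker
# Show the result: -n skips reverse DNS, -v adds interface/counter columns.
# /etc/iptables/rules.v4 is only re-applied at boot if the
# iptables-persistent/netfilter-persistent package is installed; without it
# the ruleset is gone after the next reboot.
iptables -L -n -v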
查看规则是否生效.
转载请注明出处