abra o arquivo de configuração iptables e adicione esta regra
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Eu uso este script bash para configurar o iptables, tente conectar-me ao servidor web que escuta a porta 80, mas todas as solicitações negadas pelo $IPT -A OUTPUT -j LOG_DROP7
. Se eu não usar essa regra, todas as portas serão abertas!
#!/bin/bash
DEF_SSHPORT=9811;
ETH_INTERFACE=ens3;
echo "The network interface is $ETH_INTERFACE.";
echo "The SSH port is $DEF_SSHPORT.";
IPT=/sbin/iptables;
#remove all the previous
$IPT -X;
$IPT -F;
$IPT -t nat -F;
$IPT -t nat -X;
$IPT -t mangle -F;
$IPT -t mangle -X;
######################
# Default Policy DROP#
###################v##
$IPT -P INPUT -j DROP;
$IPT -P FORWARD -j DROP;
$IPT -P OUTPUT -j DROP;
#rules for log and drop
$IPT -N LOG_DROP;
$IPT -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6;
$IPT -A LOG_DROP -j DROP;
$IPT -N LOG_DROP1;
$IPT -A LOG_DROP1 -j LOG --log-prefix "INPUT:DROP1: " --log-level 6;
$IPT -A LOG_DROP1 -j DROP;
$IPT -N LOG_DROP2;
$IPT -A LOG_DROP2 -j LOG --log-prefix "INPUT:DROP2: " --log-level 6;
$IPT -A LOG_DROP2 -j DROP;
$IPT -N LOG_DROP3;
$IPT -A LOG_DROP3 -j LOG --log-prefix "INPUT:DROP3: " --log-level 6;
$IPT -A LOG_DROP3 -j DROP;
$IPT -N LOG_DROP4;
$IPT -A LOG_DROP4 -j LOG --log-prefix "INPUT:DROP4: " --log-level 6;
$IPT -A LOG_DROP4 -j DROP;
$IPT -N LOG_DROP5;
$IPT -A LOG_DROP5 -j LOG --log-prefix "INPUT:DROP5: " --log-level 6;
$IPT -A LOG_DROP5 -j DROP;
$IPT -N LOG_DROP6;
$IPT -A LOG_DROP6 -j LOG --log-prefix "INPUT:DROP6: " --log-level 6;
$IPT -A LOG_DROP6 -j DROP;
$IPT -N LOG_DROP7;
$IPT -A LOG_DROP7 -j LOG --log-prefix "INPUT:DROP7: " --log-level 6;
$IPT -A LOG_DROP7 -j DROP;
$IPT -N LOG_ALLOW7;
$IPT -A LOG_ALLOW7 -j LOG --log-prefix "INPUT:ALLOW8080: " --log-level 6;
$IPT -A LOG_ALLOW7 -j ACCEPT;
$IPT -N LOG_REJECT;
$IPT -A LOG_REJECT -j LOG --log-prefix "INPUT:REJECT: " --log-level 5;
$IPT -A LOG_REJECT -j DROP;
# We don't break the established connections
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
# echo "Established connections allowed";
# Authorizes the incoming and outgoing traffic on the loopback network interface (IP : 127.0.0.1)
$IPT -t filter -A INPUT -i lo -j ACCEPT;
$IPT -t filter -A OUTPUT -o lo -j ACCEPT;
echo "Loopback traffic allowed";
#
# Allow outgoing pings
#
$IPT -t filter -A OUTPUT -o $ETH_INTERFACE -p icmp -j ACCEPT;
#
# Allow TCP connections on tcp port 80, 8080, 443, $DEF_SSHPORT
#
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
#ssh
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --dport $DEF_SSHPORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --sport $DEF_SSHPORT -m conntrack --ctstate ESTABLISHED -j ACCEPT;
#REROUTE from 80 to 8080 and 443 to 8443
$IPT -t nat -A PREROUTING -i $ETH_INTERFACE -p tcp --dport 80 -j DNAT --to :8080;
$IPT -t nat -A PREROUTING -i $ETH_INTERFACE -p tcp --dport 443 -j DNAT --to :8443;
########################
########ANTI DDOS########
########################
#reject traffic to localhost that does not originate from lo0
#$IPT -t filter -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG --log-prefix -j LOG_DROP1;
echo "rule 1";
### 1: Drop invalid packets ###
$IPT -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j LOG_DROP1;
echo "rule 2";
### 2: Drop TCP packets that are new and are not SYN ###
$IPT -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j LOG_DROP1;
echo "rule 3";
### 3: Drop SYN packets with suspicious MSS value ###
$IPT -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j LOG_DROP2;
echo "rule 4";
### 4: Block packets with bogus TCP flags ###
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP2;
echo "rule 5";
### 5: Block spoofed packets ###
$IPT -t mangle -A PREROUTING -s 224.0.0.0/3 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 169.254.0.0/16 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 172.16.0.0/12 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 192.0.2.0/24 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 192.168.0.0/16 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 10.0.0.0/8 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 0.0.0.0/8 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 240.0.0.0/5 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j LOG_DROP3;
echo "rule 6";
### 6: Drop ICMP (you usually don't need this protocol) ###
$IPT -t mangle -A PREROUTING -p icmp -j LOG_DROP4;
echo "rule 7";
### 7: Drop fragments in all chains ###
$IPT -t mangle -A PREROUTING -f -j LOG_DROP4;
echo "rule 8";
### 8: Limit connections per source IP ###
$IPT -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset;
echo "rule 9";
### 9: Limit RST packets ###
$IPT -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT;
$IPT -A INPUT -p tcp --tcp-flags RST RST -j DROP;
echo "rule 10";
### 10: Limit new TCP connections per second per source IP ###
$IPT -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT;
$IPT -A INPUT -p tcp -m conntrack --ctstate NEW -j LOG_DROP4;
echo "rule 11";
### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
#$IPT -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack;
#$IPT -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460;
#$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP;
echo "rule ssh brute-force protection";
### SSH brute-force protection ###
$IPT -A INPUT -p tcp --dport $DEF_SSHPORT -m conntrack --ctstate NEW -m recent --set;
$IPT -A INPUT -p tcp --dport $DEF_SSHPORT -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j LOG_DROP4;
echo "rule ssh protection against port scanning";
### Protection against port scanning ###
$IPT -N port-scanning;
$IPT -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN;
$IPT -A port-scanning -j LOG_DROP4;
#echo "reject traffic to localhost that does not originate from lo";
#reject traffic to localhost that does not originate from lo
#$IPT -t filter -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG_DROP4;
######################
# Default Policy DROP#
###################v##
$IPT -A INPUT -i $ETH_INTERFACE -j LOG_DROP5;
$IPT -A FORWARD -i $ETH_INTERFACE -j LOG_DROP6;
$IPT -A OUTPUT -j LOG_DROP7;
rm /etc/iptables/rules.v4;
iptables-save > /etc/iptables/rules.v4;
apt-get install -y iptables-persistent;
Você pode me ajudar a editar as regras para permitir conexões tcp em 80?
Isso é ifconfig
output:
ens3 Link encap:Ethernet HWaddr fa:16:3e:4c:4c:65
inet addr:... Bcast:... Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3598 errors:0 dropped:0 overruns:0 frame:0
TX packets:3118 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:268852 (268.8 KB) TX bytes:4216143 (4.2 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:18186 errors:0 dropped:0 overruns:0 frame:0
TX packets:18186 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1262093 (1.2 MB) TX bytes:1262093 (1.2 MB)
abra o arquivo de configuração iptables e adicione esta regra
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Descobri que isso ajudou:
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --sport 1024:65535 --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --sport 8080 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;
Obrigado a todos!