
First Look at Firewall Configuration on a Web Server

皮皮娃学习网, 2020-07-13, category: Source & Plugins

I finally ran into this problem, so I started paying attention to the firewall configuration of the web server.

On my current Alibaba Cloud server I run Ubuntu. Listing the iptables rules gives the following:

xinlin@iZ239r252v4Z:~$ sudo iptables -L -n
[sudo] password for xinlin:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

There is no configuration at all: every chain is empty and the default policy is ACCEPT, which means iptables on Alibaba Cloud's Ubuntu image does nothing and lets all traffic through.

Alibaba Cloud does, however, have security groups, and configuring the rules there has the same effect.

Ubuntu ships its own firewall configuration tool, ufw.

xinlin@iZ239r252v4Z:~$ which ufw
/usr/sbin/ufw
xinlin@iZ239r252v4Z:~$ service ufw status
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2019-03-08 03:33:29 CST; 1 months 11 days ago
Main PID: 188 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ufw.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

The service exists, but ufw is not enabled by default (the unit being "active (exited)" only says it ran at boot; `sudo ufw status` reports whether the firewall itself is enabled).

While tinkering with a CentOS 7 VM, I compiled and installed Apache, started it, and found I could not reach the built-in test page.

The reason is CentOS 7's iptables configuration: a rule allowing traffic to port 80 has to be added to the INPUT chain by hand.

Below is the initial iptables configuration of CentOS 7 (minimal install):

[xinlin@promote ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination

CentOS's iptables configuration is clearly much more complex, reflecting the cautious attitude of the RedHat family of distributions: in the listing above only TCP port 22 is accepted (in IN_public_allow), and everything else that is not part of an established connection ends at the final REJECT with icmp-host-prohibited.

If you choose a server not on Alibaba Cloud, you may have to open certain ports yourself, such as 80 and 443. If you install Apache or Nginx on CentOS but cannot reach the test page, this is very likely the cause, and you need to configure iptables manually to open the port.

On CentOS 7, firewalld has replaced iptables: the system has no iptables service, only the firewalld service.

[xinlin@promote ~]$ service iptables status
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
[xinlin@promote ~]$ service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-04-18 12:45:02 CST; 2h 20min ago
Docs: man:firewalld(1)
Main PID: 685 (firewalld)
CGroup: /system.slice/firewalld.service
└─685 /usr/bin/Python -Es /usr/sbin/firewalld --nofork --nopid

Apr 18 12:45:02 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 18 12:45:02 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[xinlin@promote ~]$ ps -e | grep firewalld
685 ? 00:00:00 firewalld

Check whether port 80 is open:

[xinlin@promote ~]$ sudo firewall-cmd --query-port=80/tcp
no

Whether it is ufw on Ubuntu or firewalld on CentOS (and RedHat), iptables is doing the work underneath.
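Added example, not code from the original post: a small POSIX shell helper that does what the post describes by hand, detecting whether firewalld, ufw, or bare iptables is in charge and opening TCP 80/443 with the matching command. The firewall-cmd, ufw and iptables invocations are the standard ones for those tools; the DRY_RUN variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: open HTTP/HTTPS on whichever
# firewall front-end the host uses (firewalld, ufw, or bare iptables).
# DRY_RUN=1 prints the commands instead of running them through sudo.
# On a cloud host the provider's security group must also allow the port.

# Report which front-end is in charge; firewalld is chosen only when it is
# running, because rules added with iptables directly would not survive
# a firewalld reload.
detect_firewall() {
    if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
        echo firewalld
    elif command -v ufw >/dev/null 2>&1; then
        echo ufw
    elif command -v iptables >/dev/null 2>&1; then
        echo iptables
    else
        echo none
    fi
}

# Print, one per line, the commands that open TCP port $2 under front-end $1; returns 1 for an unknown front-end.
open_port_cmds() {
    case "$1" in
        firewalld)
            # --permanent survives reboots; --reload applies it to the runtime set
            echo "firewall-cmd --permanent --zone=public --add-port=$2/tcp"
            echo "firewall-cmd --reload" ;;
        ufw)
            echo "ufw allow $2/tcp" ;;
        iptables)
            # Insert ahead of the final REJECT; only NEW connections need it,
            # RELATED,ESTABLISHED is already accepted. Not persistent by itself.
            echo "iptables -I INPUT -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT" ;;
        *)
            return 1 ;;
    esac
}

# Open every port given as an argument, e.g.: open_ports 80 443
open_ports() {
    fw=$(detect_firewall)
    for port in "$@"; do
        cmds=$(open_port_cmds "$fw" "$port") || { echo "no supported firewall found" >&2; return 1; }
        echo "$cmds" | while IFS= read -r cmd; do
            if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sudo $cmd; fi
        done
    done
}
```

After running it, the post's own check (`firewall-cmd --query-port=80/tcp` on firewalld, `ufw status` on Ubuntu) should report the port as open.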

Title: First Look at Firewall Configuration on a Web Server
Link: https://www.ppwxxw.com/post/297.html
Author authorization: unless otherwise stated, this article was written or compiled by 皮皮娃学习网 and published with its authorization.
Copyright notice: this article is released under no particular license; you may freely reproduce or use it in any form.

Tags: SEO optimization, SEO troubleshooting, Linux tutorials
