注意:
由于启用了iptables防火墙,请注意下FTP的主被动模式。
FTP使用的是21端口,在进行FTP文件传输时,客户端首先连接到21端口,进行用户的认证,认证成功后,当要传输文件时,服务器会开一个端口为20来进行传输数据文件,即端口20才是真正传输所用到的端口,端口21只用于FTP的登陆认证。
例如,使用vsftpd做ftp时,可以使用以下配置来限制端口访问,并且方便iptables规则设置:
脚本内容:
#!/bin/bash
#filename:ipt.sh
#by www.jb200.com
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH
#Begin
start(){
#kernal setting
echo "Kernal Setting..."
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 3 > /proc/sys/net/ipv4/tcp_retries1
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#iptables setting
echo "Iptables Setting..."
#default policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
#clear original rules
iptables -F
#input rule
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222:2225 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -m state --state INVALID,NEW -j DROP
BADIPS="`curl -s http://feeds.dshield.org/block.txt | awk '/^[1-9]/ {print $1 "/" $3}'`"
if [ "$BADIPS" ];then
for ip in $BADIPS
do
iptables -I INPUT -s $ip -j DROP
done
fi
}
stop(){
echo "Cleaning your Iptables:..."
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
/etc/init.d/iptables stop
if [ "$?" == "0" ];then
echo "Done!"
fi
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop && start
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
#End
保存脚本为ipt.sh,并添加到rc.local中,开机自动启动。