Introduction
For security reasons a server sometimes needs to restrict access from particular IP addresses or to particular ports. How is that actually configured? This article walks through it on Ubuntu, first with iptables and then with ufw.
Blocking IPs and ports
1. Method 1: iptables
For reference, the built-in help text (iptables -h) of the version used here:
iptables v1.8.4
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
- Block ports (inbound TCP)
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 5053 -j DROP
-A appends to the end of the INPUT chain, so the DROP only takes effect if no earlier rule (for example an ACCEPT added by another tool) matches the packet first; use -I to put the rule at the top instead. These rules cover IPv4 only; if the host is reachable over IPv6, repeat them with ip6tables.
- Block an IP address
iptables -I INPUT -s 10.115.10.129 -j DROP
- Save the configuration
sudo service iptables save
Tested: this does not work on Ubuntu and fails with "iptables: unrecognized service" (the iptables service script is a Red Hat family convention).
The following command runs:
sudo iptables-save
Note, however, that iptables-save only prints the live rule set to standard output; on its own it persists nothing, and the rules are gone after a reboot. To keep them, save that output to a file and reload it at boot. On Ubuntu the usual way is the iptables-persistent package: sudo netfilter-persistent save writes the current rules to /etc/iptables/rules.v4 (and rules.v6), and the package restores them at startup.
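The save step is where this method most often goes wrong, so here is the whole iptables procedure as one re-runnable script. It is an added example, not code from the original article: it builds the DROP rules above as an iptables-restore ruleset, validates the inputs, dry-runs the ruleset with iptables-restore --test before loading it, and writes it where the iptables-persistent package picks it up at boot. The port and address lists, the function names and the --apply flag are this example's own choices; /etc/iptables/rules.v4 is the file iptables-persistent reads.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: generate, validate, test-load and
# persist the INPUT DROP rules from the iptables section above.
# Assumptions: the two lists below are constructed; /etc/iptables/rules.v4 is the
# file the iptables-persistent package restores at boot.

BLOCK_TCP_PORTS="80 5053"        # constructed: drop inbound TCP to these ports
BLOCK_SRC_IPS="10.115.10.129"    # constructed: drop everything from these sources

# A port must be an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# An address must be four octets of 0..255 with an optional /0../32 prefix.
valid_ipv4() {
  local ip="${1%%/*}" prefix="${1#*/}" o
  [ "$prefix" = "$1" ] && prefix=32             # no slash: plain host address
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in .*|*.|*..*) return 1 ;; esac     # an empty octet somewhere
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Emit the ruleset in iptables-save format. iptables-restore applies it top-down and
# the chain policies stay ACCEPT, so this is a pure block list: only the listed
# sources and ports are dropped, everything else passes.
gen_rules() {
  local ports="$1" ips="$2" p ip
  for p in $ports; do valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }; done
  for ip in $ips; do valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }; done
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  for ip in $ips; do printf '%s\n' "-A INPUT -s $ip -j DROP"; done
  for p in $ports; do printf '%s\n' "-A INPUT -p tcp --dport $p -j DROP"; done
  printf '%s\n' 'COMMIT'
}

# Add a single rule only if an identical one is not already present (-C checks),
# so repeated runs never stack duplicate DROPs the way repeated -A calls do.
add_rule_once() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# Root only: dry-run the ruleset with --test (parsed and built, nothing committed),
# then load it (this replaces the filter table; add --noflush to merge instead) and
# move it into place for iptables-persistent. IPv4 only; rules.v6 needs ip6tables.
apply_rules() {
  local target="${1:-/etc/iptables/rules.v4}"
  gen_rules "$BLOCK_TCP_PORTS" "$BLOCK_SRC_IPS" > "$target.new" || return 1
  iptables-restore --test < "$target.new" || { echo "ruleset rejected" >&2; return 1; }
  iptables-restore < "$target.new" && mv "$target.new" "$target"
}

gen_rules "$BLOCK_TCP_PORTS" "$BLOCK_SRC_IPS"      # print the ruleset for review
if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
  apply_rules
fi
```

Run it without arguments to see the generated ruleset, and as root with --apply to load and persist it. Because the file is a complete *filter table, it replaces whatever is loaded; if other rules must survive, merge with iptables-restore --noflush or use add_rule_once for individual rules instead.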
2. Method 2: ufw
UFW (Uncomplicated Firewall) is the firewall configuration tool that ships with Ubuntu. It is a user-friendly front end that manages iptables rules for you; its whole purpose is to make iptables administration simpler. Its help text (ufw --help):
Usage: ufw COMMAND
Commands:
enable enables the firewall
disable disables the firewall
default ARG set default policy
logging LEVEL set logging to LEVEL
allow ARGS add allow rule
deny ARGS add deny rule
reject ARGS add reject rule
limit ARGS add limit rule
delete RULE|NUM delete RULE
insert NUM RULE insert RULE at NUM
route RULE add route RULE
route delete RULE|NUM delete route RULE
route insert NUM RULE insert route RULE at NUM
reload reload firewall
reset reset firewall
status show firewall status
status numbered show firewall status as numbered list of RULES
status verbose show verbose firewall status
show ARG show firewall report
version display version information
Application profile commands:
app list list application profiles
app info PROFILE show information on PROFILE
app update PROFILE update PROFILE
app default ARG set default application policy
ufw is installed on Ubuntu but not enabled after installation. If you simply run ufw enable, it comes up with its default policy, which denies all incoming connections (outgoing traffic is still allowed), including SSH on port 22. If you are working over SSH you lock yourself out, so allow the SSH port first (22 by default; if you moved sshd to another port, allow that one instead). ufw enable itself warns "Command may disrupt existing ssh connections" and asks for confirmation.
sudo ufw allow 22        # allow SSH; 22/tcp is enough, plain 22 opens udp as well
sudo ufw reject 80       # reject: the client is told at once: Connection refused
sudo ufw deny 5053       # deny: packets are silently dropped; the client waits until: Connection timed out
sudo ufw enable
sudo ufw status
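The sequence above is safe only if the port you allow first really is the one sshd listens on. The script below is an added example, not code from the original article: it reads the port from sshd_config instead of assuming 22, applies the allow before the default-deny policy goes live, puts host-wide denies at position 1 so they are evaluated before any allow, and only then enables ufw. The three lists are constructed, and ssh_ports_from_config and ufw_lockdown are this example's own function names.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: apply the ufw sequence above in an
# order that cannot lock out the SSH session running it. Assumptions: the three lists
# are constructed; ssh_ports_from_config and ufw_lockdown are this example's own
# names; the sshd_config path is the Ubuntu default.

REJECT_PORTS="80"             # constructed: client gets an immediate refusal
DENY_PORTS="5053"             # constructed: client sees only a timeout
DENY_SRC_IPS="192.168.1.1"    # constructed: hosts to block entirely

# Print every uncommented "Port N" from sshd_config, one per line (sshd may listen on
# several). "#Port 22" is a comment and is skipped. Falls back to 22, sshd's own
# default, when the file has no Port directive or cannot be read.
ssh_ports_from_config() {
  local cfg="${1:-/etc/ssh/sshd_config}" ports=""
  if [ -r "$cfg" ]; then
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$cfg")
  fi
  printf '%s\n' "${ports:-22}"
}

# Needs root. Every step is idempotent: ufw answers "Skipping adding existing rule"
# instead of duplicating a rule that is already present.
ufw_lockdown() {
  local cfg="${1:-/etc/ssh/sshd_config}" p ip
  # 1. SSH before anything else, so the allow exists before default-deny goes live.
  for p in $(ssh_ports_from_config "$cfg"); do
    ufw allow "$p/tcp" comment 'ssh'
  done
  # 2. Baseline: drop unsolicited inbound, allow outbound (ufw's defaults, made explicit).
  ufw default deny incoming
  ufw default allow outgoing
  # 3. Host-wide denies at position 1. ufw evaluates rules top-down and stops at the
  #    first match, so a deny appended after the allows above would never fire for
  #    traffic to the allowed ports. insert needs an existing rule, hence step 1 first.
  for ip in $DENY_SRC_IPS; do
    ufw insert 1 deny from "$ip" to any
  done
  # 4. Port blocks: reject answers the client at once, deny stays silent.
  for p in $REJECT_PORTS; do ufw reject "$p/tcp"; done
  for p in $DENY_PORTS;   do ufw deny   "$p/tcp"; done
  # 5. --force skips the "may disrupt existing ssh connections" prompt; then verify.
  ufw --force enable
  ufw status verbose
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
  ufw_lockdown
fi
```

Run it as root with --apply. Keep the current SSH session open and confirm from a second terminal that a new login still works before closing it; ufw status verbose at the end shows the default policies and the rule order, with the host-wide deny in first place.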
- Check whether ufw is active and list the rules in use (status verbose also shows the default policies)
ufw status
- Enable, disable or reset ufw (reset disables it and removes all rules)
ufw enable
ufw disable
ufw reset
- Allow other hosts to reach port 21 on this host; with no protocol given, both tcp and udp are opened
ufw allow 21
- Allow other hosts to reach port 80 on this host over tcp only
ufw allow 80/tcp
- in or out selects the direction; in is the default. Service names from /etc/services work in place of port numbers, so this allows access to this host's http port (80/tcp):
ufw allow in http
- Block other hosts from reaching port 80 on this host. There are two variants, which differ only in what the client sees:
reject: the packet is refused and the client is told so, which gives the client more information; an ssh to that port, for example, fails immediately with: Connection refused
deny: the packet is silently dropped and the client learns nothing; the same ssh hangs and only fails after a while with: Connection timed out
deny hides more from a scanner; reject spares legitimate clients the hang.
ufw reject 80
ufw deny 80
- Block this host from connecting out to 192.168.1.1
(tested: works)
ufw deny out to 192.168.1.1
- Block 192.168.1.1 from connecting in to this host
(tested as written: no effect)
ufw deny from 192.168.1.1
The usual reason this appears not to work is rule order: ufw appends new rules to the end of the list and evaluates them top-down, first match wins, so a deny for 192.168.1.1 added after the allow rules for 22 or 80 is never reached for traffic to those ports. Put the host-wide deny at the top instead with ufw insert 1 deny from 192.168.1.1 to any, then confirm the order with ufw status numbered.
- Delete a rule by repeating it with delete in front
ufw delete deny 80/tcp
The rule has to match exactly (deny 80 and deny 80/tcp are different rules); when in doubt, run ufw status numbered and delete by position with ufw delete NUM.
- Turn logging on or off
ufw logging on
ufw logging off
With logging on, the level defaults to low. ufw supports several levels: low, medium, high and full. Roughly, low logs blocked packets that do not match the default policy (rate limited) plus packets matching rules you explicitly asked to log; medium adds allowed packets that do not match the default policy and invalid packets; high and full log all packets, full without rate limiting, and are only for short debugging sessions. The default low level is enough for most hosts. Entries are written to /var/log/ufw.log (they are kernel log messages, so they also appear in the journal); use tail -n COUNT /var/log/ufw.log to show the last lines, or tail -f to follow new blocks live.
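A log is only useful if someone reads it. The script below is an added example, not code from the original article: it summarises the "[UFW BLOCK]" entries in the format ufw writes to /var/log/ufw.log, counting blocked packets per source and destination port and flagging sources above a threshold. The sample log lines are constructed for the example (hosts, addresses and ports are invented); ufw_block_summary and ufw_noisy_sources are this example's own function names.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: summarise what ufw is blocking from
# the "[UFW BLOCK]" entries in /var/log/ufw.log. The sample below is constructed in
# the kernel/netfilter format ufw logs in; hosts, addresses and ports are invented.

UFW_SAMPLE_LOG='Mar  3 10:15:01 web1 kernel: [  812.101] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=192.168.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: [  813.102] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=192.168.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [  814.103] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=192.168.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:04 web1 kernel: [  815.104] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:dd:ee:ff:08:00 SRC=10.115.10.129 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=40000 DPT=5053 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:05 web1 kernel: [  816.105] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:dd:ee:ff:08:00 SRC=10.115.10.129 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2002 DF PROTO=TCP SPT=40001 DPT=5053 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:06 web1 kernel: [  817.106] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:12:34:56:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3001 DF PROTO=TCP SPT=60000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:07 web1 kernel: [  818.107] [UFW ALLOW] IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:78:9a:bc:08:00 SRC=198.51.100.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=4001 DF PROTO=TCP SPT=55000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "count source dport" for every blocked
# (source, destination port) pair, busiest first. ALLOW/AUDIT entries are ignored.
ufw_block_summary() {
  awk '/\[UFW BLOCK\]/ {
         src = ""; dpt = "-"
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^SRC=/) src = substr($i, 5)
           else if ($i ~ /^DPT=/) dpt = substr($i, 5)
         }
         if (src != "") n[src " " dpt]++
       }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Read log lines on stdin; print "count source" for sources with at least MIN
# blocked packets across all ports (default 3), busiest first.
ufw_noisy_sources() {
  local min="${1:-3}"
  awk -v min="$min" '/\[UFW BLOCK\]/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
       }
       END { for (s in n) if (n[s] >= min) print n[s], s }' | sort -k1,1nr -k2,2
}

printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_block_summary
```

Against a real host, feed the log file instead of the sample: ufw_block_summary < /var/log/ufw.log, or ufw_noisy_sources 50 < /var/log/ufw.log to list only sources with 50 or more blocked packets. Because the summary keys on SRC and DPT, the three SYNs to port 80 from 192.168.1.1 collapse into a single line with a count, and the ALLOW entry is never counted.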
That concludes this article on blocking IPs and ports on Ubuntu (originally published on TOY模板網(wǎng)).