Personal notes on setting up iptables locally
I spent a long time on iptables today and finally found some reasonably suitable material. I have a computer running Linux and I am afraid of being hit by ransomware; it already happened once, it took me at least a week to recover, and I lost several months of work, which was infuriating. So I want to see whether blocking with iptables helps.
Source: https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#allowing-internal-network-to-access-external
The main commands are as follows:
Allowing Loopback Connections
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
Allowing Established and Related Incoming Connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Allowing Established Outgoing Connections
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Dropping Invalid Packets
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Allowing All Incoming SSH
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allowing Outgoing SSH
sudo iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allowing All Incoming HTTP
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allowing All Incoming HTTPS
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Dropping Unwanted Traffic (append this LAST: iptables matches top to bottom, so any rule you later add with -A lands below this DROP and never matches; insert above it with -I INPUT <position> instead)
sudo iptables -A INPUT -j DROP
List all rules (add -n -v to also see interfaces, numeric ports and packet counters)
sudo iptables -L --line-numbers
Delete a rule
sudo iptables -D INPUT <Number>
Save your changes
sudo iptables-save -c # prints the current rules (-c: with packet counters) to stdout only; nothing is stored
The rules are lost at reboot unless that output is stored and reloaded; on Ubuntu/Debian the iptables-persistent package does this from /etc/iptables/rules.v4 (netfilter-persistent save).
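The tutorial applies each rule separately, which is exactly how people lock themselves out (a typo in the SSH rule, or a DROP appended before the ACCEPT). The script below is an added example, not part of the DigitalOcean tutorial or this post: it assembles the same rules into one iptables-restore ruleset so the kernel swaps them in atomically, keeps a rollback timer in case the new SSH login fails, and persists the result. A default INPUT policy of DROP replaces the trailing "-A INPUT -j DROP", the OUTPUT rules are dropped because OUTPUT keeps its ACCEPT policy, and the SSH_PORT, ALLOW_HTTP, ALLOW_HTTPS and ROLLBACK_SECS knobs are this script's own assumptions. It covers IPv4 only; an Ubuntu desktop has IPv6 enabled by default and needs the same treatment with ip6tables.

```sh
#!/bin/sh
# Added example, not from the DigitalOcean tutorial or this post: the rules
# above assembled into one iptables-restore ruleset, loaded atomically with a
# lockout guard, and persisted. Assumptions: IPv4 only (ip6tables is separate);
# a default INPUT policy of DROP stands in for the trailing "-A INPUT -j DROP";
# the tutorial's OUTPUT rules are omitted because OUTPUT keeps the ACCEPT
# policy; SSH_PORT, ALLOW_HTTP(S) and ROLLBACK_SECS are this script's own knobs.

SSH_PORT="${SSH_PORT:-22}"
ALLOW_HTTP="${ALLOW_HTTP:-0}"
ALLOW_HTTPS="${ALLOW_HTTPS:-0}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Emit the ruleset in iptables-restore format. Order is the whole point:
# loopback and conntrack first, then the explicit service ports; anything
# unmatched falls through to the DROP policy. A rule appended with -A after
# an explicit "-A INPUT -j DROP" would never be reached.
build_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$ALLOW_HTTP" = 1 ]; then
        printf '%s\n' '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'
    fi
    if [ "$ALLOW_HTTPS" = 1 ]; then
        printf '%s\n' '-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'
    fi
    printf '%s\n' 'COMMIT'
}

# Load the ruleset atomically (root required). iptables-restore swaps the
# whole table in one step, so there is no half-applied window; --test parses
# without committing. A background timer restores the previous rules after
# ROLLBACK_SECS unless you kill it once a fresh SSH login has succeeded.
apply_rules() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    build_rules | iptables-restore --test || { echo "ruleset rejected" >&2; return 1; }
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$backup" ) &
    echo "rollback timer pid $! : kill it after confirming a new SSH login works"
    build_rules | iptables-restore
}

# Persist across reboots. On Ubuntu/Debian the iptables-persistent package
# reloads /etc/iptables/rules.v4 at boot; iptables-save alone only prints.
persist_rules() {
    mkdir -p /etc/iptables && build_rules > /etc/iptables/rules.v4
}

case "${1:-}" in
    show)    build_rules ;;
    apply)   apply_rules ;;
    persist) persist_rules ;;
esac
```

Run it as "sh firewall.sh show" to review the ruleset, "sudo sh firewall.sh apply" to load it (then open a second SSH session and kill the printed rollback PID), and "sudo sh firewall.sh persist" once you are happy with it.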
SSH
https://kassadin.moe/2020/03/12/037-putty-default-settings-and-SSH-private-key-auth/
Edit the sshd config file (as root; note that sshd uses the FIRST occurrence of a directive, so a line appended at the end is ignored if the option is already set earlier or in a file pulled in by an Include at the top of the file; confirm the effective values with sshd -T before relying on them)
echo "PubkeyAuthentication yes" >> "/etc/ssh/sshd_config" # modify the config (yes is already the default)
echo "PasswordAuthentication no" >> "/etc/ssh/sshd_config" # (optional) only after a key login has been verified from a second session, otherwise you lock yourself out
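On Ubuntu 20.04 and later /etc/ssh/sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", and a vendor drop-in (cloud images ship a 50-cloud-init.conf with "PasswordAuthentication yes") therefore beats anything appended at the bottom. The script below is an added example, not from this post or from OpenSSH: it writes the hardening into a drop-in that sorts first, and carries a small offline emulation of sshd's first-match resolution so the effect can be checked without root. The drop-in name and the chosen directive values are this script's own assumptions; on a real host the authoritative check is sshd -T.

```sh
#!/bin/sh
# Added example, not from the post or from OpenSSH: sshd honours the FIRST
# occurrence of a directive, so "echo 'PasswordAuthentication no' >>
# sshd_config" is silently ignored when an earlier line, or a file pulled in
# by the "Include /etc/ssh/sshd_config.d/*.conf" at the top (Ubuntu 20.04+),
# already says "yes". Overrides belong in a drop-in that sorts first.
# Assumptions: SSHD_DIR defaults to /etc/ssh (overridable so the functions can
# run on a scratch copy); DROPIN_NAME and the values below are this script's.

SSHD_DIR="${SSHD_DIR:-/etc/ssh}"
DROPIN_NAME="${DROPIN_NAME:-00-local-hardening.conf}"

# write_dropin: one authoritative file, sorted before any 50-* vendor drop-in.
write_dropin() {
    dir="$SSHD_DIR/sshd_config.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/$DROPIN_NAME" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
    chmod 644 "$dir/$DROPIN_NAME"
}

# effective NAME FILE: offline emulation of sshd's first-match lookup. Follows
# Include globs in lexical order, stops at the first Match block, prints the
# winning value or returns 1 if unset (sshd would then use its default).
# The "key=value" spelling is not handled; on a real host use: sshd -T
effective() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f      # word-split without globbing
        key=$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')
        case "$key" in
            ''|'#'*) ;;
            include)
                shift
                for pat in "$@"; do
                    case "$pat" in /*) ;; *) pat="$SSHD_DIR/$pat" ;; esac
                    for f in $pat; do        # glob expands in sorted order
                        [ -f "$f" ] && v=$(effective "$want" "$f") && { printf '%s\n' "$v"; return 0; }
                    done
                done ;;
            match) return 1 ;;
            "$want") shift; printf '%s\n' "$*"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# apply (root): write the drop-in, parse-check the whole config, show what
# sshd will actually use, and reload. A reload keeps existing sessions open,
# so keep yours and test a key login in a second window before logging out.
apply() {
    write_dropin || return 1
    sshd -t || return 1
    sshd -T | grep -Ei '^(passwordauthentication|pubkeyauthentication|permitrootlogin) '
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run "sudo sh sshd-harden.sh apply"; the three lines printed by sshd -T are the values a client will actually see, whatever the bottom of sshd_config says.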
ssh-keygen -t ed25519 -f /etc/ssh/id_ed25519 # -b is ignored for ed25519 (the original "-b 2048" did nothing), and the space before -f was missing
Normally the key pair is generated on the machine you sit at, so that only the public key ever travels to the server.
You can leave the passphrase empty, though a passphrase protects the private key if the file is copied; PuTTY's Pageant can cache it so login stays one click.
Press Enter through the prompts; this produces a key pair: id_ed25519 and id_ed25519.pub
The first is the private key, keep it safe; the second is the public key, which you give to others.
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys # on the remote machine, create the file that holds the keys
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys # tighten permissions so nobody else can read it (no sudo needed for your own files; with StrictModes sshd ignores keys in a group- or world-writable ~/.ssh or home directory)
Append the local machine's public key (only the .pub file, never the private key):
cat /etc/ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
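The bare "cat >>" above works, but it also happily appends a second copy on every run and, if you pick the wrong file, dumps the private key into authorized_keys. The script below is an added example, not from this post or from OpenSSH: it installs a public key the way ssh-copy-id does, rejecting anything that is not a single public-key line, skipping duplicates, and setting the permissions sshd's StrictModes requires. The accepted key-type list is this script's own; the key in the test is a constructed dummy, not a real key.

```sh
#!/bin/sh
# Added example, not from the post or from OpenSSH: install a public key into
# authorized_keys with the checks a bare "cat >>" lacks. Assumptions: the
# accepted key types below are this script's own list; paths are arguments so
# the function can be exercised on scratch files without touching ~/.ssh.

# Generate the pair on the CLIENT (the machine you sit at): only the .pub file
# should ever travel. -a 64 slows down guessing of the passphrase; ed25519
# ignores -b. A Windows client can use PuTTYgen directly and paste the
# public key, so no conversion and no private-key download is needed.
generate_client_key() {
    ssh-keygen -t ed25519 -a 64 -C "$(whoami)@$(hostname)" -f "${1:-$HOME/.ssh/id_ed25519}"
}

# is_pubkey_line LINE: exactly "<type> <base64> [comment]" with a known type.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# install_pubkey KEY_FILE AUTH_FILE
# returns 0 = installed, 2 = already present, 1 = refused (not a public key)
install_pubkey() {
    key_file=$1; auth_file=$2
    grep -q 'PRIVATE KEY' "$key_file" && { echo "refusing: $key_file is a PRIVATE key" >&2; return 1; }
    [ "$(wc -l < "$key_file")" -le 1 ] || { echo "refusing: more than one line in $key_file" >&2; return 1; }
    line=$(cat "$key_file")
    is_pubkey_line "$line" || { echo "refusing: not a public key line" >&2; return 1; }
    blob=$(printf '%s\n' "$line" | cut -d' ' -f2)   # key material; the comment may differ
    dir=$(dirname "$auth_file")
    mkdir -p "$dir" && chmod 700 "$dir"              # StrictModes: ~/.ssh must not be writable by others
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"
    if grep -qF -- "$blob" "$auth_file"; then
        echo "already present in $auth_file" >&2
        return 2
    fi
    printf '%s\n' "$line" >> "$auth_file"
}
```

Typical use on the server: install_pubkey /tmp/id_ed25519.pub ~/.ssh/authorized_keys; a second run reports the key as already present instead of appending it again.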
Restart sshd so the new configuration is read (parse-check it first with sshd -t; a syntax error would leave you without SSH)
sudo systemctl restart sshd # restart the sshd service; on Ubuntu the unit is ssh.service and sshd is an alias for it
Enable SSH to start at boot
sudo systemctl enable sshd
Disable SSH starting at boot
sudo systemctl disable sshd
Start SSH once (this boot only)
sudo systemctl start sshd
Check whether SSH is running; Active: active (running) means success
sudo systemctl status ssh
sudo puttygen /etc/ssh/id_ed25519 -o /etc/ssh/ed_putty # convert the OpenSSH private key into PuTTY's .ppk format (puttygen comes from the putty-tools package; root is needed to read the key)
sudo chown "$USER" /etc/ssh/ed_putty && chmod 600 /etc/ssh/ed_putty # never 777: this is a private key, so only the account that will download it may read it
Download the private key file to your local machine (over an authenticated channel such as scp or WinSCP), then delete the copy left on the server.
In PuTTY set the authentication method to key:
Connection -> SSH -> Auth
Private key file for authentication: choose the ed_putty file you just converted, then save the session.
Now you can log in to the remote host with "one click".
The computer is behind a router; without port forwarding or a DMZ set up on the router, nothing from outside can get in at all.
I have always used the Ubuntu desktop with default settings and have never enabled any kind of remote access.