Study notes: configuring the UOS server firewall and mapping port 80 to port 8080

Install the firewall

sudo apt install ufw

Check the firewall status

sudo ufw status verbose

Allow port 22 (if you reach the server over SSH, port 22 must be allowed before the firewall is enabled; otherwise you lock yourself out the moment it starts). Allowing a bare port number opens it for both TCP and UDP; the tighter form is 22/tcp, since SSH uses TCP only.

sudo ufw allow 22

Enable the firewall

sudo ufw enable

Disable the firewall

sudo ufw disable

Allow port 8080

The redirect rule added later rewrites the destination port to 8080 in the nat table's PREROUTING chain, before ufw's filter rules run, so the INPUT chain sees port 8080, not 80. Port 8080 is therefore the one that must be allowed; allowing 80 would not help. Keep in mind that this also makes 8080 directly reachable from outside, so the service must be safe to expose on both ports.

sudo ufw allow 8080

Configure the mapping from port 80 to port 8080.
Step 1 Edit /etc/default/ufw and change the parameter:
DEFAULT_FORWARD_POLICY="ACCEPT"

sudo vim /etc/default/ufw

Find the line DEFAULT_FORWARD_POLICY="DROP" and change the value to "ACCEPT".

Caveat: a REDIRECT to a port on the same host is delivered locally and never traverses the FORWARD chain, so this change (and the forwarding sysctls in step 2) is only required when the NAT target is a different host. Leaving the policy at DROP does not break the local redirect and keeps the server from forwarding traffic between its interfaces.

Step 2 Configure /etc/ufw/sysctl.conf to allow IPv4 or IPv6 forwarding (by default these parameters are commented out; a redirect to a local port does not need them)

sudo vim /etc/ufw/sysctl.conf

The file contains the following lines; remove the leading # as needed

#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

Step 3 Add the NAT rules to /etc/ufw/before.rules. Insert them before the filter rules (*filter)

sudo vim /etc/ufw/before.rules

The file contains content similar to:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

Add the nat table in front of *filter, as its own table closed by its own COMMIT line (not pasted inside the *filter section, which would make the rules fail to load). After adding it, the file looks like this

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Step 4 Reload the firewall

sudo ufw reload

Then confirm the rule is loaded by listing the nat table's PREROUTING chain with iptables, and test from another host. Connections the server makes to itself (for example to 127.0.0.1 port 80) pass through the OUTPUT chain rather than PREROUTING, so they are not redirected and are not a valid test.
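As an added example (not part of the original post), the following POSIX shell script pre-checks the three files edited in steps 1 to 3 before you run sudo ufw reload, and prints a variant of the post's nat fragment that is restricted to one interface. Every function takes the file to inspect as an argument, so it can be run on copies first. The interface name eth0, the "demo" argument and the temporary file paths are assumptions made for the example.

```shell
#!/bin/sh
# Pre-flight checks for the ufw 80->8080 redirect (added example; not from the
# original post). Every function takes the file to inspect as an argument, so
# it can be run against copies before touching /etc/ufw.

# Print a nat fragment for "redirect TCP $2 -> $3 on interface $1".
# Unlike the post's rule, -i limits the redirect to one interface so it does
# not also apply on VPN, docker or other interfaces the host may have.
render_nat_block() {
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        "-A PREROUTING -i $1 -p tcp --dport $2 -j REDIRECT --to-port $3" \
        'COMMIT'
}

# Exit 0 if before.rules ($1) has a *nat table that is closed by COMMIT and
# contains a REDIRECT to port $2. A table opened while the previous one is
# still open (nat pasted inside *filter, or a missing COMMIT) is rejected,
# because iptables-restore refuses such a file.
check_nat_block() {
    awk -v want_port="$2" '
        /^\*filter/ { if (in_nat) bad = 1; in_filter = 1; in_nat = 0; next }
        /^\*nat/    { if (in_filter) bad = 1; in_nat = 1; in_filter = 0; next }
        /^COMMIT/   { if (in_nat) committed = 1; in_nat = 0; in_filter = 0; next }
        in_nat && /-j REDIRECT --to-port/ && $NF == want_port { has_rule = 1 }
        END { exit (has_rule && committed && !bad) ? 0 : 1 }
    ' "$1"
}

# Print the effective DEFAULT_FORWARD_POLICY from /etc/default/ufw ($1);
# the last uncommented assignment wins.
forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Exit 0 if net/ipv4/ip_forward=1 is active (not commented out) in ufw's sysctl.conf ($1).
ipv4_forward_enabled() {
    grep -Eq '^[[:space:]]*net/ipv4/ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# Run the checks (paths default to ufw's real files) and report. A REDIRECT to
# a local port needs neither ip_forward nor an ACCEPT forward policy, so both
# are reported as warnings, not requirements.
preflight() {
    rules=${1:-/etc/ufw/before.rules}
    defaults=${2:-/etc/default/ufw}
    sysctl=${3:-/etc/ufw/sysctl.conf}
    status=0
    if check_nat_block "$rules" 8080; then
        echo "ok:   $rules has a complete *nat block redirecting to 8080"
    else
        echo "FAIL: $rules lacks a well-formed *nat block redirecting to 8080"
        status=1
    fi
    [ "$(forward_policy "$defaults")" = ACCEPT ] &&
        echo "warn: DEFAULT_FORWARD_POLICY=ACCEPT is not needed for a local redirect"
    ipv4_forward_enabled "$sysctl" &&
        echo "warn: ip_forward=1 is not needed for a local redirect"
    return $status
}

# Stand-alone demo on constructed files: sh preflight.sh demo
# Real use on the host (as root): sh preflight.sh
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    render_nat_block eth0 80 8080 > "$tmp/before.rules"
    printf '%s\n' '*filter' ':ufw-before-input - [0:0]' 'COMMIT' >> "$tmp/before.rules"
    echo 'DEFAULT_FORWARD_POLICY="DROP"' > "$tmp/ufw"
    echo '#net/ipv4/ip_forward=1' > "$tmp/sysctl.conf"
    preflight "$tmp/before.rules" "$tmp/ufw" "$tmp/sysctl.conf"
    rm -rf "$tmp"
fi
```

On the live host, sudo iptables -t nat -L PREROUTING -n -v after the reload shows the REDIRECT rule with its packet counters, which is the quickest way to confirm it loaded and is matching traffic from other hosts.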


Source: blog.csdn.net/sinat_37014456/article/details/119488932