ubuntu 开启防火墙具体方法（英文)

Here’s how to create a firewall on your Linode:

1. Check your Linode’s default firewall rules by entering the following command:

   sudo iptables -L

2. Examine the output. If you haven’t implemented any firewall rules yet, you should see an empty ruleset, as shown below:

   Chain INPUT (policy ACCEPT)
   target     prot opt source               destination
   
   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination
   
   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination

3. Create a file to hold your firewall rules by entering the following command:

   sudo nano /etc/iptables.firewall.rules

4. Now it’s time to create some firewall rules. We’ve created some basic rules to get you started. Copy and paste the rules shown below in to the iptables.firewall.rulesfile you just created.

File:/etc/iptables.firewall.rules

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

5. Edit the rules as necessary. By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.

6. Save the changes to the firewall rules file by pressing Control-X, and then Y.
7. Activate the firewall rules by entering the following command:

   sudo iptables-restore < /etc/iptables.firewall.rules

8. Recheck your Linode’s firewall rules by entering the following command:

   sudo iptables -L

9. Examine the output. The new ruleset should look like the one shown below:

   Chain INPUT (policy ACCEPT)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
   REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
   ACCEPT     icmp --  anywhere             anywhere
   LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
   DROP       all  --  anywhere             anywhere
   
   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination
   DROP       all  --  anywhere             anywhere
   
   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere

10. Now you need to ensure that the firewall rules are activated every time you restart your Linode. Start by creating a new script with the following command:

    sudo nano /etc/network/if-pre-up.d/firewall

    CentOS users: If you are using CentOS 6.2 or higher, save your current iptables rules with the following command:

    /sbin/service iptables save

11. Copy and paste the following lines in to the file you just created:

File:/etc/network/if-pre-up.d/firewall

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

12. Press Control-X and then press Y to save the script.
13. Set the script’s permissions by entering the following command:

sudo chmod +x /etc/network/if-pre-up.d/firewall

That’s it! Your firewall rules are in place and protecting your Linode. Remember, you’ll need to edit the firewall rules later if you install other software or services.