donglie1898
donglie1898
2015-12-10 09:07

iptables阻止来自php的传出请求

We have a Ubuntu server that host a php server and game server. recently, we get a lot of dos and flood attack. so i find some rule for iptables can protect http and game port from attack.

here is my rules:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m limit --limit 5/sec -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3724 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT

but the problem appear when php want to open a request like Soap WebService to another server. and iptables block this connection.

I think that problem is in this line :

iptables -P INPUT DROP

but without this line all request to all other port are allowed.

and this is php Soap error :

object(SoapClient)#48 (2) { ["_soap_version"]=> int(1) ["sdl"]=> resource(97) of type (Unknown) }

I appreciate all your comment. Thanks.

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答

1条回答

  • dourangdz750379 dourangdz750379 6年前

    The problem is that outgoing connections use a random local port to listen for replies. So if, for example, you are requesting a DNS entry on port 53, your computer will listen on port 42316 for data. If the latter port is blocked, as is the case in the above setup, the connection will fail.

    This is easily solved generally allowing packets of state ESTABLISHED and RELATED connections.

    iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    

    Also, change the other rules to use state NEW, as that's most likely what you want to restrict. Otherwise it will just cripple the server's connectivty.

    点赞 评论 复制链接分享

为你推荐