My server is running an Nginx RTMP server on port 1935.
I am running a firewall script to block bad clients that open more than 30 connections on any tcp port on my server, using the following script:
#!/bin/sh
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
EXTIF="ens3"
EXTIP1="92.186.5.80"
EXTIMESENTER=30
UNIVERSE="0.0.0.0/0"
#Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on
$IPTABLES -F add-to-connlimit-list
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
echo "...load xt_recent..."
modprobe -r xt_recent
modprobe xt_recent ip_list_tot=5000 ip_pkt_list_tot=128
echo "...load list limitation..."
#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
# add-to-connlimit-list
# Too many connections from an IP address have been detected.
$IPTABLES -N add-to-connlimit-list
$IPTABLES -A add-to-connlimit-list -m recent --set --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -j DROP
echo "...Accept incoming traffic..."
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
# Just DROP invalid packets.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j DROP
# external interface, from any source: DROP any remaining ICMP traffic
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -j DROP
#allow TcpPorts
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 432000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p tcp -m connlimit --connlimit-above $EXTIMESENTER -j add-to-connlimit-list
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -m state --state NEW -p tcp -j ACCEPT
# Allow udp Packets
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -m state --state NEW -p udp -j ACCEPT
# Allow any related traffic coming back to the server in. I moved it here to drop the attacker's current connectivity as you told me
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# O.K. at this point, we will DROP the packet, however some will be dropped without logging just to make the log file
# less cluttered.
#
$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --dport 33434:33448 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --dport 23,2323 -j DROP
# this rule may not be needed
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
Can I avoid blocking the clients that connect to my RTMP server?
Posted on 2021-05-12 22:41:29
Move the following rule:
# Allow any related traffic coming back to the server in. I moved it here to drop the attacker's current connectivity as you told me
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP1 -m state --state ESTABLISHED,RELATED -j ACCEPT
earlier, for example right after the ICMP part.
Add a new rule ACCEPTing traffic to your port 1935 right after it. You didn't specify tcp or udp; I'll use tcp:
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 1935 -m state --state NEW -j ACCEPT
This will let anyone attempt to establish a new connection to your port 1935. If you want to block the people on the bad-guy list, add this new rule between the "bad guy check" and the "connlimit check", like this:
#allow TcpPorts
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 432000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 1935 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP1 -p tcp -m connlimit --connlimit-above $EXTIMESENTER -j add-to-connlimit-list
Note 1: untested.
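Since the answer is untested and the fix is purely about rule order, here is an added example (not part of the question or the answer) that checks the ordering against `iptables -S INPUT` output: the ESTABLISHED,RELATED accept must precede the BADGUY_CONN drop, and the port 1935 accept must sit between the BADGUY_CONN drop and the connlimit check. The two rule listings are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output in the order the answer
# recommends (not captured from a real host); in production feed the function
# the real `iptables -S INPUT` output instead.
FIXED_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens3 -p icmp -j DROP
-A INPUT -i ens3 -d 92.186.5.80/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens3 -m recent --update --seconds 432000 --hitcount 1 --name BADGUY_CONN --rsource -j DROP
-A INPUT -i ens3 -p tcp -m tcp --dport 1935 -m state --state NEW -j ACCEPT
-A INPUT -i ens3 -d 92.186.5.80/32 -p tcp -m connlimit --connlimit-above 30 --connlimit-mask 32 -j add-to-connlimit-list'

# Same constructed sample in the asker's original order: ESTABLISHED accept
# after the connlimit check and no dedicated port 1935 rule.
ORIGINAL_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens3 -p icmp -j DROP
-A INPUT -i ens3 -m recent --update --seconds 432000 --hitcount 1 --name BADGUY_CONN --rsource -j DROP
-A INPUT -i ens3 -d 92.186.5.80/32 -p tcp -m connlimit --connlimit-above 30 --connlimit-mask 32 -j add-to-connlimit-list
-A INPUT -i ens3 -d 92.186.5.80/32 -p tcp -m state --state NEW -j ACCEPT
-A INPUT -i ens3 -d 92.186.5.80/32 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# rule_pos PATTERN RULES: 1-based position of the first rule matching PATTERN
# (basic regex), or 0 when nothing matches.
rule_pos() {
    pos=$(printf '%s\n' "$2" | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# check_rtmp_order RULES: return 0 when ESTABLISHED accept < BADGUY_CONN drop
# < port 1935 accept < connlimit check, 1 when a rule is missing or misordered.
check_rtmp_order() {
    est=$(rule_pos 'ESTABLISHED.*-j ACCEPT' "$1")
    bad=$(rule_pos 'BADGUY_CONN.*-j DROP' "$1")
    rtmp=$(rule_pos 'dport 1935 .*-j ACCEPT' "$1")
    conn=$(rule_pos 'connlimit-above' "$1")
    if [ "$est" -eq 0 ] || [ "$bad" -eq 0 ] || [ "$rtmp" -eq 0 ] || [ "$conn" -eq 0 ]; then
        echo "missing rule: established=$est badguy=$bad rtmp=$rtmp connlimit=$conn"
        return 1
    fi
    if [ "$est" -lt "$bad" ] && [ "$bad" -lt "$rtmp" ] && [ "$rtmp" -lt "$conn" ]; then
        echo "ok: established=$est badguy=$bad rtmp=$rtmp connlimit=$conn"
        return 0
    fi
    echo "wrong order: established=$est badguy=$bad rtmp=$rtmp connlimit=$conn"
    return 1
}

check_rtmp_order "$FIXED_RULES"
check_rtmp_order "$ORIGINAL_RULES" || true   # expected to report the missing 1935 rule
```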
https://askubuntu.com/questions/1337870