
iptables block outgoing request from php

We have an Ubuntu server that hosts a PHP server and a game server. Recently, we get a lot of DoS and flood attacks. So I found some rules for iptables that can protect the HTTP and game ports from attack.

Here are my rules:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m limit --limit 5/sec -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3724 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT

But the problem appears when PHP wants to open a request, like a SOAP web service call, to another server, and iptables blocks this connection.

I think the problem is in this line:

iptables -P INPUT DROP

But without this line, all requests to all other ports are allowed.

And this is the PHP SOAP error:

object(SoapClient)#48 (2) { ["_soap_version"]=> int(1) ["sdl"]=> resource(97) of type (Unknown) }

I appreciate all your comments. Thanks.

The problem is that outgoing connections use a random local port to listen for replies. So if, for example, you are requesting a DNS entry on port 53, your computer will listen on port 42316 for data. If the latter port is blocked, as is the case in the above setup, the connection will fail.

This is easily solved by generally allowing packets of ESTABLISHED and RELATED connections.

iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, change the other rules to use state NEW, as that's most likely what you want to restrict. Otherwise it will just cripple the server's connectivity.
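A corrected INPUT chain that applies the answer above, written here as an added example (not the asker's or the answerer's code). It assumes the interface eth0 and the five service ports from the question, and only prints the iptables commands unless run as root with APPLY=1:

```shell
#!/bin/sh
# Dry-run by default: prints the iptables commands it would run.
# Set APPLY=1 (as root) to actually load them.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"          # assumed interface, as in the question
PORTS="${PORTS:-22 80 443 3724 25}"   # assumed service ports from the question

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

apply_rules() {
    run -F
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (the PHP SOAP client, DNS,
    # outbound SMTP) arrive on a random local port. conntrack tags them
    # ESTABLISHED/RELATED, so one early rule accepts them whatever the port.
    run -A INPUT -i "$IFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Only the first packet of an inbound connection is NEW; that is where
    # the rate limit and the per-source connection cap belong.
    for p in $PORTS; do
        run -A INPUT -i "$IFACE" -p tcp --dport "$p" -m state --state NEW \
            -m limit --limit 5/sec \
            -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr \
            -j ACCEPT
    done
    # Set the DROP policy last so a failure above cannot lock us out.
    run -P INPUT DROP
}

# Returns 0 if the ESTABLISHED/RELATED rule precedes the first NEW rule,
# which is what makes outbound replies survive the DROP policy.
check_order() {
    (DRY_RUN=1; apply_rules) | awk '
        /RELATED,ESTABLISHED/ && !e { e = NR }
        /--state NEW/ && !n { n = NR }
        END { exit !(e && n && e < n) }'
}

[ "${APPLY:-0}" = 1 ] && DRY_RUN=0
apply_rules
```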
