How to enable the firewall on a cloud server
As the internet has grown, more and more companies and individuals deploy and run their applications on cloud servers. Cloud servers offer elastic scaling, reliability and low cost, but an instance with a public IP address is reachable by anyone on the internet, so its network exposure has to be controlled by a firewall. A cloud server is filtered at two layers: the provider's security group, which sits outside the guest at the VPC level, and the host firewall inside the operating system (iptables or nftables on Linux). Both should be configured. This article first shows how to check the security group through the provider's API and then how to enable and persist an iptables firewall on the host.
Check the firewall status
Before touching the host firewall, check what the provider's security group already allows: a port the security group blocks never reaches the host, and a port it opens is protected only by the host rules. Each provider exposes security group information through its own API; the endpoints below are the article's examples for four common providers and are illustrative only. Every one of these APIs requires an authenticated request (a signature computed from the account's AccessKey, or a token obtained with it) that a bare curl command does not supply, so in practice the provider's CLI or SDK is used. The URLs are single-quoted because the query strings contain `&` and `{}`, which the shell would otherwise interpret, and any API that carries credentials must be called over HTTPS, not the plain HTTP of the third example.
1. Alibaba Cloud:
curl 'https://api.aliyun.com/v1/instances/{instanceId}/security-groups' | json_pp
2. Tencent Cloud:
curl 'https://cvm.qq.com/cgi-bin/cloudconsole/getinstancedetail?domain=xxxx&project=xxxxx&region=xxxxx&instanceid=xxxxx'
3. Baidu Cloud:
curl 'http://bcs.baidubce.com/api/v1/instance?instance_id={instanceId}' | jq '.Instance'
4. Huawei Cloud:
curl 'https://ecs.cn-north-4.myhuaweicloud.com/v1/{project_id}/servers/{server_id}' | jq '.Server.SecurityGroups'
On the host itself the equivalent check is `sudo iptables -S` (or `sudo iptables-save`), which prints the loaded rules and each chain's default policy. An INPUT policy of ACCEPT means the host firewall is not restricting anything yet.
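The security group calls above cannot be run offline, but the host-side check can. As an added example, not code from the original article, the script below audits an `iptables-save` dump: it reports a chain's default policy, lists the TCP ports that INPUT accepts outright, and follows port 22 into its target chain to decide whether a brand-new SSH session would be admitted. The two dumps embedded in it are constructed for illustration; the first reproduces a chain that only accepts ESTABLISHED,RELATED traffic, which is exactly the ruleset that locks an administrator out once the INPUT policy is DROP. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a host firewall
# from an iptables-save dump. On a real server run `sudo iptables-save > dump.txt`
# and pass the file's contents to these functions; the dumps below are
# CONSTRUCTED to show a typical problem.

# Constructed dump 1: an SSH chain with no rule for NEW connections, INPUT
# policy DROP, and a Redis listener (6379) opened to the world.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_PORT_BLOCKING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH_PORT_BLOCKING
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A SSH_PORT_BLOCKING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A SSH_PORT_BLOCKING -j RETURN
COMMIT'

# Constructed dump 2: the same ruleset with a NEW rule added to the chain.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | awk '
  /^-A SSH_PORT_BLOCKING -j RETURN$/ { print "-A SSH_PORT_BLOCKING -m conntrack --ctstate NEW -j ACCEPT" }
  { print }')

# Default policy of a built-in chain (ACCEPT or DROP).  $1 = dump, $2 = chain
chain_policy() {
  printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# TCP ports that INPUT accepts outright, one per line, ascending.  $1 = dump
accepted_tcp_ports() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT$/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }' | sort -n
}

# Would a brand-new SSH session get in? Follows port 22 from INPUT into its
# target chain and looks for an ACCEPT that is not limited to a --ctstate
# without NEW. Prints yes or no.  $1 = dump
ssh_new_allowed() {
  target=$(printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "INPUT" && / --dport 22 / {
      for (i = 1; i <= NF; i++) if ($i == "-j") print $(i + 1); exit
    }')
  if [ -z "$target" ]; then
    echo no
  elif [ "$target" = "ACCEPT" ]; then
    echo yes
  elif printf '%s\n' "$1" | awk -v c="$target" '
      $1 == "-A" && $2 == c && / -j ACCEPT$/ {
        ok = 1
        for (i = 1; i <= NF; i++) if ($i == "--ctstate" && $(i + 1) !~ /NEW/) ok = 0
        if (ok) found = 1
      }
      END { exit !found }'; then
    echo yes
  else
    echo no
  fi
}

# One line per check; exit status 1 if a new SSH session would be refused.
# Usage on a server:  audit "$(sudo iptables-save)"
audit() {
  echo "INPUT policy:     $(chain_policy "$1" INPUT)"
  echo "open TCP ports:   $(accepted_tcp_ports "$1" | tr '\n' ' ')"
  echo "new SSH admitted: $(ssh_new_allowed "$1")"
  [ "$(ssh_new_allowed "$1")" = yes ]
}
```

Running `audit "$SAMPLE_RULES"` reports INPUT policy DROP, open ports 80 and 6379, and "new SSH admitted: no": the server is enforcing, but the administrator cannot get in and a database port is exposed. The same audit on `$FIXED_RULES` answers yes. Port 6379 is the kind of finding this check exists for: a port the security group opens is only as protected as the host rules behind it.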
Add firewall rules
With the security group confirmed to permit the traffic, add the matching rules on the host. The example below allows SSH (TCP port 22):
1. Log in to the cloud server and make sure iptables is installed (Ubuntu shown; it is normally present already, and on current releases it is a frontend to nftables):
sudo apt-get update && sudo apt-get install iptables
2. Create a dedicated chain and send traffic for port 22 into it:
sudo iptables -N SSH_PORT_BLOCKING
sudo iptables -A INPUT -p tcp --dport 22 -j SSH_PORT_BLOCKING
3. Inside the chain, accept packets of established and related connections, accept new connection attempts, and return everything else to INPUT:
sudo iptables -A SSH_PORT_BLOCKING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A SSH_PORT_BLOCKING -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A SSH_PORT_BLOCKING -j RETURN
The NEW rule is the one that actually admits a fresh SSH session. With only the ESTABLISHED,RELATED rule, the first packet of every new connection would RETURN to INPUT and, once INPUT's default policy is DROP, be discarded, which locks you out of the server. Keeping SSH in its own chain is still worthwhile: it is where you later restrict SSH to your administrative address range (add -s <your CIDR> to the NEW rule) or add rate limiting against password guessing. Note also that these rules restrict nothing while INPUT's policy is still ACCEPT; switch the policy to DROP only after the accept rules are loaded, from a session you can recover through the provider's web console if something goes wrong.
Save the firewall rules
Rules entered with the iptables command live only in the kernel and are gone after a reboot. To keep them, they must be written to the file the distribution loads at boot. The path /etc/sysconfig/iptables belongs to RHEL/CentOS (package iptables-services); on Ubuntu, which this article uses, the equivalent is /etc/iptables/rules.v4, read at boot by the iptables-persistent package through the netfilter-persistent service. The steps below use the Ubuntu path.
1. Install the loader and back up the current rules file, if there is one:
sudo apt-get install iptables-persistent
sudo cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak
2. Write the ruleset to the file in iptables-restore format. This is the filter table built in the previous section, with a DROP default policy on INPUT and FORWARD and the loopback interface accepted, without which local services break once INPUT drops by default:
sudo tee /etc/iptables/rules.v4 >/dev/null <<'EOT'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_PORT_BLOCKING - [0:0]
# Loopback and replies to connections this host already has
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Incoming SSH (TCP 22) is handled in its own chain
-A INPUT -p tcp --dport 22 -j SSH_PORT_BLOCKING
-A SSH_PORT_BLOCKING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A SSH_PORT_BLOCKING -m conntrack --ctstate NEW -j ACCEPT
-A SSH_PORT_BLOCKING -j RETURN
COMMIT
EOT
3. Load the file now and enable the service so it is loaded at every boot:
sudo iptables-restore < /etc/iptables/rules.v4
sudo systemctl enable --now netfilter-persistent
Alternatively, `sudo iptables-save | sudo tee /etc/iptables/rules.v4` writes the rules currently loaded in the kernel to the same file. Whichever way the file is produced, apply it from a session you can recover through the provider's console: a ruleset that omits the ESTABLISHED,RELATED rule or the SSH rule cuts off the very session you are working in.
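As an added example, not the article's own code, the two sections above (adding the rules and saving them) collapsed into one script. It emits the complete filter table in iptables-restore format, which is also the format of /etc/iptables/rules.v4 and /etc/sysconfig/iptables, so one file serves both for loading now and at boot. It goes beyond the article in two ways a practitioner would want: new SSH sessions are accepted only from an administrative address range (203.0.113.0/24 is a constructed placeholder from the RFC 5737 documentation range) and are rate limited with the recent match, and the file is loaded with iptables-apply, which rolls the change back automatically unless you confirm within 60 seconds, the standard guard against locking yourself out. Function names and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: build the host firewall
# as one iptables-restore ruleset, apply it with a rollback timer, persist it.
# 203.0.113.0/24 below is a CONSTRUCTED placeholder; use your own admin range.

# Emit an iptables-restore ruleset on stdout.
#   $1 = CIDR allowed to open new SSH sessions, $2 = SSH port (default 22)
gen_ruleset() {
  admin_cidr=$1
  ssh_port=${2:-22}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_PORT_BLOCKING - [0:0]
# loopback and already-established traffic first, so nothing below can break them
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# only NEW SSH attempts enter the chain; established ones were accepted above
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j SSH_PORT_BLOCKING
# brute-force brake: the 6th new attempt within 60 s from one source is dropped
-A SSH_PORT_BLOCKING -m recent --name ssh --set
-A SSH_PORT_BLOCKING -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
-A SSH_PORT_BLOCKING -s ${admin_cidr} -j ACCEPT
# anything else falls back to INPUT, whose policy is DROP
-A SSH_PORT_BLOCKING -j RETURN
COMMIT
EOF
}

# Path the distribution's boot-time loader reads:
#   Debian/Ubuntu (iptables-persistent): /etc/iptables/rules.v4
#   RHEL/CentOS   (iptables-services):   /etc/sysconfig/iptables
rules_file() {
  if [ -d /etc/iptables ]; then
    echo /etc/iptables/rules.v4
  elif [ -d /etc/sysconfig ]; then
    echo /etc/sysconfig/iptables
  else
    echo /etc/iptables/rules.v4
  fi
}

# Load a ruleset file. iptables-apply (Debian/Ubuntu) loads it and reverts
# unless you confirm within the timeout, so a bad rule cannot strand your
# session; where it is absent, fall back to plain iptables-restore.
apply_ruleset() {
  if command -v iptables-apply >/dev/null 2>&1; then
    iptables-apply -t 60 "$1"
  else
    iptables-restore < "$1"
  fi
}

# Usage (as root):  sh firewall.sh --apply 203.0.113.0/24 22
if [ "${1:-}" = "--apply" ]; then
  target=$(rules_file)
  if [ -f "$target" ]; then cp "$target" "$target.bak"; fi
  gen_ruleset "$2" "$3" > "$target"
  apply_ruleset "$target"
  # Debian/Ubuntu: make the file load at boot. On RHEL the equivalent is
  # `systemctl enable iptables` from iptables-services.
  if command -v netfilter-persistent >/dev/null 2>&1; then
    systemctl enable netfilter-persistent
  fi
fi
```

The ruleset is generated by a function rather than typed rule by rule so that the same text can be reviewed, version-controlled and fed to `iptables-restore --test` before it ever touches the kernel. Confirming the iptables-apply prompt from your SSH session is the proof that the rules admit you; if the session hangs, the timeout restores the previous rules by itself.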
Original article by 酷盾叔; if you repost it, please credit the source: https://www.kdun.com/ask/93845.html