Chapter 9: Firewalls and NAT servers, p252

  • Layered view: client - Internet - firewall - server - SELinux fine-grained permission configuration - filesystem permissions (rwx)
  • What is a firewall? A mechanism that defines an ordered set of rules to control the packets entering a host.
  • Two firewall families: the Netfilter firewall (iptables) and the TCP Wrappers firewall. P254
  • The packet-filtering firewall, iptables, analyses layers 2/3/4 of the 7-layer OSI model.
  • The TCP Wrappers firewall analyses by service program: it does not depend on which port the program opens, only on the program's name.
  • There are, of course, also proxy servers.

Limitations of firewalls
9.2 TCP Wrappers
/etc/hosts.allow and /etc/hosts.deny
Not every program can be controlled through these two files. Only two kinds of software can be managed by TCP Wrappers:
1. Services managed by the super daemon (xinetd)
2. Services that support the libwrap.so module
Network Address Translation: see the NAT server notes at the end of this chapter.
9.3 Linux packet-filtering software: iptables, p262
Key point: the order in which rules are compared and analysed
Related reading:
A basic tutorial on the iptables firewall on Linux
Detailed explanation of IPTABLES configuration under Linux
9 common iptables configuration examples
Best practices for Linux troubleshooting

  • uname -r shows the Linux kernel version
  • The firewall software has many tables, and each table has chains. There are at least these three tables: filter (controls packets into and out of this host), nat (controls hosts behind this one), mangle.

iptables -t <table> -L -n -v: -t selects the table, -L lists all rules of that table, -n skips the reverse lookup of IPs and hostnames, -v shows more detail.

  • p268

iptables -L -n gives formatted output, but does not list the interfaces.
It has the same effect as /etc/init.d/iptables status.

  • iptables-save shows the complete firewall ruleset, just without formatting; same as cat /etc/sysconfig/iptables
  • After adding iptables rules, remember to run service iptables save to persist them, otherwise the rules are gone after a reboot
  • iptables -L -n --line-numbers // list the rules with their numbers

Defining the default policy, P271
Defining and managing rules
iptables
-F                 flush all rules in the chain
-D                 delete a rule, e.g. iptables -D INPUT 8
-j [ACCEPT|DROP|REJECT|LOG]   which actions are available
-s -p              source address, protocol
--sport
--dport
-m                 iptables extension modules: mac and state
--state [INVALID|ESTABLISHED|NEW|RELATED]   P275
-I INPUT 7 -p tcp -m state --state NEW -m tcp --dport 65400:65410 -j ACCEPT   // this becomes rule number 7
iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 6379 -j ACCEPT
inserts this rule as entry number 4 of the INPUT chain
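Rules are compared top to bottom and the INPUT chain in these notes ends with a catch-all REJECT, so a rule appended with -A lands after the REJECT and never matches, while -I INPUT N puts it in front. The following Python simulator is an added example, not code from these notes or from iptables itself; the rule subset (taken from the host-314 file further down) and the packets are constructed.

```python
# Added example (not the page's own code): first-match simulator for an iptables INPUT chain.
import shlex
# Constructed subset of the page's host-314 /etc/sysconfig/iptables rules.
RULES_314 = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1055:1057 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Read the match options this page uses (-p, -i, --state, --dport) and the -j target."""
    rule = {"proto": None, "iface": None, "states": None, "dport": None, "target": None}
    toks = shlex.split(line)
    for opt, val in zip(toks, toks[1:]):
        if opt in ("-p", "-i", "-j"):
            rule[{"-p": "proto", "-i": "iface", "-j": "target"}[opt]] = val
        elif opt == "--state":
            rule["states"] = set(val.split(","))
        elif opt == "--dport":            # single port or lo:hi range
            lo, _, hi = val.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
    return rule

def matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    return ((rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["states"] is None or pkt["state"] in rule["states"])
            and (rule["dport"] is None
                 or rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]))

def verdict(ruleset, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first match wins, else the chain policy applies."""
    for rule in map(parse_rule, (l for l in ruleset.splitlines() if l.startswith("-A"))):
        if matches(rule, pkt):
            return rule["target"]
    return policy

def with_rule(ruleset, line, position=None):
    """Emulate 'iptables -A INPUT ...' (append) or 'iptables -I INPUT N ...' (1-based insert)."""
    lines = ruleset.splitlines()
    lines.insert(len(lines) if position is None else position - 1, line)
    return "\n".join(lines) + "\n"
```

Appending the Redis rule for port 6379 with -A leaves the packet rejected; inserting it at position 4 accepts it.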
Denying access from specific IPs
iptables -I INPUT -s 61.147.103.20 -j DROP
iptables -I INPUT -s 121.207.230.180 -j DROP
iptables -I INPUT -s 123.7.6.101 -j DROP
iptables -I INPUT -s 61.141.156.91 -j DROP
iptables -I INPUT -s 180.97.239.31 -j DROP
iptables -I INPUT -s 222.186.190.138 -j DROP
iptables -I INPUT -s 198.55.114.175 -j DROP
/etc/init.d/iptables status

/sbin/iptables -I INPUT -p tcp --dport 21 -j ACCEPT     // opening a port in iptables
/sbin/iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
[root@localhost lcg]# cat /etc/sysconfig/iptables    // host 314 firewall (the text after // on each line is a note, not part of the file)
# Generated by iptables-save v1.4.7 on Mon Jul 4 23:29:36 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [98:11420]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    // any packet belonging to an established connection, or related to a request already sent, is let through
-A INPUT -p icmp -j ACCEPT    // every ICMP packet is let through, i.e. ping is allowed
-A INPUT -i lo -j ACCEPT    // everything arriving on lo (the internal loopback interface) is accepted; without this rule you cannot reach local services via 127.0.0.1, e.g. ping 127.0.0.1
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT    // packets that open a new connection to this port are let through
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1054 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1055:1057 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2054 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2055:2057 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited    // reject all remaining packets and reply with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jul 4 23:29:36 2016
[root@localhost mysql]# cat /etc/sysconfig/iptables    // NSCC supercomputing centre, 2015/12/10
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Mysql Port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
#Tomcat Port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
# Earthquake Ports
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1054 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1055 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1056 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1057 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1058 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
# Test Earthquake Ports
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2054 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2055 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2056 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2057 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2058 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#-A RH-Firewall-1-INPUT -p tcp —dport 10000:10010 -j ACCEPT
COMMIT
Commands to copy
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1053:1056 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

  • The HTTP service at the supercomputing centre is on port 1058!

iptables -I INPUT 7 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
NAT server: Network Address Translation
IP sharing (sharing one public address among internal hosts)