详解:https://blog.csdn.net/qq_38892883/article/details/79709023

一个典型的iptable:

-A INPUT -s 172.41.17.13/32 -j ACCEPT
-A INPUT -s 172.40.9.210/32 -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 172.41.17.0/24 -p icmp -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# --reject-with tcp-reset 模拟无此端口的反应(只能用于 -p tcp 的规则)
# --reject-with icmp-host-prohibited 服务器拒绝连接
COMMIT

局域网的常规设置:

拒绝其他访问
#允许对本地端口的调用
-A INPUT -i lo -j ACCEPT
#对任意ip允许ping
-A INPUT -p icmp -j ACCEPT
#对局域网内ip允许访问任意端口
-A INPUT -s 172.41.17.0/24 -j ACCEPT
#对特定ip允许访问任意端口
-A INPUT -s 192.168.17.154/32 -j ACCEPT
#对特定ip允许访问特定协议端口
-A INPUT -s 172.20.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

拒绝其他访问
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
对应的命令行指令类似为(每条单独执行):

sudo iptables -t filter -A INPUT -i lo -j ACCEPT
sudo iptables -t filter -A INPUT -p icmp -j ACCEPT
sudo iptables -t filter -A INPUT -s 192.168.36.0/22 -j ACCEPT
sudo iptables -t filter -A INPUT -s 192.168.17.154/32 -j ACCEPT
sudo iptables -t filter -A INPUT -s 172.20.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -t filter -A INPUT -j REJECT --reject-with icmp-host-prohibited

其他

显示规则编号:
sudo iptables -L INPUT --line-numbers

在位置1插入一条规则:

sudo iptables -t filter -I INPUT 1 -i lo -j ACCEPT

在一台新服务器上从头设定

“安装iptables-services并设置策略

  1. # yum install iptables-services
  2. [root@arti-mysql-05 ~]# vi /etc/sysconfig/iptables
  3. *filter
  4. #对进来的包的状态进行检测。已经建立tcp连接的包以及该连接相关的包允许通过!
  5. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  6. #允许对本地端口的调用
  7. -A INPUT -i lo -j ACCEPT
  8. #对任意ip允许ping
  9. -A INPUT -p icmp -j ACCEPT
  10. #对特定ip允许访问任意端口:172.29.1.19,172.29.1.20,172.29.1.21,172.29.1.54,192.168.36.252
  11. -A INPUT -s 172.29.1.19/32 -j ACCEPT
  12. -A INPUT -s 172.29.1.20/31 -j ACCEPT
  13. -A INPUT -s 172.29.1.54/32 -j ACCEPT
  14. -A INPUT -s 192.168.36.252/32 -j ACCEPT
  15. #对特定ip允许访问特定协议端口
  16. #-A INPUT -s 172.20.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
  17. #拒绝其他所有
  18. -A INPUT -j REJECT --reject-with icmp-host-prohibited
  19. -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  20. COMMIT
  21. # systemctl enable iptables
  22. # systemctl restart iptables"