Some ways to configure the Linux firewall (iptables)
First, look at the existing firewall configuration:
[root@localhost banping]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Look at the rules currently loaded in the kernel. Note that this default ruleset accepts telnet (tcp/23) alongside ssh (tcp/22); telnet is a cleartext protocol and should not be left open:
[root@localhost banping]# iptables -L -n
Chain INPUT (policy ACCEPT)
target               prot opt source               destination
ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8000
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source               destination
ACCEPT               all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT               icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT               esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT               ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT               udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT               udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT               all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23
REJECT               all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
To reconfigure, first flush the existing rules. -F removes the rules from every chain and -X deletes the user-defined chains, but neither changes the chain policies; that is safe here because all three policies are ACCEPT. If the INPUT policy were already DROP, flushing the rules would cut off a remote session, so reset the policy first (iptables -P INPUT ACCEPT) before flushing:
[root@localhost banping]# iptables -F
[root@localhost banping]# iptables -X
[root@localhost banping]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Open port 22 first; otherwise, if you are logged in remotely, you will lock yourself out:
[root@localhost banping]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Then set the INPUT policy to DROP so that everything not explicitly accepted is discarded, and open whatever else you need on top of that (the order matters: the ssh ACCEPT rule must already be in place when the policy flips to DROP):
[root@localhost banping]# iptables -P INPUT DROP
[root@localhost banping]# iptables -P OUTPUT ACCEPT
[root@localhost banping]# iptables -P FORWARD ACCEPT
Then save the running rules so they survive a restart:
[root@localhost banping]# /etc/rc.d/init.d/iptables save
Saving current rules to /etc/sysconfig/iptables: [ OK ]
Restart the firewall service:
[root@localhost banping]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_ns [ OK ]
Instead of running iptables commands one at a time, you can also edit /etc/sysconfig/iptables directly (it is in iptables-save format and is loaded by the init script with iptables-restore). The final configuration might look like this:
[root@localhost banping]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Apr 29 17:28:08 2010
*filter
:INPUT DROP [3:349]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5585:947488]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 172.16.0.1 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 172.16.0.2 -i eth0 -j ACCEPT
-A INPUT -s 172.16.0.3 -i eth0 -j ACCEPT
COMMIT
# Completed on Thu Apr 29 17:28:08 2010
As you can see, this configuration allows ssh (tcp/22) only from 172.16.0.1 arriving on eth0, opens tcp/80 to everyone, and places no restriction at all on traffic from the last two IPs. Two points to check before copying it: with an INPUT policy of DROP and no general "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule, replies to connections this host opens itself (DNS lookups, yum updates, outbound ssh) are dropped, because only the ssh rule carries a state match; and the two source-address-only ACCEPT rules trust nothing but the IP header, which any host on the same segment can spoof.
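The following is an added example and not code from the original post. It generates a ruleset in the same iptables-save format as the file above, but in an order that cannot lock out a remote administrator (loopback and ESTABLISHED,RELATED first, then ssh from the admin host, then public ports, then an explicit REJECT), and it includes a small check that refuses any INPUT DROP ruleset lacking an ssh ACCEPT or a general ESTABLISHED accept. The admin address 172.16.0.1, the interface eth0 and the port list are assumptions for illustration; the "-m state" syntax is kept to match the page, and loading with iptables-restore is what makes the policy change and the rules land in one transaction instead of the flush-then-add window the manual commands leave open.

```shell
#!/bin/sh
# Added example (not from the original post): build a lockout-safe ruleset
# in iptables-save format and load it atomically with iptables-restore.
# The admin host 172.16.0.1, interface eth0 and the ports in the usage
# notes are assumptions for illustration.
#
# Usage (as root, on a host that has iptables-restore):
#   build_ruleset 172.16.0.1 eth0 80 > /tmp/rules.v4
#   check_ruleset < /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
#   service iptables save        # persist to /etc/sysconfig/iptables

# build_ruleset ADMIN_IP ADMIN_IF [TCP_PORT ...]
# Writes a complete *filter table to stdout. iptables-restore commits the
# policies and all rules together, so there is never a moment where INPUT
# is DROP and the ssh rule is missing.
build_ruleset() {
    admin_ip=$1
    admin_if=$2
    shift 2
    printf '%s\n' '*filter'
    # INPUT and FORWARD default to DROP (this host is not a router);
    # OUTPUT stays ACCEPT as on the original page.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback is needed by local services (syslog, databases, ...).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened (DNS, yum, outbound ssh).
    # Without this line an INPUT DROP policy breaks all outbound traffic.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # ssh only from the admin host and only on the expected interface.
    printf '%s\n' "-A INPUT -s $admin_ip -i $admin_if -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT"
    # Public services: one rule per port given on the command line.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Explicit REJECT at the end so clients get an ICMP error instead of a
    # timeout; anything that falls through still hits the DROP policy.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# check_ruleset < ruleset
# Returns 0 when the ruleset is safe to load over a remote session, 1 when
# it is not: an INPUT DROP policy with no ACCEPT for tcp/22, or with no
# ESTABLISHED accept that is independent of a port (a port-scoped state
# match like the ssh rule on the page keeps the ssh session alive but
# silently breaks every connection the host opens itself).
check_ruleset() {
    rules=$(cat)
    case $rules in
        *':INPUT DROP'*) ;;
        *) return 0 ;;   # policy ACCEPT: nothing here can lock anyone out
    esac
    printf '%s\n' "$rules" | grep -q -- '--dport 22 .*-j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -- '--state [A-Z,]*ESTABLISHED' \
        | grep -v -- '--dport' | grep -q -- '-j ACCEPT' || return 1
    return 0
}
```

Run check_ruleset against the page's final /etc/sysconfig/iptables and it returns 1: the only ESTABLISHED match there is tied to tcp/22 from 172.16.0.1, so the host can still be administered but cannot receive replies to its own outbound connections. Adding the single general ESTABLISHED,RELATED rule from build_ruleset fixes that without widening what the outside can reach.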