  • vim /etc/sysconfig/iptables

    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    以上是 /etc/sysconfig/iptables 防火墙配置文件的初始内容。

    下面是需要增加的规则（iptables 按顺序匹配，这些规则必须放在最后那条 `-A INPUT -j REJECT` 之前，否则永远不会命中）:

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

    -A INPUT -s 115.28.46.84/32 -p tcp -m tcp --dport 3306 -j ACCEPT  //115.28.46.84 是从库（slave）数据库的地址；注意上一条规则已经对所有来源开放了 3306，如果只需要从库访问主库，保留本条、去掉上一条即可

    实例:

    [danny@ay-sc-hz-02 ~]$ sudo cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Tue Sep 30 14:47:08 2014
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [44:6143]
    :BLACKLIST - [0:0]
    -A INPUT -s 115.28.46.84/32 -p tcp -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 112.124.7.82/32 -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -s 121.199.2.108/32 -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -s 54.204.167.252/32 -j ACCEPT
    -A INPUT -s 54.226.209.220/32 -j ACCEPT
    -A INPUT -s 180.166.51.234/32 -j ACCEPT
    -A INPUT -s 174.129.49.94/32 -j ACCEPT
    -A INPUT -s 75.101.181.183/32 -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -j ACCEPT
    -A INPUT -s 10.160.2.32/32 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A BLACKLIST -j DROP
    COMMIT
    # Completed on Tue Sep 30 14:47:08 2014

    [danny@ay-db-qd-01 log]$ sudo cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.3.5 on Mon Aug 25 17:48:21 2014
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [184452044:15279824631]
    :BLACKLIST - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -s 54.204.167.252 -j ACCEPT
    -A INPUT -s 54.226.209.220 -j ACCEPT
    -A INPUT -s 180.166.51.234 -j ACCEPT
    -A INPUT -s 174.129.49.94 -j ACCEPT
    -A INPUT -s 75.101.181.183 -j ACCEPT
    -A INPUT -s 127.0.0.1 -j ACCEPT
    -A INPUT -s 10.144.38.91 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A BLACKLIST -j DROP
    COMMIT
    # Completed on Mon Aug 25 17:48:21 2014

    [danny@ay-wifi-hz-01 ~]$ sudo cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.3.5 on Wed Aug 6 14:55:42 2014
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [91064865:14245935000]
    :BLACKLIST - [0:0]
    -A INPUT -s 112.5.193.46 -j DROP
    -A INPUT -s 112.5.193.47 -j DROP
    -A INPUT -s 115.168.77.68 -j DROP
    -A INPUT -s 115.238.225.110 -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -s 23.22.208.66 -j ACCEPT
    -A INPUT -s 54.226.209.220 -j ACCEPT
    -A INPUT -s 180.166.51.234 -j ACCEPT
    -A INPUT -s 174.129.49.94 -j ACCEPT
    -A INPUT -s 75.101.181.183 -j ACCEPT
    -A INPUT -s 127.0.0.1 -j ACCEPT
    -A INPUT -s 10.122.68.87 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A BLACKLIST -j DROP
    COMMIT
    # Completed on Wed Aug 6 14:55:42 2014

    [root@ay-xf-hz-01 ~]# sudo cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Wed Sep 24 17:11:18 2014
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [86:9522]
    :BLACKLIST - [0:0]
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8089 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -s 180.166.51.234/32 -j ACCEPT
    -A INPUT -s 174.129.49.94/32 -j ACCEPT
    -A INPUT -s 75.101.181.183/32 -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A BLACKLIST -j DROP
    COMMIT
    # Completed on Wed Sep 24 17:11:18 2014
